Use JAAS for LDAP password with Spring security - authentication

I have a Java EE web application which uses an LDAP authentication. I use Spring security to connect to my LDAP with the following code:
<bean id="ldapContextSource" class="com.myapp.security.authentication.MySecurityContextSource">
<constructor-arg index="0" value="${ldap.url}" />
<constructor-arg index="1" ref="userConnexion" />
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<bean id="userConnexion" class="com.myapp.util.security.WebsphereCredentials">
<constructor-arg value="${ldap.authJndiAlias}" />
</bean>
<bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<constructor-arg ref="ldapContextSource" />
<property name="userSearch" ref="userSearch" />
</bean>
</constructor-arg>
<constructor-arg>
<bean class="com.myapp.security.authentication.MyAuthoritiesPopulator" >
<property name="userService" ref="userService" />
</bean>
</constructor-arg>
<property name="userDetailsContextMapper" ref="myUserDetailsContextMapper"/>
<property name="hideUserNotFoundExceptions" value="false" />
</bean>
Actually, my bean WebsphereCredentials uses a WebSphere private class WSMappingCallbackHandlerFactory as in this response : How to access authentication alias from EJB deployed to Websphere 6.1
We can see it in the official websphere documentation: http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Frsec_pluginj2c.html
But I don't want it because:
I think my application can access all JAAS logins in my WebSphere instance (not sure).
This class is defined in the HUGE IBM client library com.ibm.ws.admin.client-7.0.0.jar (42 Mo) => compilation slower, not present in my enterprise nexus
It's not portable, not standard
For information, I define the WebsphereCredentials constructor as this:
Map<String, String> map = new HashMap<String, String>();
map.put(Constants.MAPPING_ALIAS, this.jndiAlias);
Subject subject;
try {
CallbackHandler callbackHandler = WSMappingCallbackHandlerFactory.getInstance().getCallbackHandler(map, null);
LoginContext lc = new LoginContext("DefaultPrincipalMapping", callbackHandler);
lc.login();
subject = lc.getSubject();
} catch (NotImplementedException e) {
throw new EfritTechnicalException(EfritTechnicalExceptionEnum.LOGIN_CREDENTIAL_PROBLEM, e);
} catch (LoginException e) {
throw new EfritTechnicalException(EfritTechnicalExceptionEnum.LOGIN_CREDENTIAL_PROBLEM, e);
}
PasswordCredential cred = (PasswordCredential) subject.getPrivateCredentials().toArray()[0];
this.user = cred.getUserName();
this.password = String.valueOf(cred.getPassword());
Is there a way to use just Spring security and remove this dependency?
I have no idea how to combine http://static.springsource.org/spring-security/site/docs/3.1.x/reference/jaas.html and http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ldap.html.
Maybe I must totally change my approach and use another way?


I assume your goal is to simply utilize the username / password that you configure in WebSphere to connect to the LDAP directory? If this is the case, you are not really trying to combine LDAP and JAAS based authentication. The JAAS support is really intended to be a way of using JAAS LoginModules to authenticate a user instead of using the LDAP based authentication.
If you are wanting to obtain the username and password without having a compile time dependency on WebSphere, you have a few options.
Eliminating Compile Time and Runtime Dependencies on WAS
One option is to configure the password in a different way. This could be as simple as using the password directly directly in the configuration file as shown in the Spring Security LDAP documentation:
<bean id="ldapContextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
<property name="userDn" value="cn=manager,dc=springframework,dc=org"/>
<property name="password" value="password"/>
</bean>
You could also configure the username password in JNDI. Another alternative is to use a .properties file with the Property. If you are wanting to ensure the password is secured, then you will probably want to encrypt the password using something like Jasypt.
Eliminating Compile Time dependencies and still configuring with WAS
If you need or want to use WebSphere's J2C support for storing the credentials, then you can do by injecting the CallbackHandler instance. For example, your WebsphereCredentials bean could be something like this:
try {
LoginContext lc = new LoginContext("DefaultPrincipalMapping", this.callbackHandler);
lc.login();
subject = lc.getSubject();
} catch (NotImplementedException e) {
throw new EfritTechnicalException(EfritTechnicalExceptionEnum.LOGIN_CREDENTIAL_PROBLEM, e);
} catch (LoginException e) {
throw new EfritTechnicalException(EfritTechnicalExceptionEnum.LOGIN_CREDENTIAL_PROBLEM, e);
}
PasswordCredential cred = (PasswordCredential) subject.getPrivateCredentials().toArray()[0];
this.user = cred.getUserName();
this.password = String.valueOf(cred.getPassword());
Your configuration would then look something like this:
<bean id="userConnexion" class="com.myapp.util.security.WebsphereCredentials">
<constructor-arg ref="wasCallbackHandler"/>
</bean>
<bean id="wasCallbackHandler"
factory-bean="wasCallbackFactory"
factory-method="getCallbackHandler">
<constructor-arg>
<map>
<entry
value="${ldap.authJndiAlias}">
<key>
<util:constant static-field="com.ibm.wsspi.security.auth.callback.Constants.MAPPING_ALIAS"/>
</key>
</entry>
</map>
</constructor-arg>
<constructor-arg>
<null />
</constructor-arg>
</bean>
<bean id="wasCallbackFactory"
class="com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandlerFactory"
factory-method="getInstance" />
Disclaimer
CallbackHandler instances are not Thread safe and generally should not be used more than once. Thus it can be a bit risky injecting CallbackHandler instances as member variables. You may want to program in a check to ensure that the CallbackHandler only used one time.
Hybrid Approach
You could do a hybrid approach that always removes the compile time dependency and allows you to remove the runtime dependency in instances where you might not be running on WebSphere. This could be done by combining the two suggestions and using Spring Bean Definition Profiles to differentiate between running on WebSphere and a non-WebSphere machine.

Related

Number of connections and channels

I am new to Rabbitmq and Spring. I want to know how to manage the number of connections and channels.
In my architecture there are 2 queues where messages are published from single producer based on routing key on direct exchange. As per my understanding I would need a single connection with 2 channels which will be persistent and messages will be published through them. I assumed this is managed by Spring automatically. But a connection, consisting of single channel, is created every time a message is published.
- How do I manage the channels and connections? Is it the right approach to create a single channel for each queue in a connection? If the queue size increases to 10 then 10 channels should be used in a single connection?
Configuration File:
<bean id="connectionFactory" class="org.springframework.amqp.rabbit.connection.CachingConnectionFactory">
<property name="username" value="test"/>
<property name="password" value="test"/>
<property name="host" value="50.16.11.22"/>
<property name="port" value="5672"/>
</bean>
<bean id="publisher" class="com.test.code.Publisher">
<constructor-arg ref="amqpTemplate"></constructor-arg>
</bean>
<bean id="amqpTemplate" class="org.springframework.amqp.rabbit.core.RabbitTemplate">
<property name="connectionFactory" ref="connectionFactory"/>
<property name="mandatory" value="true"></property>
<property name="exchange" value="x.direct"></property>
</bean>
<rabbit:admin connection-factory="connectionFactory" />
<rabbit:queue name="q.queue1" />
<rabbit:queue name="q.queue2" />
<rabbit:direct-exchange name="x.direct">
<rabbit:bindings>
<rabbit:binding queue="q.queue1" key="key1" />
<rabbit:binding queue="q.queue2" key="key2" />
</rabbit:bindings>
</rabbit:direct-exchange>
</beans>
This is my Publisher class
public class Publisher {
public Publisher(RabbitTemplate rabbitTemplate) {
this.rabbitTemplate = rabbitTemplate;
}
public void messageToQueue1(JSONObject message) {
amqpTemplate.convertAndSend("key1", message.toString());
}
public void messageToQueue2(JSONObject message) {
amqpTemplate.convertAndSend("key2", message.toString());
}
}

But a connection, consisting of single channel, is created every time a message is published.
That is not true. There is also no dedicated channel for each routing key.
The CachingConnectionFactory maintains a single persistent connection (by default) and channels are cached.
The first publish creates a channel and puts it in the cache. The next publish gets it from the cache. Only if the cache is empty is a new channel created (and then you'll end up with 2 cached channels).
You'll only get as many channels as you need concurrently.

Spring-Data-Solr How to provide authentication data

how do i proivde authentication data for spring data solr server?
Here is what i have in configuration
<solr:solr-server id="solrServer" url="http://xxxxxxxx:8983/solr" />
<bean id="solrTemplate" class="org.springframework.data.solr.core.SolrTemplate" scope="singleton">
<constructor-arg ref="solrServer" />
</bean>
<bean id="searchRepository" class="com.bankofamerica.atmtech.repository.SolrJournalRepository">
<property name="solrOperations" ref="solrTemplate" />
</bean>
<bean id="App" class="App">
<property name="repo" ref="searchRepository" />
</bean>
I don't see any property where i can set it.

You cannot set Credentials directly but have to go through the factory.
#Bean
SolrTemplate solrTemplate() {
return new SolrTemplate(solrServerFactory());
}
#Bean
SolrServerFactory solrServerFactory() {
Credentials credentials = new UsernamePasswordCredentials("foo", "bar");
return new HttpSolrServerFactory(solrServer(), "collection1", credentials , "BASIC");
}
#Bean
SolrServer solrServer() {
return new HttpSolrServer("http://localhost:8983/solr");
}
I guess some kind of SolrAuthenticationProvider picked up and applied if present in application context would make sense in this case.

ActiveMQ with JMS topic - some messages not dequeued by consumer

We're trying to set up ActiveMQ 5.9.0 as a message broker using JMS topics, but we're having some issues with the consumption of the messages.
For testing purposes, we have a simple configuration of 1 topic, 1 event producer, and 1 consumer. We send 10 messages one after the other, but every time we run the application, 1-3 of these messages are not consumed! The other messages are consumed and proceesed fine.
We can see that all the messages we're published to the topic in the ActiveMQ managment console, but they never reach the consumer, even if we reastart the application (we can see that the numbers in the "Enqueue" and "Dequeue" columns are different).
EDIT: I should also mention that when using queues instead of topic, this problem does not occur.
Why is this happening? Could it have something to do with atomikos (which is the transaction manger)? Or maybe something else in the configuration? Any ideas/suggestions are welcome. :)
This is the ActiveMQ/JMS spring configuration:
<bean id="connectionFactory" class="com.atomikos.jms.AtomikosConnectionFactoryBean"
init-method="init" destroy-method="close">
<property name="uniqueResourceName" value="amq" />
<property name="xaConnectionFactory">
<bean class="org.apache.activemq.spring.ActiveMQXAConnectionFactory"
p:brokerURL="${activemq_url}" />
</property>
<property name="maxPoolSize" value="10" />
<property name="localTransactionMode" value="false" />
</bean>
<bean id="cachedConnectionFactory"
class="org.springframework.jms.connection.CachingConnectionFactory">
<property name="targetConnectionFactory" ref="connectionFactory" />
</bean>
<!-- A JmsTemplate instance that uses the cached connection and destination -->
<bean id="jmsTemplate" class="org.springframework.jms.core.JmsTemplate">
<property name="connectionFactory" ref="cachedConnectionFactory" />
<property name="sessionTransacted" value="true" />
<property name="pubSubDomain" value="true"/>
</bean>
<bean id="testTopic" class="org.apache.activemq.command.ActiveMQTopic">
<constructor-arg value="test.topic" />
</bean>
<!-- The Spring message listener container configuration -->
<jms:listener-container destination-type="topic"
connection-factory="connectionFactory" transaction-manager="transactionManager"
acknowledge="transacted" concurrency="1">
<jms:listener destination="test.topic" ref="testReceiver"
method="receive" />
</jms:listener-container>
The producer:
#Component("producer")
public class EventProducer {
#Autowired
private JmsTemplate jmsTemplate;
#Transactional
public void produceEvent(String message) {
this.jmsTemplate.convertAndSend("test.topic", message);
}
}
The consumer:
#Component("testReceiver")
public class EventListener {
#Transactional
public void receive(String message) {
System.out.println(message);
}
}
The test:
#Autowired
private EventProducer eventProducer;
public void testMessages() {
for (int i = 1; i <= 10; i++) {
this.eventProducer.produceEvent("message" + i);
}

That's the nature of JMS topics - only current subscribers receive messages by default. You have a race condition and are sending messages before the consumer has established its subscription, after the container is started. This is a common mistake with unit/integration tests with topics where you are sending and receiving in the same application.
With newer versions of Spring, there is a method you can poll to wait until the subscriber is established (since 3.1, I think). Or, you can just wait a little while before starting to send, or you can make your subscriptions durable.

Override persistence.xml property

What would be the proper way to override EclipseLink persistence.xml property when running application on Glassfish application server?
We need some properties to be configured in a separate configuration file which would be available to a client.
I didn't find any EclipseLink-specific classes which accept some user properties. I only found Glassfish PersistenceUnitLoader class which could be tweaked in order to achieve that. But this would be an ugly hack :)

You can create your own EntityManager at runtime:
Map map = new HashMap();
map.put("javax.persistence.jdbc.password", "password");
map.put("javax.persistence.jdbc.user", "root");
EntityManagerFactory emf = Persistence.createEntityManagerFactory("MyPU",map);
EntityManager em = emf.createEntityManager(map);
Some eclipselink property names:
<property name="eclipselink.target-database" value="DERBY"/>
<property name="eclipselink.ddl-generation" value="drop-and-create-tables"/>
<property name="eclipselink.jdbc.driver" value="org.apache.derby.jdbc.ClientDriver"/>
<property name="eclipselink.jdbc.url" value="jdbc:derby://localhost:1527/02DB;create=true"/>
<property name="eclipselink.jdbc.user" value="user"/>
<property name="eclipselink.jdbc.password" value="password"/>

How do I alter CAS configuration to use (email,password) authentication?

How do I alter CAS configuration to use (email,password) authentication for users in liferay rather than the default email verification used by CAS server?
**2012-02-23 07:35:22,659 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 4 services.>
2012-02-23 07:35:22,815 ERROR [org.springframework.web.context.ContextLoader] - <Context initialization failed>
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'centralAuthenticationService' defined in ServletContext resource [/WEB-INF/spring-configuration/applicationContext.xml]: Cannot resolve reference to bean 'authenticationManager' while setting bean property 'authenticationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot create inner bean 'org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler#f3941' of type [org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler] while setting bean property 'authenticationHandlers' with key [1]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler] for bean with name 'org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler#f3941' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:328)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:106)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1325)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1086)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:580)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized_aroundBody0(SafeContextLoaderListener.java:62)
at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized_aroundBody1$advice(SafeContextLoaderListener.java:44)
at org.jasig.cas.web.init.SafeContextLoaderListener.contextInitialized(SafeContextLoaderListener.java:1)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4135)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4630)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:546)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:785)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:445)
at org.apache.catalina.core.StandardService.start(StandardService.java:519)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManager' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: Cannot create inner bean 'org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler#f3941' of type [org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler] while setting bean property 'authenticationHandlers' with key [1]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler] for bean with name 'org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler#f3941' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:281)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:120)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveManagedList(BeanDefinitionValueResolver.java:353)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:153)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1325)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1086)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:517)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:322)
... 42 more
Caused by: org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler] for bean with name 'org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler#f3941' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler
at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1250)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:433)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:270)
... 54 more
Caused by: java.lang.ClassNotFoundException: org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1645)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1491)
at org.springframework.util.ClassUtils.forName(ClassUtils.java:257)
at org.springframework.beans.factory.support.AbstractBeanDefinition.resolveBeanClass(AbstractBeanDefinition.java:408)
at org.springframework.beans.factory.support.AbstractBeanFactory.doResolveBeanClass(AbstractBeanFactory.java:1271)
at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1242)
... 56 more**

To use Liferay user table with email and password fields, you should change the following fragment of the CAS deployerConfigContext.xml:
<property name="authenticationHandlers">
<list>
<!-- | This is the authentication handler that authenticates services by
means of callback via SSL, thereby validating | a server side SSL certificate. + -->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient"></bean>
<bean class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler">
<property name="tableUsers">
<value>User_</value>
</property>
<property name="fieldUser">
<value>emailAddress</value>
</property>
<property name="fieldPassword">
<value>password_</value>
</property>
<property name="passwordEncoder">
<bean class="com.ccm.ci.cas.authentication.handler.LiferayPasswordEncoder">
<!-- Default Liferay Password Encryption is SHA algorithm. If someone changes it in liferay it have to been changed here-->
<constructor-arg name="encodingAlgorithm" value="SHA"></constructor-arg>
</bean>
</property>
<property name="dataSource" ref="dataSource"></property>
</bean>
</list>
</property>
AND
customize CAS with the following class to decode Liferay 6 encoded password (see the password encoder property in the above fragment).
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;
import javax.validation.constraints.NotNull;
import org.jasig.cas.authentication.handler.PasswordEncoder;
import org.vps.crypt.Crypt;
/**
* To authenticate cas over Liferay 6.0.5 database using liferay 6.0.5 hashing
* algorithms.
*
*/
public class LiferayPasswordEncoder implements PasswordEncoder {
public static final String UTF8 = "UTF-8";
public static final String TYPE_CRYPT = "CRYPT";
public static final String TYPE_MD2 = "MD2";
public static final String TYPE_MD5 = "MD5";
public static final String TYPE_NONE = "NONE";
public static final String TYPE_SHA = "SHA";
public static final String TYPE_SHA_256 = "SHA-256";
public static final String TYPE_SHA_384 = "SHA-384";
public static final String TYPE_SSHA = "SSHA";
public static final DigesterImpl digesterImpl = new DigesterImpl();
#NotNull
private static String PASSWORDS_ENCRYPTION_ALGORITHM = TYPE_SHA;
public LiferayPasswordEncoder() {
}
public LiferayPasswordEncoder(final String encodingAlgorithm) {
PASSWORDS_ENCRYPTION_ALGORITHM = encodingAlgorithm;
}
public static final char[] saltChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"
.toCharArray();
public static String encrypt(String clearTextPassword) {
return encrypt(PASSWORDS_ENCRYPTION_ALGORITHM, clearTextPassword, null);
}
public static String encrypt(String clearTextPassword,
String currentEncryptedPassword) {
return encrypt(PASSWORDS_ENCRYPTION_ALGORITHM, clearTextPassword,
currentEncryptedPassword);
}
public static String encrypt(String algorithm, String clearTextPassword,
String currentEncryptedPassword) {
if (algorithm.equals(TYPE_CRYPT)) {
byte[] saltBytes = _getSaltFromCrypt(currentEncryptedPassword);
return encodePassword(algorithm, clearTextPassword, saltBytes);
} else if (algorithm.equals(TYPE_NONE)) {
return clearTextPassword;
} else if (algorithm.equals(TYPE_SSHA)) {
byte[] saltBytes = _getSaltFromSSHA(currentEncryptedPassword);
return encodePassword(algorithm, clearTextPassword, saltBytes);
} else {
return encodePassword(algorithm, clearTextPassword, null);
}
}
protected static String encodePassword(String algorithm,
String clearTextPassword, byte[] saltBytes) {
try {
if (algorithm.equals(TYPE_CRYPT)) {
return Crypt.crypt(saltBytes, clearTextPassword.getBytes(UTF8));
} else if (algorithm.equals(TYPE_SSHA)) {
byte[] clearTextPasswordBytes = clearTextPassword
.getBytes(UTF8);
// Create a byte array of salt bytes appeneded to password bytes
byte[] pwdPlusSalt = new byte[clearTextPasswordBytes.length
+ saltBytes.length];
System.arraycopy(clearTextPasswordBytes, 0, pwdPlusSalt, 0,
clearTextPasswordBytes.length);
System.arraycopy(saltBytes, 0, pwdPlusSalt,
clearTextPasswordBytes.length, saltBytes.length);
// Digest byte array
MessageDigest sha1Digest = MessageDigest.getInstance("SHA-1");
byte[] pwdPlusSaltHash = sha1Digest.digest(pwdPlusSalt);
// Appends salt bytes to the SHA-1 digest.
byte[] digestPlusSalt = new byte[pwdPlusSaltHash.length
+ saltBytes.length];
System.arraycopy(pwdPlusSaltHash, 0, digestPlusSalt, 0,
pwdPlusSaltHash.length);
System.arraycopy(saltBytes, 0, digestPlusSalt,
pwdPlusSaltHash.length, saltBytes.length);
// Base64 encode and format string
return Base64.encode(digestPlusSalt);
} else {
return digesterImpl.digest(algorithm, clearTextPassword);
}
} catch (NoSuchAlgorithmException nsae) {
throw new SecurityException("LiferayPasswordEncryption error:"
+ nsae.getMessage(), nsae);
} catch (UnsupportedEncodingException uee) {
throw new SecurityException("LiferayPasswordEncryption error:"
+ uee.getMessage(), uee);
}
}
private static byte[] _getSaltFromCrypt(String cryptString) {
byte[] saltBytes = null;
try {
if (Validator.isNull(cryptString)) {
// Generate random salt
Random random = new Random();
int numSaltChars = saltChars.length;
StringBuilder sb = new StringBuilder();
int x = random.nextInt(Integer.MAX_VALUE) % numSaltChars;
int y = random.nextInt(Integer.MAX_VALUE) % numSaltChars;
sb.append(saltChars[x]);
sb.append(saltChars[y]);
String salt = sb.toString();
saltBytes = salt.getBytes(Digester.ENCODING);
} else {
// Extract salt from encrypted password
String salt = cryptString.substring(0, 2);
saltBytes = salt.getBytes(Digester.ENCODING);
}
} catch (UnsupportedEncodingException uee) {
throw new SecurityException(
"Unable to extract salt from encrypted password: "
+ uee.getMessage(), uee);
}
return saltBytes;
}
private static byte[] _getSaltFromSSHA(String sshaString) {
byte[] saltBytes = new byte[8];
if (Validator.isNull(sshaString)) {
// Generate random salt
Random random = new SecureRandom();
random.nextBytes(saltBytes);
} else {
// Extract salt from encrypted password
try {
byte[] digestPlusSalt = Base64.decode(sshaString);
byte[] digestBytes = new byte[digestPlusSalt.length - 8];
System.arraycopy(digestPlusSalt, 0, digestBytes, 0,
digestBytes.length);
System.arraycopy(digestPlusSalt, digestBytes.length, saltBytes,
0, saltBytes.length);
} catch (Exception e) {
throw new SecurityException(
"Unable to extract salt from encrypted password: "
+ e.getMessage(), e);
}
}
return saltBytes;
}
public String encode(String pwd) {
return encrypt(pwd);
}
}
FINALLY add the following Liferay portal classes (you can found them in Liferay portal sources) to the customized CAS (they are used by the above LiferayPasswordEncoder):
Base64.java
CharPool.java
ClassLoaderObjectInputStream.java
Digester.java
DigesterImpl.java
StringBundler.java
StringPool.java
UnsyncByteArrayInputStream.java
UnsyncByteArrayOutputStream.java
Validator.java
EDIT: added complete deployerConfigContext.xml for the error and CAS version question:
I'm running CAS version 3.4.5, and you?
Here it is my complete deployerConfigContext.xml file. I think there is some error in your file introduced while adding the fragment above. In fact the missing bean is defined in that file. Please try to merge the following file with your (given the differences in database url, username and password, etc..):
<?xml version="1.0" encoding="UTF-8"?>
<!-- | deployerConfigContext.xml centralizes into one file some of the declarative
configuration that | all CAS deployers will need to modify. | | This file declares
some of the Spring-managed JavaBeans that make up a CAS deployment. | The beans declared
in this file are instantiated at context initialization time by the Spring | ContextLoaderListener
declared in web.xml. It finds this file because this | file is among those declared
in the context parameter "contextConfigLocation". | | By far the most common change
you will need to make in this file is to change the last bean | declaration to replace
the default SimpleTestUsernamePasswordAuthenticationHandler with | one implementing
your approach for authenticating usernames and passwords. + -->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<bean id="propertyPlaceholder" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="searchSystemEnvironment" value="true"></property>
</bean>
<!-- | This bean declares our AuthenticationManager. The CentralAuthenticationService
service bean | declared in applicationContext.xml picks up this AuthenticationManager
by reference to its id, | "authenticationManager". Most deployers will be able to
use the default AuthenticationManager | implementation and so do not need to change
the class of this bean. We include the whole | AuthenticationManager here in the
userConfigContext.xml so that you can see the things you will | need to change in
context. + -->
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<!-- | This is the List of CredentialToPrincipalResolvers that identify what
Principal is trying to authenticate. | The AuthenticationManagerImpl considers them
in order, finding a CredentialToPrincipalResolver which | supports the presented
credentials. | | AuthenticationManagerImpl uses these resolvers for two purposes.
First, it uses them to identify the Principal | attempting to authenticate to CAS
/login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver
| that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials,
you will need to replace | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver
that supports the credentials you are | using. | | Second, AuthenticationManagerImpl
uses these resolvers to identify a service requesting a proxy granting ticket. |
In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver
that serves this purpose. | You will need to change this list if you are identifying
services by something more or other than their callback URL. + -->
<property name="credentialsToPrincipalResolvers">
<list>
<!-- | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials
that we use for /login | by default and produces SimplePrincipal instances conveying
the username from the credentials. | | If you've changed your LoginFormAction to
use credentials other than UsernamePasswordCredentials then you will also | need
to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver
that supports the | Credentials you are using. + -->
<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"></bean>
<!-- | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.
It supports the CAS 2.0 approach of | authenticating services by SSL callback, extracting
the callback URL from the Credentials and representing it as a | SimpleService identified
by that callback URL. | | If you are representing services by something more or other
than an HTTPS URL whereat they are able to | receive a proxy callback, you will need
to change this bean declaration (or add additional declarations). + -->
<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"></bean>
</list>
</property>
<!-- | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials
might authenticate, | AuthenticationHandlers actually authenticate credentials. Here
we declare the AuthenticationHandlers that | authenticate the Principals that the
CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn |
until it finds one that both supports the Credentials presented and succeeds in authenticating.
+ -->
<property name="authenticationHandlers">
<list>
<!-- | This is the authentication handler that authenticates services by
means of callback via SSL, thereby validating | a server side SSL certificate. + -->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient"></bean>
<bean class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler">
<property name="tableUsers">
<value>User_</value>
</property>
<property name="fieldUser">
<value>emailAddress</value>
</property>
<property name="fieldPassword">
<value>password_</value>
</property>
<property name="passwordEncoder">
<bean class="com.ccm.ci.cas.authentication.handler.LiferayPasswordEncoder">
<!-- Default Liferay Password Encryption is SHA algorithm. If someone changes it in liferay it have to been changed here-->
<constructor-arg name="encodingAlgorithm" value="SHA"></constructor-arg>
</bean>
</property>
<property name="dataSource" ref="dataSource"></property>
</bean>
</list>
</property>
</bean>
<!-- This bean defines the security roles for the Services Management application.
Simple deployments can use the in-memory version. More robust deployments will want
to use another option, such as the Jdbc version. The name of this should remain "userDetailsService"
in order for Spring Security to find it. -->
<!-- <sec:user name="##THIS SHOULD BE REPLACED##" password="notused" authorities="ROLE_ADMIN"
/> -->
<sec:user-service id="userDetailsService">
<sec:user name="##THIS SHOULD BE REPLACED##" password="notused" authorities="ROLE_ADMIN"></sec:user>
</sec:user-service>
<!-- Bean that defines the attributes that a service may return. This example uses
the Stub/Mock version. A real implementation may go against a database or LDAP server.
The id should remain "attributeRepository" though. -->
<bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid"></entry>
<entry key="eduPersonAffiliation" value="eduPersonAffiliation"></entry>
<entry key="groupMembership" value="groupMembership"></entry>
</map>
</property>
</bean>
<!-- Sample, in-memory data store for the ServiceRegistry. A real implementation
would probably want to replace this with the JPA-backed ServiceRegistry DAO The name
of this bean should remain "serviceRegistryDao". -->
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="0"></property>
<property name="name" value="HTTP"></property>
<property name="description" value="Only Allows HTTP Urls"></property>
<property name="serviceId" value="http://**"></property>
</bean>
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="1"></property>
<property name="name" value="HTTPS"></property>
<property name="description" value="Only Allows HTTPS Urls"></property>
<property name="serviceId" value="https://**"></property>
</bean>
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="2"></property>
<property name="name" value="IMAPS"></property>
<property name="description" value="Only Allows HTTPS Urls"></property>
<property name="serviceId" value="imaps://**"></property>
</bean>
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="3"></property>
<property name="name" value="IMAP"></property>
<property name="description" value="Only Allows IMAP Urls"></property>
<property name="serviceId" value="imap://**"></property>
</bean>
</list>
</property>
</bean>
<!-- Data source definition -->
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName">
<value>com.mysql.jdbc.Driver</value>
</property>
<property name="url">
<value>jdbc:mysql://10.4.2.14:3306/lportal_${user.name}</value>
</property>
<property name="username">
<value>${user.name}</value>
</property>
<property name="password">
<value>${user.name}</value>
</property>
<property name="initialSize" value="1"></property>
<property name="maxIdle" value="5"></property>
<property name="maxActive" value="50"></property>
<property name="maxWait" value="10000"></property>
<property name="validationQuery" value="select 1"></property>
<property name="testOnBorrow" value="false"></property>
<property name="testWhileIdle" value="true"></property>
<property name="timeBetweenEvictionRunsMillis" value="10000"></property>
<property name="minEvictableIdleTimeMillis" value="30000"></property>
<property name="numTestsPerEvictionRun" value="-1"></property>
</bean>
</beans>