Thanks. http://websystique.com/spring-security/spring-security-4-remember-me-example-with-hibernate/ Considered how the session should be maintained at the necessary time.At first, an additional table should be established in the OBD system to store information on sessions.CREATE TABLE persistent_logins ( username VARCHAR(64) NOT NULL, series VARCHAR(64) NOT NULL, token VARCHAR(64) NOT NULL, last_used TIMESTAMP NOT NULL, PRIMARY KEY (series) ); Next, the Spring'a configuration should add the following:<remember-me remember-me-parameter="remember-me" remember-me-cookie="remember-me" token-validity-seconds="86400" data-source-ref="dataSource" /> JSP adds a box check with an attribute name the value of which is equal to stated in remember-me-parameter:<input type="checkbox" id="rememberme" name="remember-me"> After these manipulations, at the end of the authorisation, the browser will have to show up. cookie by name, remember-me-cookie♪

Add the class. User The fields you need, and on the website, put them in. https://github.com/hellokoding/registration-login-spring-xml-maven-jsp-mysql/blob/master/src/main/webapp/WEB-INF/views/registration.jsp#L57 I'd like to know what's happening.

Problem solved by adding pom.xml Apache libraries.commons.logging, like this:<dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <version>1.2</version> </dependency>

Copies of the site HttpServletResponse It belongs to the container. It may be linked to the many resources of the container, which the application developer does not know in most cases. Usually specific Response related to specific Request and attempted substitution Response may lead to an uncertain state of your software. Don't save or try to replace such resources.The contents of the response should be transmitted to the client at HtpServletResponse.getOutputStream() and stored a folded response in a format that can be transmitted as a flow (directly or through a series). At the same time, it should always be used. Responsejust received from the container.

The user needs to be retrieved before being preserved, the password encrypted, for example by: public void encodeUserPassword(User user){ String hashString = user.getPassword(); ShaPasswordEncoder encoder = new ShaPasswordEncoder(); String hashOutput = encoder.encodePassword(hashString,null); user.setPassword(hashOutput); } and keep it in the OBD system.

Any banal protected connection with the identification of each party.For example, HTTPS + customer SSL♪ It's important not to lose your certificates. Since you don't need these certificates to trust the outside world, there's no need to sign it from the "weight certifying centers," there's no need for self-signed.Generate self-signed Server certificate♪Generate self-signed CA (Certificate Authority, Certificate Centre) customer certificates♪Generate Customer Certificate and sign it with CA from the previous paragraph.When you play with the certificates and keys, the components of the system will have to be built for their use:HTTP-Client Service shall be fitted with HTTPS connections Service check that the server was presented by a known server certificate and no other (CA system cannot be trusted in this case!) He doesn't need a certificate himself. Public key to server certificate♪HTTP-server Service A must verify that the client SSL certification is issued CA and No one else.♪ To that end, he must know the public key of this CA. Unfortunately, this area of my competence ends.When it is, both sides know they're the ones who are being issued for, there's little reason to worry about the security of the data transferred. The reliability of the compound is based on the preservation of CA keys and malicious certificates.I'm counting on the one service-- a lot of services. Depending on where "multiful" and where "one" can make sense to replace the {CA}+{his certificates} by simply {self-signed certificate} or vice versa.

Got it. The right copying is needed not only by UserDetailsService, but also by AuthenticationProvider.

According to the http://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/core/userdetails/UserDetails.html user characteristic enabled♪ But your sql'niks don't have his sample, so it's default anyway. false♪ You need to add a sample of this properties to the sql'nik. If you want it to always be like trueI have to add true as enabled♪ In the end, it'll be about.authoritiesByUsernameQuery("select user_name, user_is_administrator, user_id, true as enabled from rs_user where user_name=?");

Common libraries can be delivered to the library of the application server. For example, tomcat/lib♪ Then we can remove these libraries from the war assembly. In maven for this, scope = provided♪

There's a parameter to be included in "external" requests. withCredentials = true client in JavaScript (sighs) https://stackoverflow.com/questions/2054316/sending-credentials-with-cross-domain-posts )

Admin and the user have different roles. In spring-security, you limit access to different urls based on roles.

The error was caused by the fact that the picture folder was not included in the project, but written in spring-security configurations. That's why this spring folder didn't find and swear.

Try using. return "redirect:/любой/путь";♪ I'm gonna have to remove the annotation. @ResponseBody♪ @RequestMapping(value = "/deleteUser", method = RequestMethod.POST) public String createAlbum(@RequestParam("name") String name) throws Exception { ... ModelAndView model = new ModelAndView("/main"); ... return "redirect:/любой/путь"; }

You haven't given the names of the fields in the form of an introduction.<security:form-login login-page="/login" default-target-url="/restaurants" authentication-failure-url="/login?error=true" username-parameter="username" password-parameter="password" /> Second, why login-processing-url? This parameter requires a method with this urn that will be processed. Why? You can use standard. In fact, it's because there's no such thing.<c:url var="loginUrl" value="/login" /> <form action="${loginUrl}" method="post"> Thirdly, if you have Spring Security 4, pay attention to this. https://ru.stackoverflow.com/a/524065/210568 ♪Good luck!

You can try to hang users, but this will affect resources. You can also keep them in the session, but it'll reduce the safety of the annex. It's really okay. And if I were you, I'd start thinking about this question if only that really had a strong impact on the speed of your application. I think it's called early optimization.By the way, I thought you might want to escape from constant requests to the base, rather than from a regular repetition code?

I understand it is necessary to seek a validation of the login, but at the Hibernate Library and javax.validation, I did not find an annotations that might solve this situation.Of course, there is no such annotations, because in all annexes, different tables, fields and logic for their verification.Tell me, colleagues, is there a library that will help solve my problem, or is it necessary to ask for your own annotation that goes to the OBD system and checks whether there is a user with this key?Yeah, that's right.This is an example from my project: https://github.com/php-coder/mystamps/blob/e2fb2fec835d5f0f1a1e662b1e9783bc0286f961/src/main/java/ru/mystamps/web/validation/jsr303/UniqueLogin.java https://github.com/php-coder/mystamps/blob/e2fb2fec835d5f0f1a1e662b1e9783bc0286f961/src/main/java/ru/mystamps/web/validation/jsr303/UniqueLoginValidator.java https://github.com/php-coder/mystamps/blob/e2fb2fec835d5f0f1a1e662b1e9783bc0286f961/src/main/java/ru/mystamps/web/model/ActivateAccountForm.java#L70-L71

For example, try this:.antMatchers("/user/**").access("hasRole('ROLE_USER')") .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')") And I advise you to read something, even this: https://habrahabr.ru/post/226791/ (and better of course, Spring Security documentation).

First, we need to get the name of the spring-security laser.public String getCurrentUsername() { Authentication auth = SecurityContextHolder.getContext().getAuthentication(); return auth.getName(); } and send him to hibernate.public User getUserByUsername(String username) { CriteriaQuery<User> criteriaQuery = em.getCriteriaBuilder().createQuery(User.class); Root<User> userRequest = criteriaQuery.from(User.class); Expression&lt;String&gt; exp = userRequest.get("username"); Predicate predicate = exp.in(username); criteriaQuery.where(predicate); try { return em.createQuery(criteriaQuery).getSingleResult(); } catch (NoResultException e) { return new User(); } }

http://www.mkyong.com/spring-security/spring-security-form-login-example/ If you want a more detailed review, turn Security.xml and the controller.

When you write such a thing:public void addResourceHandlers(final ResourceHandlerRegistry registry) { registry.addResourceHandler("/resources/**").addResourceLocations("/resources/"); } That means that the catalogue. /resources You're in the catalogue. /webappsince Spring is using a method to get the way to this resource. ServletContext.getResource()When you call getResource() on a specific application context, and the location path specified doesn't have a specific prefix, you will get back a Resource type that is appropriate to that particular application context. For example, assume the following snippet of code was executed against a ClassPathXmlApplicationContext instance:Resource template = ctx.getResource("some/resource/path/myTemplate.txt);What would be returned would be a ClassPathResource; if the same method was executed against a FileSystemXmlApplicationContext instance, you'd get back a FileSystemResource. For aWebApplicationContext, you'd get back a ServletContextResource, and soon. http://docs.spring.io/autorepo/docs/spring/3.2.x/spring-framework-reference/html/resources.html You'placed everything into a standard Maven catalogue. /resourcesand thus sent the statist to the classpath of the annex. Open up the WAR file and see where these files are-- /WEB-INF/classes♪This is an example of how access to static resources can be configured:spring-mvc-java-config » tree . ├── pom.xml ├── src │   └── main │   ├── java │   └── webapp │   └── WEB-INF │   ├── fonts │   ├── html │   ├── i18n │   └── images │   └── scripts │   └── styles │   └── images WebMvcConfigurerAdapterpublic class WebConfig extends WebMvcConfigurerAdapter { @Override public void addResourceHandlers(ResourceHandlerRegistry registry) { registry.addResourceHandler("/scripts/**").addResourceLocations("/WEB-INF/scripts/"); registry.addResourceHandler("/styles/**").addResourceLocations("/WEB-INF/styles/"); registry.addResourceHandler("/images/**").addResourceLocations("/WEB-INF/images/"); registry.addResourceHandler("/fonts/**").addResourceLocations("/WEB-INF/fonts/"); } } WebSecurityConfigurerAdapterpublic class SecurityConfig extends WebSecurityConfigurerAdapter { @Override public void configure(WebSecurity web) throws Exception { web.ignoring() .antMatchers("/scripts/**") .antMatchers("/styles/**") .antMatchers("/images/**") .antMatchers("/fonts/**"); } } And don't forget to add https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpServletRequest.html#getContextPath%28%29 Appendices when you write URL a static resource in JSP, Thymeleaf.