
  • authorizationManager and JSF2 issue

    Hi Spring Security Experts,

    Actually, I am struggling with a simple JavaServer Faces 2.0 and Spring 3.1 integration. I am new to Spring Security and therefore it might be a silly issue, but for me it is a real showstopper so far.

    Spring and Spring Security configuration went well so far. The security URL filtering works, but after trying to authorize the user via my own login page, I'm struggling with authorizationManager. It seems that it is not well bound and I cannot figure out how to access the authorizationManager.
    I get a nullpointer exception if I try to access it from within my AuthenticationService (marked red below), so I am not able to wire it correctly.

    Here is what I did

    web.xml (spring relevant section)

    Code:
    <context-param>
      <param-name>contextConfigLocation</param-name>
         <param-value>
             /WEB-INF/spring-config.xml
             /WEB-INF/spring-security.xml
         </param-value>
    </context-param>
    <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

    spring-config.xml
    Code:
    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
    		<property name="driverClassName" value="com.mysql.jdbc.Driver"></property>
    		<property name="url" value="jdbc:mysql://localhost:3306/testDB"></property>
    		<property name="username" value="test"></property>
    		<property name="password" value="test"></property>
    	</bean>
    	<bean id="sessionFactory"
    		class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
    		<property name="dataSource">
    			<ref bean="dataSource" />
    		</property>
    		<property name="hibernateProperties">
    			<props>
    				<prop key="hibernate.dialect">
    					org.hibernate.dialect.MySQLDialect
    				</prop>
    			</props>
    		</property>
    	</bean>
    spring-security.xml
    Code:
    <http auto-config="true">
    		<intercept-url pattern="/pages/admin/*"
    			access="ROLE_ADMIN" />
    		<intercept-url pattern="/pages/*" access="ROLE_USER" />
    		<form-login login-page="/login.faces"
    			authentication-failure-url="/loginfailed.faces" />
    	</http>
    
    	<authentication-manager alias="authenticationManager">
    		<authentication-provider>
    			<user-service>
    				<user name="john" password="secret" authorities="ROLE_USER, ROLE_ADMIN" />
    			</user-service>
    		</authentication-provider>
    	</authentication-manager>
    login.xhtml
    Code:
    <h:form>
      <h2>Please login first</h2>
      <p>Username</p>
      <p><h:inputText required="true" value="#{loginBean.username}"/></p>
      <p>Password</p>
      <p><h:inputSecret required="true" value="#{loginBean.password}"/></p>
      <p><h:commandButton type="submit" id="login" action="#{loginBean.login}" value="login"/></p>
    </h:form>
    LoginBean.java
    Code:
    @ManagedBean(name = "loginBean")
    @RequestScoped
    public class LoginBean extends AbstractBeanBase {
    
    	@ManagedProperty(value = "#{authenticationService}")
    	private IAuthenticationService	authenticationService;
    
    	private String					username			= null;
    
    	private String					password			= null;
    
    	public String login() {
    
    		boolean success = authenticationService.login(username, password);
    
    		if (success) {
    			return "welcome.xhtml"; 
    		} else {
    			FacesContext.getCurrentInstance()
    					.addMessage(null, new FacesMessage("Login or password wrong."));
    			return "login.xhtml";
    		}
    	}
    
    	public String getUsername() {
    		return username;
    	}
    
    	public void setUsername(String username) {
    		this.username = username;
    	}
    
    	public String getPassword() {
    		return password;
    	}
    
    	public void setPassword(String password) {
    		this.password = password;
    	}
    
    	public void setAuthenticationService(IAuthenticationService authenticationService) {
    		this.authenticationService = authenticationService;
    	}
    }
    AuthenticationService.java
    Code:
    @ManagedBean(name = "authenticationService")
    @SessionScoped
    public class AuthenticationService implements IAuthenticationService {
    	
    	@Resource (name = "authenticationManager")
    	private AuthenticationManager authenticationManager; 
    	@Override
    	public boolean login(String username, String password) {
    		try {
    			Authentication authenticate = authenticationManager
    					.authenticate(new UsernamePasswordAuthenticationToken(
    							username, password));
    			if (authenticate.isAuthenticated()) {
    				SecurityContextHolder.getContext().setAuthentication(
    						authenticate);				
    				return true;
    			}
    		} catch (AuthenticationException e) {
    			// Authentication failed: fall through and return false
    		}
    		return false;
    	}
    
    	@Override
    	public void logout() {
    		SecurityContextHolder.getContext().setAuthentication(null);
    	}
    
    }
    Instead of using @Resource I have also tried @ManagedProperty, which also fails, but directly during application startup.


    Hopefully anybody knows what went wrong.


    Thanks in advance
    John
    Last edited by jbegham; Jul 30th, 2012, 03:56 PM.

  • #2
    Is it just Spring Security that you are unable to inject or is everything? What does your JSF configuration look like (i.e. are you using SpringBeanFacesELResolver)? I would suggest running the webflow-primefaces-showcase sample which can be found in Spring Web Flow as a starting point. It also has additional information about integrating Spring Security with JSF.



    • #3
      Hi Rob,

      thanks for the reply. I checked out the primefaces-example and I have seen that there is an additional listener in their web.xml
      Code:
      <listener>
          <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
      </listener>
      After putting it in, changing @Resource to @ManagedProperty and then creating my getters/setters for the authenticationManager in my AuthenticationService class, authenticationManager is now injected (seen in the debugger as org.springframework.security.authentication.ProviderManager) and is no longer null.

      AuthenticationService.java
      Code:
      import javax.faces.bean.ManagedBean;
      import javax.faces.bean.ManagedProperty;
      import javax.faces.bean.SessionScoped;
      
      import org.springframework.security.authentication.AuthenticationManager;
      import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
      import org.springframework.security.core.Authentication;
      import org.springframework.security.core.AuthenticationException;
      import org.springframework.security.core.context.SecurityContextHolder;
      
      
      @ManagedBean(name = "authenticationService")
      @SessionScoped
      public class AuthenticationService implements IAuthenticationService {
      
          @ManagedProperty (value="#{authenticationManager}")
          private AuthenticationManager authenticationManager; 
          
          @Override
          public boolean login(String username, String password) {
              try {
                  Authentication authenticate = authenticationManager
                          .authenticate(new UsernamePasswordAuthenticationToken(
                                  username, password));
                  if (authenticate.isAuthenticated()) {
                      SecurityContextHolder.getContext().setAuthentication(
                              authenticate);                
                      return true;
                  }
              } catch (AuthenticationException e) {
                  // Authentication failed: fall through and return false
              }
              return false;
          }
      
          @Override
          public void logout() {
              SecurityContextHolder.getContext().setAuthentication(null);
          }
      
          
          public AuthenticationManager getAuthenticationManager() {
              return authenticationManager;
          }
      
          
          public void setAuthenticationManager(AuthenticationManager authenticationManager) {
              this.authenticationManager = authenticationManager;
          }
      }
      So thanks again for providing the link to the examples.
      John
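
A hardened variant of the programmatic login posted in this thread, as an added example that is not code from the thread or from Spring: it looks up the `authenticationManager` alias from Spring's root context through `FacesContextUtils` instead of relying on JSF injection, applies the session-fixation step that a direct `authenticate()` call skips, and invalidates the session on logout. The class name `ProgrammaticLogin` is hypothetical, and the code assumes the request passes through `springSecurityFilterChain` as in the posted web.xml.

```java
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.web.jsf.FacesContextUtils;

// Added example: hypothetical helper class, not part of the thread's code.
public class ProgrammaticLogin {

    // Fetch the bean from Spring's root context on each call; throws if no context is loaded.
    private static AuthenticationManager manager(FacesContext fc) {
        return FacesContextUtils.getRequiredWebApplicationContext(fc)
                .getBean("authenticationManager", AuthenticationManager.class);
    }

    public static boolean login(String username, String password) {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        try {
            Authentication auth = manager(fc).authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // The form-login filter migrates the session after login; a direct call must do it itself.
            new SessionFixationProtectionStrategy().onAuthentication(auth,
                    (HttpServletRequest) ec.getRequest(),
                    (HttpServletResponse) ec.getResponse());
            SecurityContextHolder.getContext().setAuthentication(auth);
            return true;
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            ec.log("Login attempt failed: " + e.getMessage()); // record the failure, never the password
            return false;
        }
    }

    public static void logout() {
        // Drop the thread-bound context and the server-side session together.
        SecurityContextHolder.clearContext();
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
    }
}
```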
