  • JSF/ACEGI : weird behavior securing URLs

    Hello,

    I'd like to submit a painful problem I have been facing for 2 days and that is driving me crazy!
    My webapp (running on Tomcat 5.5) uses Spring/Hibernate/JSF (Sun RI) and now the powerful Acegi system for all of the security requirements.
    Everything seems to work great, except the URL navigation protection!

    As you probably know, JSF has, by design, a "navigation engine" that relies on forwards instead of redirects. The URL displayed in the browser rarely corresponds to the page actually displayed (in fact, the URL address is the previous navigation).
    As a consequence, the big problem is that any protected URI is nevertheless displayed!
    And it's only when the subsequent navigation happens that my login page appears! Damn.

    I thought I had found "the" trivial solution, according to some of my searching and reading on servlet filters, by adding to the filter mapping:

    Code:
        <filter-mapping>
            <filter-name>Acegi Filter Chain Proxy</filter-name>
            <url-pattern>/faces/*</url-pattern>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
    But nothing changed. It seems that the forward request is not intercepted by the filter chain?
    In debug-level mode, I can confirm that there is absolutely no trace of the forward request in the filter trace.

    Any idea? Please!

  • #2
    Well, the only workaround I've found was to systematically specify a <redirect/> in each JSF navigation rule.
    Not really satisfying, but it works...

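The two configurations discussed in the thread so far, as an added example (not code from any post here or from the Acegi project): a JSF navigation case with <redirect/>, which makes the browser issue a fresh GET for the target view so the Acegi filter chain authorizes the URL that is really shown, and the alternative of mapping the filter chain onto internal forwards. The view ids, outcome, bean names and role are assumptions. Two things to check before trusting the FORWARD mapping: Acegi's FilterSecurityInterceptor skips a request it has already authorized unless observeOncePerRequest is set to false, so a FORWARD mapping alone changes nothing; and with JSP-based views the JSF RI forwards to the physical .jsp path (/company/new.jsp rather than /company/new.jsf), so a /faces/* or *.jsf url-pattern never sees the forward, and an objectDefinitionSource that only lists .jsf URLs treats the forwarded path as a public object and lets it through.

```xml
<!-- faces-config.xml: navigation case with <redirect/>.
     Without <redirect/> JSF renders /company/new.jsp inside the POST to
     /company/list.jsf, so both the browser URL and the FilterInvocation URL
     stay /company/list.jsf. With it, JSF answers 302 to /company/new.jsf and
     the browser's new GET passes through the filter chain as a normal request.
     View ids and the outcome name are assumptions for this example. -->
<navigation-rule>
  <from-view-id>/company/list.jsp</from-view-id>
  <navigation-case>
    <from-outcome>create</from-outcome>
    <to-view-id>/company/new.jsp</to-view-id>
    <redirect/>
  </navigation-case>
</navigation-rule>

<!-- web.xml: apply the filter chain to internal forwards as well.
     Mapped on /* rather than *.jsf so the forward to /company/new.jsp matches. -->
<filter-mapping>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>

<!-- applicationContext-security.xml: the interceptor must re-run on the
     forward (by default it passes an already-authorized request straight
     through), and the patterns must cover the .jsp path the forward lands on.
     An unmatched URL is a "public secure object" and is allowed. -->
<bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="observeOncePerRequest" value="false"/>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /login.jsf=IS_AUTHENTICATED_ANONYMOUSLY
      /login.jsp=IS_AUTHENTICATED_ANONYMOUSLY
      /company/**=IS_AUTHENTICATED_FULLY,ROLE_CONSYS
      /**=IS_AUTHENTICATED_FULLY
    </value>
  </property>
</bean>
```

The quickest way to confirm which of the two problems applies is the filter trace itself: with the FORWARD dispatcher in place, a second FilterInvocation line for /company/new.jsp should appear for every navigation; if it does not, the url-pattern is not matching the forwarded path, and if it appears but is reported as a public object, the patterns need the .jsp path.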


    • #3
      Hi ecamps! I have the same problem, did you solve it?

      Thanks!

      Peace!



      • #4
        Sorry...
        No I never solved this issue.
        Furthermore, I've shifted from JSF to the GWT framework :-)
        Anyway, good luck!



        • #5
          Got the same problem, I can't intercept navigation.

          In my JSF page, list.jsf, I have a backing bean, CompanyMBean, and some methods, like create(), that navigate to another page, new.jsf.

          Calling #{companyMBean.create} invokes the CompanyMBean.create method and renders another page, new.jsf, but Acegi checks list.jsf.

          I have a custom AccessDecisionVoter (SecurityRoleVoter) and a LoggerListener (SecurityLoggerListener).

          The flow is below.

          Access the page: /company/list.jsf. Since I'm not logged in, redirect to /login.jsf.

          Code:
          2007-10-04 14:50:50,296 WARN  event.authorization.LoggerListener  -> Security interception failed due to: org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext; secure object: FilterInvocation: URL: /company/list.jsf; configuration attributes: [IS_AUTHENTICATED_FULLY, ROLE_CONSYS]
          2007-10-04 14:50:50,296 INFO  business.security.SecurityLoggerListener  -> event ---->>>>> 1191520250296
          2007-10-04 14:50:50,296 INFO  business.security.SecurityLoggerListener  ->              ---->>>>> FilterInvocation: URL: /company/list.jsf
          2007-10-04 14:50:50,437 INFO  event.authorization.LoggerListener  -> Security interception not required for public secure object: FilterInvocation: URL: /login.jsf
          2007-10-04 14:50:50,437 INFO  business.security.SecurityLoggerListener  -> event ---->>>>> 1191520250437
          2007-10-04 14:50:50,437 INFO  business.security.SecurityLoggerListener  ->              ---->>>>> FilterInvocation: URL: /login.jsf
          After login, I can access /list.jsf.
          Code:
          2007-10-04 14:53:13,453 INFO  business.security.SecurityRoleVoter  -> -------------------- checking permissions for -> /company/list.jsf
          2007-10-04 14:53:13,453 INFO  business.security.SecurityRoleVoter  -> -------------------- returning -> 1
          2007-10-04 14:53:13,453 INFO  business.security.SecurityRoleVoter  -> -------------------- checking permissions for -> /company/list.jsf
          2007-10-04 14:53:13,453 INFO  business.security.SecurityRoleVoter  -> -------------------- returning -> 1
          2007-10-04 14:53:13,453 INFO  event.authorization.LoggerListener  -> Security authorized for authenticated principal: [email protected]a46fcdc: Username: luciano; Password: [PROTECTED]; Authenticated: true; Details: br.com.business.security.SecurityUserDetails@369fdc; Granted Authorities: ROLE_USER; secure object: FilterInvocation: URL: /company/list.jsf; configuration attributes: [IS_AUTHENTICATED_FULLY, ROLE_CONSYS]
          2007-10-04 14:53:13,453 INFO  business.security.SecurityLoggerListener  -> event ---->>>>> 1191520393453
          2007-10-04 14:53:13,453 INFO  business.security.SecurityLoggerListener  ->              ---->>>>> FilterInvocation: URL: /company/list.jsf
          Clicking the commandButton that calls #{companyMBean.create}, the method is called but does not have any effect.

          Code:
          2007-10-04 14:54:23,937 INFO  business.security.SecurityRoleVoter  -> -------------------- checking permissions for -> /company/list.jsf
          2007-10-04 14:54:23,937 INFO  business.security.SecurityRoleVoter  -> -------------------- returning -> 1
          2007-10-04 14:54:23,937 INFO  business.security.SecurityRoleVoter  -> -------------------- checking permissions for -> /company/list.jsf
          2007-10-04 14:54:23,937 INFO  business.security.SecurityRoleVoter  -> -------------------- returning -> 1
          2007-10-04 14:54:23,937 INFO  event.authorization.LoggerListener  -> Security authorized for authenticated principal: [email protected]a46fcdc: Username: luciano; Password: [PROTECTED]; Authenticated: true; Details: br.com.business.security.SecurityUserDetails@369fdc; Granted Authorities: ROLE_USER; secure object: FilterInvocation: URL: /company/list.jsf; configuration attributes: [IS_AUTHENTICATED_FULLY, ROLE_CONSYS]
          2007-10-04 14:54:23,937 INFO  business.security.SecurityLoggerListener  -> event ---->>>>> 1191520463937
          2007-10-04 14:54:23,937 INFO  business.security.SecurityLoggerListener  ->              ---->>>>> FilterInvocation: URL: /company/list.jsf
          2007-10-04 14:54:23,953 INFO  business.mbeans.CompanyMBean  -> create()
          So, I have some questions:

          1) Why is my SecurityRoleVoter being called twice?

          2) How can I intercept the navigation?


          Thanks.
          Last edited by sp00ky; Oct 4th, 2007, 03:38 PM.



          • #6
            Yay!!!

            Hi Guys! With a few changes it's finally running!!! I'll organize my source and configuration XMLs and post them here, ok?! But I affirm that a blog helped me. This one: http://blogs.steeplesoft.com/2006/11...rity-with-jsf/

            Very good!

            Peace!



            • #7
              Hi Guys! I placed the following listener in my web.xml.

              Code:
              <listener>
                  <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
              </listener>
              Then, my application started to intercept navigation/request.



              Peace!



              • #8
                SOLVED: question #1, the RoleVoter being called twice; see here for my implementation:

                http://forum.springframework.org/showthread.php?t=44699

                I still have issues with navigation, since the FilterInvocation is being called, but the URL is still list.jsf, and I want to intercept the <to-view-id> address.

                I made a new post about this issue, since I think that it can be solved by using a MethodSecurityInterceptor, check the link above.

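The method-level approach mentioned in the last post, as an added example (not the poster's code or configuration): securing the backing bean's create() method with Acegi's MethodSecurityInterceptor, whose check runs when the method is invoked, whatever URL the browser or the FilterInvocation shows. The fully qualified name br.com.business.mbeans.CompanyMBean is assumed from the thread's log lines, and the bean ids and role are assumptions too. The one precondition that is easy to miss: the managed bean has to be a Spring bean, resolved from JSF through Spring's DelegatingVariableResolver, for the proxy to apply; a bean created by the JSF managed-bean facility is never proxied, so the interceptor never runs and no error tells you so.

```xml
<!-- applicationContext.xml: the backing bean is defined in Spring so it can be
     proxied. Request scope needs Spring's RequestContextListener in web.xml.
     Package and class name are assumed from the thread's log lines. -->
<bean id="companyMBean" class="br.com.business.mbeans.CompanyMBean" scope="request">
  <!-- collaborators omitted -->
</bean>

<!-- Method-level security: the attributes are evaluated when create() is
     invoked, independent of the URL the browser shows. A wildcard line keeps
     every other method of the bean behind authentication. -->
<bean id="companyMBeanSecurity"
      class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="objectDefinitionSource">
    <value>
      br.com.business.mbeans.CompanyMBean.create=ROLE_CONSYS
      br.com.business.mbeans.CompanyMBean.*=IS_AUTHENTICATED_FULLY
    </value>
  </property>
</bean>

<!-- Wrap the managed bean in a proxy that runs the interceptor on every call. -->
<bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
  <property name="beanNames">
    <list><value>companyMBean</value></list>
  </property>
  <property name="interceptorNames">
    <list><value>companyMBeanSecurity</value></list>
  </property>
</bean>

<!-- faces-config.xml: let JSF resolve #{companyMBean} from the Spring context,
     so the proxied instance is the one the commandButton actually calls.
     Remove any <managed-bean> entry for companyMBean, or JSF's own unproxied
     instance wins. -->
<application>
  <variable-resolver>org.springframework.web.jsf.DelegatingVariableResolver</variable-resolver>
</application>
```

With this in place a user who reaches /company/list.jsf but lacks ROLE_CONSYS gets an AccessDeniedException from the create() call itself, which the ExceptionTranslationFilter in the chain turns into the usual access-denied response; the URL rules stay as a first layer, but the method check is the one that cannot be sidestepped by server-side navigation.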
