Hello,
I am developing a modular webapp. One part of it is a JSF webapp, the frontend, which contains only views with controllers and a service layer (REST client and SOAP client), running on JBoss. Another part, the backend, provides web services (REST server, SOAP services) and holds the connection to the database. The frontend has no possibility to connect to a database.
My question/problem:
Authentication has to be performed from a login page (frontend) via REST service or SOAP to the backend. The backend has to connect to the database to check the credentials, return the result to the frontend, and store it in the session. In a single webapp this is not a problem. There I use a security-config.xml like this:
Code:
<security:http auto-config="true">
    <security:form-login login-page="/app/main" default-target-url="/app/account" />
    <security:logout logout-url="/app/logout" logout-success-url="/app/main" />
</security:http>

<security:authentication-manager>
    <security:authentication-provider user-service-ref="userService">
        <security:password-encoder ref="encoder" />
    </security:authentication-provider>
</security:authentication-manager>

<!-- Explicit provider wired into the authenticationManager bean below; no passwordEncoder is set on this bean -->
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userService" />
    <property name="hideUserNotFoundExceptions" value="false" />
</bean>

<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg>
        <ref bean="daoAuthenticationProvider" />
    </constructor-arg>
</bean>

<!-- SHA-512 password encoder referenced by the namespace provider above -->
<bean id="encoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <constructor-arg value="512"/>
</bean>
In bean.xml:
Code:
<bean id="userAuthenticationProviderService" class="de.relo.services.impl.UserAuthenticationProviderServiceImpl">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>
And a Java class:
Code:
...
private AuthenticationManager authenticationManager;

public AuthenticationManager getAuthenticationManager() {
    return authenticationManager;
}

public void setAuthenticationManager(AuthenticationManager authenticationManager) {
    this.authenticationManager = authenticationManager;
}

/**
 * {@inheritDoc}
 */
@Override
public boolean processUserAuthentication(UserEntity user) {
    try {
        Authentication request = new UsernamePasswordAuthenticationToken(user.getUserName(), user.getPassword());
        Authentication result = authenticationManager.authenticate(request);
        // Publish the authenticated token to the current security context
        SecurityContextHolder.getContext().setAuthentication(result);
        return true;
    } catch (AuthenticationException ex) {
        // Failed login: show the reason as a JSF error message
        FacesContext.getCurrentInstance().addMessage(null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR, ex.getMessage(), "Sorry"));
        return false;
    }
}
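I don't know how to get it working via JAXB or SOAP. For example:
Backend REST class:
Code:
import java.io.StringReader;
import javax.xml.bind.JAXB;

public class UserAuthServiceImpl implements RestUserAuthService {

    @Override
    public Response login(final String xmlRequestString) {
        // Wrap the payload in a Reader: JAXB.unmarshal(String, Class) would treat the string as a URI or file name
        Request request = JAXB.unmarshal(new StringReader(xmlRequestString), Request.class);
        UserAuthRequest userAuthRequest = request.getAuthRequest(); // contains username and password
        // Note: created with "new", so Spring does not inject an authenticationManager into this instance
        UserAuthUtil util = new UserAuthUtilImpl();
        UserAuthResponse userAuthResponse = util.login(userAuthRequest);
        Response response = new Response();
        response.setAuthResponse(userAuthResponse);
        return response;
    }
}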
And in the UserAuthUtilImpl class:
Code:
@Override
public UserAuthResponse login(final UserAuthRequest userAuthRequest) {
    String username = userAuthRequest.getUsername();
    String password = userAuthRequest.getPassword();
    UserAuthResponse userAuthResponse = new UserAuthResponse();
    userAuthResponse.setSuccess(authenticate(username, password));
    return userAuthResponse;
}

private boolean authenticate(final String username, final String password) {
    try {
        Authentication auth = new UsernamePasswordAuthenticationToken(username, password);
        Authentication authResult = authenticationManager.authenticate(auth);
        SecurityContextHolder.getContext().setAuthentication(authResult);
        return authResult.isAuthenticated();
    } catch (AuthenticationException ex) {
        // authenticate() reports bad credentials by throwing, so map that to "false" for the response
        return false;
    }
}
The backend doesn't need (I think so) in security-config.xml:
Code:
<security:http auto-config="true">
    <security:form-login login-page="/app/main" default-target-url="/app/account" />
    <security:logout logout-url="/app/logout" logout-success-url="/app/main" />
</security:http>
If I understand Spring Security right, once a user is authenticated successfully, the user credentials are stored in the session. But how do I put the credentials in the session if I only get true or false from the backend, because I can't store the SecurityContextHolder via JAXB from the backend to the frontend?
Greetings