Hello,

I develop a modular webapp. One part of this is a JSF webapp, the frontend, which contains only views with controllers and a service layer (REST client and SOAP client), running on JBoss. Another part, the backend, provides web services (REST server, SOAP services) and holds the connection to the database. The frontend doesn't have the possibility to connect to a database.

My question/problem:

Authentication has to be performed from a login page (frontend) via a REST service or SOAP to the backend. The backend has to connect to the database to check the credentials, respond with the result to the frontend and store it in the session. In a single webapp it is not a problem. There I use a security-config.xml like this:

Code:
<security:http auto-config="true">
    <security:form-login login-page="/app/main" default-target-url="/app/account" />
    <security:logout logout-url="/app/logout" logout-success-url="/app/main" />
</security:http>

<security:authentication-manager>
    <security:authentication-provider user-service-ref="userService">
        <security:password-encoder ref="encoder" />
    </security:authentication-provider>
</security:authentication-manager>

<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userService" />
    <!-- without this property the provider compares plaintext, so SHA-512 hashes from the DB never match -->
    <property name="passwordEncoder" ref="encoder" />
    <property name="hideUserNotFoundExceptions" value="false" />
</bean>

<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg>
        <ref bean="daoAuthenticationProvider" />
    </constructor-arg>
</bean>

<bean id="encoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
    <constructor-arg value="512" />
</bean>
in bean.xml :

Code:
<bean id="userAuthenticationProviderService" class="de.relo.services.impl.UserAuthenticationProviderServiceImpl">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>
and a java class :

Code:
...
private AuthenticationManager authenticationManager;

public AuthenticationManager getAuthenticationManager() {
    return authenticationManager;
}

// injected from bean.xml (property "authenticationManager")
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
    this.authenticationManager = authenticationManager;
}

/**
 * {@inheritDoc}
 */
@Override
public boolean processUserAuthentication(UserEntity user) {
    try {
        Authentication request = new UsernamePasswordAuthenticationToken(user.getUserName(), user.getPassword());
        Authentication result = authenticationManager.authenticate(request);
        // the filter chain persists this SecurityContext into the HTTP session at the end of the request
        SecurityContextHolder.getContext().setAuthentication(result);
        return true;
    } catch (AuthenticationException ex) {
        // ex.getMessage() is shown to the user as-is; with hideUserNotFoundExceptions=false
        // it differs between "unknown user" and "bad password"
        FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, ex.getMessage(), "Sorry"));
        return false;
    }
}
I don't know how I get it working via JAXB or SOAP. For example:

Backend REST class :

Code:
import java.io.StringReader;
import javax.xml.bind.JAXB;

public class UserAuthServiceImpl implements RestUserAuthService {

    @Override
    public Response login(final String xmlRequestString) {
        // JAXB.unmarshal(String, Class) treats the String as a URL or file name,
        // so the XML body has to be wrapped in a Reader
        Request request = JAXB.unmarshal(new StringReader(xmlRequestString), Request.class);
        UserAuthRequest userAuthRequest = request.getAuthRequest(); // contains username and password

        // note: this util needs its authenticationManager injected, otherwise authenticate() throws a NullPointerException
        UserAuthUtil util = new UserAuthUtilImpl();
        UserAuthResponse userAuthResponse = util.login(userAuthRequest);

        Response response = new Response();
        response.setAuthResponse(userAuthResponse);

        return response;
    }
}
and in the UserAuthUtilImpl class:

Code:
@Override
public UserAuthResponse login(final UserAuthRequest userAuthRequest) {
    String username = userAuthRequest.getUsername();
    String password = userAuthRequest.getPassword();
    UserAuthResponse userAuthResponse = new UserAuthResponse();
    userAuthResponse.setSuccess(authenticate(username, password));
    return userAuthResponse;
}

private boolean authenticate(final String username, final String password) {
    Authentication auth = new UsernamePasswordAuthenticationToken(username, password);
    // throws AuthenticationException on failure; authResult is then never returned
    Authentication authResult = authenticationManager.authenticate(auth);
    // in a stateless REST call this only sets the thread-local context of the backend thread;
    // nothing of it reaches the frontend session
    SecurityContextHolder.getContext().setAuthentication(authResult);
    return authResult.isAuthenticated();
}
The backend doesn't need (I think so) in security-config.xml:

Code:
<security:http auto-config="true">
    <security:form-login login-page="/app/main" default-target-url="/app/account" />
    <security:logout logout-url="/app/logout" logout-success-url="/app/main" />
</security:http>

If I understand Spring Security right, if a user is authenticated successfully, the user credentials are stored in the session. But how do I put the credentials in the session if I get only true or false from the backend, because I can't store the SecurityContextHolder via JAXB from the backend to the frontend?

Greetings
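An added example (not the poster's code) of one way to do this on the frontend: a Spring Security AuthenticationProvider that delegates the credential check to the backend REST call and, on success, returns an authenticated token, so the frontend's own filter chain stores the SecurityContext in the HTTP session and the backend's SecurityContextHolder never has to leave the backend. BackendAuthClient and the role list it returns are assumptions for this example, as is Spring Security 3.1+ for SimpleGrantedAuthority.

```java
// Added example, not the poster's code. BackendAuthClient is an assumed
// wrapper around the backend's REST login call; it is assumed to return the
// user's role names on success and null when the backend rejects the login.
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class BackendAuthenticationProvider implements AuthenticationProvider {
    /** Assumed REST client: roles on success, null if the backend says no. */
    public interface BackendAuthClient {
        List<String> login(String username, String password);
    }

    private final BackendAuthClient client;

    public BackendAuthenticationProvider(BackendAuthClient client) {
        this.client = client;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        String password = String.valueOf(authentication.getCredentials());
        List<String> roles = client.login(username, password);
        if (roles == null) {
            // one generic message for every failure, so the login page does not reveal which part was wrong
            throw new BadCredentialsException("Invalid username or password");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        // the three-argument constructor marks the token authenticated; the password is
        // replaced by null so it is never kept in the frontend session
        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register it as a bean and reference it with `<security:authentication-provider ref="backendAuthenticationProvider" />` inside `<security:authentication-manager>` instead of the user-service-ref provider; the frontend then needs neither a UserDetailsService nor a database, and the backend's REST response only has to carry the success flag plus the roles, never the password.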