
  • Problem PrettyFaces + Spring security

    Hello guys

    I am trying to clean my URLs, so I decided to use the framework PrettyFaces
    Everything is working well, except the login page !!
    If I do not put rules I can log in without any issues, but as soon as I am adding rules to clean the login page, I have the error : Bad Credential exception.

    So it is working with this configuration :

    In the web-security.xml

    Code:
    	<http auto-config="true"  >
    			
    		<!-- Login page -->			
    		<form-login 
    			login-page='/pages/login.jsf'
    			default-target-url="/pages/redirect.jsp"  />
    			
    			<logout logout-success-url="/pages/login.jsf"/>
    			
    		<!-- ANY AUTHENTIFIED USER -->
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    
    		
    	</http>
    
    
     ......
    And as soon as I do that :

    Code:
    	<http auto-config="true"  >
    			
    		<!-- Login page -->			
    		<form-login 
    			login-page='/Login'
    			default-target-url="/pages/redirect.jsp"  />
    			
    			<logout logout-success-url="/Login"/>
    			
    
    		<!-- ANY AUTHENTIFIED USER -->
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />		
    	</http>
    Pretty-Faces.xml

    Code:
    	<url-mapping id="Login">
    		<pattern value="/Login" /> 
    		<view-id>/pages/login.jsf</view-id>
    	</url-mapping>
    I have the error !

    First thing, if I try to go to http://mywebapp:0000/Login with this configuration the browser is flashing (like there is a redirection problem), so in order to have access to the page I have to add in the web-security.xml :

    Code:
    <intercept-url pattern="/Login" filters="none" />
    After that I can try to log in and I have the error of the Bad Credentials :/

    My bean :

    Code:
    public void doLogin() throws IOException, ServletException {

        // Build the Spring Security login URL; the values are appended as-is
        // (not URL-encoded).
        String rep = new StringBuilder("/j_spring_security_check?j_username=")
                .append(this.getEmail()).append("&j_password=").append(
                        this.getPassword()).append(
                        "&_spring_security_remember_me=off").toString();

        ExternalContext context = FacesContext.getCurrentInstance()
                .getExternalContext();

        // Forward the current request to the Spring Security filter chain.
        RequestDispatcher dispatcher = ((ServletRequest) context
                .getRequest()).getRequestDispatcher(rep);

        dispatcher.forward((ServletRequest) context.getRequest(),
                (ServletResponse) context.getResponse());

        // Tell JSF that the response has already been produced.
        FacesContext.getCurrentInstance().responseComplete();
    }

    My listener :

    Code:
    public void beforePhase(PhaseEvent arg0) {

        /*
         * Before render response phase, grab any authentication errors
         * generated by the Spring Security filters and create a faces message
         * for the GUI.
         */
        Exception e = (Exception) FacesContext.getCurrentInstance()
                .getExternalContext().getSessionMap().get(
                        WebAttributes.AUTHENTICATION_EXCEPTION);

        if (e != null) {
            /*
             * Add the error message to the FacesContext for display in the
             * rich:messages component.
             */

            if (e instanceof BadCredentialsException) {

                // Clear the stored exception so it is reported only once.
                FacesContext.getCurrentInstance().getExternalContext()
                        .getSessionMap().put(
                                WebAttributes.AUTHENTICATION_EXCEPTION, null);
                Utils.addErrorMessage(Utils.getProp().getProperty(
                        "SpringSecurity.badCredentials"));

            } else {
                Utils.addErrorMessage(Utils.getProp().getProperty(
                        "Login.unexpectedError"));
            }
        }

    }

    Any clue ? I have been on this issue for 2 days and I do not know what to do !!!

    Thank you !

  • #2
    Any ideas

    Comment


    • #3
      "Bad Credentials" just means there was an authentication failure - you will find this referenced throughout the forum history.

      Without more analysis, such as a stacktrace, some indication of what you are authenticating against, your configuration, debug log output etc, then nobody will be able to provide much useful feedback.

      Have you tried using a debugger, for example? Given the exception stacktrace, you should be able to debug right into the relevant Spring Security code.

      Comment


      • #4
        Ok

        Thanks !! I did not think of giving more details !!!!

        Ok so first, I am using :

        Spring Security 3.0.3
        Spring 3.0.3
        JDK 1.6.21
        Hibernate
        Richfaces 3.3.3
        Pretty Faces 3.0.1
        Apache Tomcat 6.0.24

        So here are my configurations :

        Pretty-Faces.xml

        Code:
        <pretty-config xmlns="http://ocpsoft.com/prettyfaces/2.0.4" 
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                       xsi:schemaLocation="http://ocpsoft.com/prettyfaces/2.0.4
                                           		http://ocpsoft.com/xml/ns/prettyfaces/ocpsoft-pretty-faces-2.0.4.xsd">
        	
        	<url-mapping id="Login">
        		<pattern value="/Login/" /> 
        		<view-id>/pages/login.jsf</view-id>
        	</url-mapping>
        ...
        </pretty-config>
        My Web.xml

        Code:
        <?xml version="1.0" encoding="UTF-8"?>
        <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
          <context-param>
            <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
            <param-value>.xhtml</param-value>
          </context-param>
          <context-param>
            <param-name>facelets.REFRESH_PERIOD</param-name>
            <param-value>2</param-value>
          </context-param>
          <context-param>
            <param-name>facelets.DEVELOPMENT</param-name>
            <param-value>true</param-value>
          </context-param>
          <context-param>
            <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
            <param-value>client</param-value>
          </context-param>
          <context-param>
            <param-name>com.sun.faces.validateXml</param-name>
            <param-value>true</param-value>
          </context-param>
          <context-param>
            <param-name>com.sun.faces.verifyObjects</param-name>
            <param-value>true</param-value>
          </context-param>
          <context-param>
            <param-name>org.ajax4jsf.SKIN</param-name>
            <param-value>darkX</param-value>
          </context-param>
          <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
          </listener>
          <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
          </filter>
          <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>REQUEST</dispatcher>
          </filter-mapping>
          <filter>
            <filter-name>Pretty Filter</filter-name>
            <filter-class>com.ocpsoft.pretty.PrettyFilter</filter-class>
          </filter>
          <filter-mapping>
            <filter-name>Pretty Filter</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>ERROR</dispatcher>
          </filter-mapping>
          <filter>
            <display-name>Ajax4jsf Filter</display-name>
            <filter-name>ajax4jsf</filter-name>
            <filter-class>org.ajax4jsf.Filter</filter-class>
            <init-param>
              <param-name>createTempFiles</param-name>
              <param-value>true</param-value>
            </init-param>
          </filter>
          <filter-mapping>
            <filter-name>ajax4jsf</filter-name>
            <servlet-name>Faces Servlet</servlet-name>
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>INCLUDE</dispatcher>
          </filter-mapping>
          <listener>
            <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
          </listener>
          <servlet-mapping>
            <servlet-name>Faces Servlet</servlet-name>
            <url-pattern>*.jsf</url-pattern>
          </servlet-mapping>
          <welcome-file-list>
            <welcome-file>index.jsp</welcome-file>
          </welcome-file-list>
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Secured Application</web-resource-name>
              <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
          </security-constraint>
          <login-config>
            <auth-method>BASIC</auth-method>
          </login-config>
        </web-app>
        And my web-application-security.xml

        Code:
        <?xml version="1.0" encoding="UTF-8"?>
        <beans:beans xmlns="http://www.springframework.org/schema/security"
          xmlns:beans="http://www.springframework.org/schema/beans"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.springframework.org/schema/beans 
                   http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                   http://www.springframework.org/schema/security 
                   http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 
        	<http auto-config="true"  >
        			
        		<!-- Login page -->			
        		<form-login 
        			login-page='/Login/'
        			default-target-url='/pages/redirect.jsp'  />
        		<logout logout-success-url='/Login/'/>
        			
                     <intercept-url pattern="/Login/" filters="none" />	
        	</http>
        
        	<authentication-manager alias="authenticationManager">
        	    <authentication-provider user-service-ref="userDetailsService" >
        	    	<password-encoder hash="sha"/>
        	    </authentication-provider>
        	</authentication-manager>
          
        	<!-- Enable @Secured Annotations  -->
        	<global-method-security 
        		secured-annotations="enabled"
        		jsr250-annotations="enabled" />
        	
        	<beans:bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        		<beans:property name="dataSource" ref="0dataSource" />
        		<beans:property name="usersByUsernameQuery">
        			<beans:value>
        				select USR_EMAIL,USR_PASSWORD,USR_ACTIVE FROM user u
        				where (u.USR_EXPIRATION_DATE &gt; CURDATE() OR u.USR_EXPIRATION_DATE is null)
        				and u.USR_EMAIL=?
        			</beans:value>
        		</beans:property>
        	</beans:bean>
        </beans:beans>
        I have the following stack :

        Code:
        org.springframework.security.authentication.BadCredentialsException: Bad credentials
        	at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:127)
        	at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
        	at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
        	at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:148)
        	at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
        	at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:97)
        	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
        	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
        	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:57)
        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
        	at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:109)
        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
        	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
        	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        	at 
         ...
        The login/password are stored in the DB.

        Yes I debugged but there is nothing to see, the login and password are correct before I forward the request to spring security then after I am ending up with the bad credential exception in the listener.

        Hope it helps a little bit !!!
        Last edited by denebj; Aug 20th, 2010, 03:55 PM.

        Comment


        • #5
          You have a stacktrace, so take a look at the code.

          The user isn't being found - the UsernameNotFoundException is hidden by default to avoid leaking information to the client.

          Break the problem down - the faces stuff is just adding extra complexity. Write a test case which loads the part of your application context that contains the AuthenticationManager, and call the bean directly (passing a UsernamePasswordAuthenticationToken instance to it). Make sure you can get that working before you add the web stuff.

          Comment
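
Added example, not part of the thread: one way to write the test case suggested in #5 against the configuration posted in #4, using JUnit 4 and spring-test. The context file locations, the hypothetical test-datasource.xml (which must define the data source bean the security file references) and the test account are assumptions.

```java
// Added example, not code from the thread. Assumed: the context file locations,
// the hypothetical test-datasource.xml and the constructed test account below.
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = {
        "file:src/main/webapp/WEB-INF/web-application-security.xml", // assumed path
        "classpath:test-datasource.xml" })                           // hypothetical
public class AuthenticationManagerTest {

    private static final String EMAIL = "test.user@example.com"; // constructed
    private static final String PASSWORD = "test-password";      // constructed

    @Autowired @Qualifier("authenticationManager")
    private AuthenticationManager authenticationManager;

    @Autowired @Qualifier("userDetailsService")
    private UserDetailsService userDetailsService;

    // Step 1: call the UserDetailsService directly. A UsernameNotFoundException
    // thrown here is not converted to BadCredentialsException, so its message shows.
    @Test
    public void userIsLoadedAndStoredHashMatches() {
        UserDetails user = userDetailsService.loadUserByUsername(EMAIL);
        // <password-encoder hash="sha"/> with no salt source: same check as the provider.
        assertTrue("stored hash does not match the SHA encoding of the password",
                new ShaPasswordEncoder().isPasswordValid(user.getPassword(), PASSWORD, null));
    }

    // Step 2: the call UsernamePasswordAuthenticationFilter makes, without the web layer.
    @Test
    public void authenticationManagerAcceptsCredentials() {
        Authentication result = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(EMAIL, PASSWORD));
        assertTrue(result.isAuthenticated());
    }
}
```

If step 1 passes and step 2 fails, the difference lies in the provider configuration rather than in the user lookup; if both pass, the failure is introduced by the web layer.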
