
  • Spring Security with Spring Web Flow

    Hi,

    I am looking for an example of implementing Spring Security with Spring Webflow.

    My config.xml is

    Code:
    <security:authentication-manager >
    		<security:authentication-provider ref="daoAuthenticationProvider" >
    		</security:authentication-provider>
    	</security:authentication-manager>  
    	
    	<bean id="daoAuthenticationProvider"
    		class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    		<property name="userDetailsService">
    			<bean class="com.framework.service.userlogin.UserLoginServiceImpl">
    				<property name="userLoginDAO">
    					<ref local="userLoginDAO" />
    				</property>
    				<property name="userRolesVwDAO">
    					<ref local="userRolesVwDAO" />
    				</property>
    				<property name="securityRoleDAO">
    					<ref local="securityRoleDAO" />
    				</property>
    			
    			</bean>
    		</property>
    	</bean>
    		
    
     <security:http auto-config="true" use-expressions="true">
    		
    		<security:form-login login-page="/login.faces" login-processing-url="/j_spring_security_check" 
    		default-target-url="/main" authentication-failure-url=""/>
    		<security:intercept-url pattern="/**" access="isAuthenticated()"/>
    		<security:session-management invalid-session-url="/login.faces" />
     </security:http>
    My login.xhtml is

    Code:
    <!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml"
    	    		xmlns:ui="http://java.sun.com/jsf/facelets"
    				xmlns:c="http://java.sun.com/jsp/jstl/core"
    	  			xmlns:p="http://primefaces.prime.com.tr/ui"	>
    <ui:composition template="/WEB-INF/layouts/template.xhtml">
    
    <ui:define name="title">Login</ui:define>
    
    <ui:define name="menu">
    			
    			</ui:define>
    
    
    			<ui:define name="heading">
      
    </ui:define>
    
    <ui:define name="body">
    <div >
    	<c:if test="${not empty param.login_error}">
    		<div class="error">
    			Your login attempt was not successful, try again.<br />
    			Reason: #{sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}
    		</div>
    	</c:if>
    	<p:panel header="Login Information">
    		<form name="f" action="${request.contextPath}/j_spring_security_check" method="post">
    			<p>
    			
    				User:
    				<br />
    				<c:if test="${not empty param.login_error}">
    					<c:set var="username" value="${sessionScope.SPRING_SECURITY_LAST_USERNAME}"/>
    				</c:if>
    				<input type="text" name="j_username"  />
    			</p>
    			<p>
    				Password:
    				<br />
    				<input type="password" name="j_password" />				
    			</p>
    			<p>
    				<input type="checkbox" name="_spring_security_remember_me"/> 
    				Don't ask for my password for two weeks
    			</p>
    			<p>
    				<input name="submit" type="submit" value="Login" />
    				<input name="reset" type="reset" value="Reset" />
    				
    				Exception :  #{SPRING_SECURITY_LAST_EXCEPTION.message}
    			</p>
    		</form>
    	</p:panel>
    </div>
    <p:messages></p:messages>
    </ui:define>
    <ui:define name="footer">
    				
    			</ui:define>
    </ui:composition>
    </html>
    My userDetailsServiceImpl.java has the method

    Code:
    	public UserDetails loadUserByUsername(String userName)
    			throws UsernameNotFoundException, AuthenticationServiceException {
    		UserLogin userLogin;
    		try {
    			userLogin = getUserLogin(userName);
    			GrantedAuthority[] userRoles = LoadGrantedAuthority(userLogin);
    			if (userRoles.length == 0) {
    				throw new UsernameNotFoundException(
    						"User has no GrantAuthority");
    			} 
    			CnvgUser user = new CnvgUser(userLogin, true, true, true, true,
    					userRoles);
    			user.setUserLogin(userLogin);
    			return user;
    		} catch (UserLoginException e) {
    			throw new BadCredentialsException("Invalid User Id and or Password");
    		} catch (UsernameNotFoundException en) {
    			String msg = "User not found";
    			this.logger.error(msg, en);
    			throw new UsernameNotFoundException(msg, en);
    		} catch (AuthenticationException e) {
    			throw new BadCredentialsException("Invalid User Id and or Password");
    		}
    	}
    When I enter an invalid user name, I get the error "Invalid User Id and or Password".

    But if I enter a correct login id and an incorrect password, the loadUserByUsername is executed and queries all the roles even if the pwd is incorrect. How do I prevent that? But finally BadCredentialsException is raised and I get the Bad Credentials message.

    A few questions I have:

    Do I need to have the ExceptionTranslationFilter in my config.xml?
    Do I need to have filterChainProxy? (I need url security)
    After login I need to insert/update a few tables. For this do I need to implement AuthenticationManager?

    Thanks
    Vinaya
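
Added example, not part of the original post: DaoAuthenticationProvider calls loadUserByUsername first and compares the password afterwards, which is why the role queries run even when the password is wrong. One way to defer them is a custom AuthenticationProvider that verifies the password before loading roles; this assumes Spring Security 3.1 or later, and the class name, CredentialLookup and RoleLookup are hypothetical stand-ins for the poster's DAOs.

```java
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordFirstAuthenticationProvider implements AuthenticationProvider {
    /** Hypothetical DAO: stored password hash, or null when the user is unknown. */
    public interface CredentialLookup { String findPasswordHash(String username); }
    /** Hypothetical DAO: the role query that should run only after the password matched. */
    public interface RoleLookup { List<GrantedAuthority> findRoles(String username); }

    private final CredentialLookup credentials;
    private final RoleLookup roles;
    private final PasswordEncoder encoder;
    private final String dummyHash; // compared against when the user does not exist

    public PasswordFirstAuthenticationProvider(CredentialLookup credentials, RoleLookup roles,
                                               PasswordEncoder encoder) {
        this.credentials = credentials;
        this.roles = roles;
        this.encoder = encoder;
        this.dummyHash = encoder.encode("constructed-placeholder-value");
    }

    @Override
    public Authentication authenticate(Authentication auth) {
        String username = auth.getName();
        String presented = auth.getCredentials() == null ? "" : auth.getCredentials().toString();
        String stored = credentials.findPasswordHash(username);
        // Always run the encoder so unknown and known users cost about the same time.
        boolean matches = encoder.matches(presented, stored != null ? stored : dummyHash);
        if (stored == null || !matches) {
            throw new BadCredentialsException("Invalid User Id and or Password");
        }
        // Roles are queried only now, after the password has been verified.
        List<GrantedAuthority> granted = roles.findRoles(username);
        if (granted.isEmpty()) { // same message as above: do not reveal which check failed
            throw new BadCredentialsException("Invalid User Id and or Password");
        }
        return new UsernamePasswordAuthenticationToken(username, null, granted);
    }
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

A bean of this class would be referenced from the same `<security:authentication-provider ref="..."/>` element the post uses for daoAuthenticationProvider.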