
  • Losing Authentication after Login

    Hi,

    I am using Spring Security 3.0, Web Flow 2.1 and PrimeFaces.

    I am using daoAuthenticationProvider.
    I have a couple of questions here.

    1) In my security.xml, I have

    Code:
    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="converge/login*" filters="none"/>
        <security:intercept-url pattern="converge/**" access="isAuthenticated()"/>
        <security:logout logout-url="/j_spring_security_logout" logout-success-url="/converge/login"/>
        <security:session-management invalid-session-url="/index.html"/>
    </security:http>
    I assume that, the
    Code:
    <security:session-management invalid-session-url="/index.html" />
    helps me getting back to /index.html after logout. That didn't happen. I had to include sessionTimeoutFilter to check if the session valid on each request.

    Is my assumption correct? If yes, why was I not going back to index.html?

    2) on Login, I call LoginController and set the authority to the SecurityContextHolder. On Login, the flow changes to a different flow. My Authentication is lost.
    Why??

    Thanks for any advice
    Vinaya

  • #2
    Originally posted by vinaya
    I assume that, the
    Code:
    <security:session-management invalid-session-url="/index.html" />
    helps me getting back to /index.html after logout. That didn't happen. I had to include sessionTimeoutFilter to check if the session valid on each request.

    Is my assumption correct? If yes, why was I not going back to index.html?
    The attribute invalid-session-url detects if an expired session was submitted to the browser. In the case of logout, there is no session. It sounds like you want logout-success-url.

    Originally posted by vinaya
    2) on Login, I call LoginController and set the authority to the SecurityContextHolder. On Login, the flow changes to a different flow. My Authentication is lost.
    Why??
    You cannot use filters=none on the URL where you are setting the SecurityContextHolder (i.e. converge/login) because if you do, the SecurityContextPersistenceFilter will not be invoked and will not save the SecurityContext across the session. Additionally, using filters=none causes the application to have a memory leak since the SecurityContextHolder does not get cleared at the end of the request. Instead you should use something like access="permitAll".


    • #3
      Hi Rob,
      Thanks for your quick response.

      <security:session-management invalid-session-url="/index.html" />
      The attribute invalid-session-url detects if an expired session was submitted to the browser. In the case of logout, there is no session. It sounds like you want logout-success-url.
      I am not going back to index.html after login even when I have logout-success-url="index.html"

      My flow as follows
      1. Welcome page is index.html

      index.html

      Code:
        <meta http-equiv="Refresh" content="0; URL=converge/login">
      login.xml

      Code:
      <flow xmlns="http://www.springframework.org/schema/webflow"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://www.springframework.org/schema/webflow 
            http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd"
            parent="menunavigation" >
      	
      	
      	<view-state id="loginPage">
      		<transition on="authenticate" to="checkAuthentication" >
      			
      		</transition>		
      		<transition on="reset" to=""/>	
      	</view-state>  
      	
      	
      	<action-state id="checkAuthentication">   
      		<evaluate expression="loginController.authenticate()" result="flowScope.isCredentialsValid"/>  
      		<transition to="checkCredentialsValid" />  
      	</action-state> 
      	
      	<decision-state id="checkCredentialsValid">
              <if test="flowScope.isCredentialsValid" then="main" else="loginPage"/>
          </decision-state>	
      	
      </flow>
      LoginController bean in xml is

      Code:
      <bean id="loginController"
            class="com.converge.framework.view.common.bean.auth.LoginBean">
        <property name="authenticationManager" ref="authenticationManager"></property>
      </bean>

      LoginBean.java
      Code:
      import java.io.Serializable;

      import javax.faces.application.FacesMessage;
      import javax.faces.context.FacesContext;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import javax.servlet.http.HttpSession;

      import org.springframework.security.authentication.AuthenticationManager;
      import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
      import org.springframework.security.core.Authentication;
      import org.springframework.security.core.context.SecurityContext;
      import org.springframework.security.core.context.SecurityContextHolder;
      import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

      public class LoginBean implements Serializable {
          private String username;
          private String password;
          private AuthenticationManager authenticationManager;

          public LoginBean() {
              super();
          }

          public String getUsername() {
              return username;
          }

          public void setUsername(String username) {
              this.username = username;
          }

          public String getPassword() {
              return password;
          }

          public void setPassword(String password) {
              this.password = password;
          }

          public AuthenticationManager getAuthenticationManager() {
              return authenticationManager;
          }

          public void setAuthenticationManager(AuthenticationManager authenticationManager) {
              this.authenticationManager = authenticationManager;
          }

          public void reset() {
              this.username = null;
              this.password = null;
          }

          public boolean authenticate() {
              // Drop any Authentication left in the holder before the new attempt.
              SecurityContextHolder.clearContext();
              try {
                  // The posted code used authReq without defining it; a token built
                  // from the submitted form fields is assumed here.
                  final Authentication authReq =
                          new UsernamePasswordAuthenticationToken(getUsername(), getPassword());
                  final Authentication auth = getAuthenticationManager().authenticate(authReq);
                  // Initialize the security context. getContext() never returns null,
                  // so the null check from the posted code is not needed.
                  final SecurityContext secCtx = SecurityContextHolder.getContext();
                  secCtx.setAuthentication(auth);
                  System.out.println("secCtx :" + secCtx);
              } catch (Exception e) {
                  FacesContext.getCurrentInstance().addMessage(null,
                          new FacesMessage("Invalid Login:", "User Name or Password are incorrect"));
                  e.printStackTrace();
                  return false;
              }
              return true;
          }

          public void logout() {
              final HttpServletRequest request = getRequest();
              final HttpServletResponse response = getResponse();
              try {
                  System.out.println("In Logout :" + SecurityContextHolder.getContext());
                  // Simulate the SecurityContextLogoutHandler.
                  SecurityContextLogoutHandler contextLogoutHandler = new SecurityContextLogoutHandler();
                  // Configure the handler before calling logout() so the setting takes effect.
                  contextLogoutHandler.setInvalidateHttpSession(true);
                  contextLogoutHandler.logout(request, response,
                          SecurityContextHolder.getContext().getAuthentication());
                  System.out.println("In Logout 111 :" + SecurityContextHolder.getContext());

                  // The handler has usually invalidated the session already, so
                  // getSession(false) can return null here.
                  final HttpSession session = request.getSession(false);
                  if (session != null) {
                      session.invalidate();
                  }
                  System.out.println("secCtx 1111:" + SecurityContextHolder.getContext().getAuthentication());
              } catch (Exception e1) {
                  // Report the failure instead of building a message and discarding it.
                  System.out.println("Could not log out " + e1.getMessage());
              }
          }

          private HttpServletRequest getRequest() {
              return (HttpServletRequest) FacesContext.getCurrentInstance()
                      .getExternalContext().getRequest();
          }

          private HttpServletResponse getResponse() {
              return (HttpServletResponse) FacesContext.getCurrentInstance()
                      .getExternalContext().getResponse();
          }
      }
      global flow:

      Code:
      <?xml version="1.0" encoding="UTF-8"?>
      <flow xmlns="http://www.springframework.org/schema/webflow"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://www.springframework.org/schema/webflow 
            http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd"  
            abstract="true">
      	
      	
      	<end-state id="main" view="flowRedirect:main" />
      	<end-state id="stock" view="flowRedirect:stock" />   
      	<end-state id="supply" view="flowRedirect:supply" />
      	<end-state id="logout" view="externalRedirect:/j_spring_security_logout"></end-state>
      	<global-transitions>		
      		<transition on="loginPage" to="login" />
      		<transition on="searchStock" to="stock"/>
      		<transition on="intro" to="main"/>
      		<transition on="goSupply" to="supply"/>	
      		<transition on="logout" to="logout"/>	
      	</global-transitions>
      	
      	
      	
      </flow>
      I am getting to the loginPage
      When I login passing userId and Pwd, the user is authenticated correctly if not I get an error on the loginPage itself.

      After successful login, I will be redirected to main flow

      My main flow is
      Code:
      	<view-state id="intro">
      		<transition on="login" to="login">           
              </transition>
      	</view-state>
      The transition here is dummy, there is no action on the intro page.
      intro.xhtml
      Code:
         <ui:composition template="../../layouts/template.xhtml">
          	
      <ui:define name="title">
       
      </ui:define>
      
      			<ui:define name="menu">	
      				<ui:include src="../../layouts/TopMenu.xhtml" />
      			</ui:define>
      			
      			<ui:define name="heading">
      Welcome
      </ui:define>
      			<ui:define name="body">
      	<div class="section">
      	
      
      	Test : #{SPRING_SECURITY_LAST_USERNAME} :  #{SPRING_SECURITY_CONTEXT}
      
      	Request Path :${request.servletPath}
      
      
      <h:messages></h:messages>
      </ui:define>
      </ui:composition>
      
      </html>
      TopMenu.xhtml
      Code:
      	
      	<h:form id="menu">	
      
      <table width="100%">
      <tr>
      <td>
      Name: #{SPRING_SECURITY_LAST_USERNAME}
      #{p:ifGranted('USERADMIN')}
      <p:menubar effect="NONE"  styleClass="wijmo-wijmenu-horizontal">
      	<p:submenu label="Search" rendered="#{p:ifGranted('USERADMIN')}">
      			<p:menuitem value="Stock" url="stock"  />
      			<p:menuitem value="Supply" url="supply"/>		
      	</p:submenu>	
      	<p:menuitem value="Logout" url="logout"  />			
      </p:menubar>
      
      
      
      </td>
      <td>						
      </td>									
      </tr>				
      </table>
      
          
      </h:form>
      </ui:composition>
      Even if the user has the USERADMIN role, the menu is not shown.
      After coming into main, the SecurityContextHolder.getContext().getAuthentication() is null.
      Logout.xml
      Code:
      	
      	<on-start>
      		<evaluate expression="loginController.logout()" ></evaluate>
      						
      	</on-start>
      I am not sure, if I need to do this?? When I logout, I am invalidating the session

      Code:
      public void logout() {
          final HttpServletRequest request = getRequest();
          final HttpServletResponse response = getResponse();
          try {
              System.out.println("In Logout :" + SecurityContextHolder.getContext());

              SecurityContextLogoutHandler contextLogoutHandler = new SecurityContextLogoutHandler();
              // Configure the handler before calling logout() so the setting takes effect.
              contextLogoutHandler.setInvalidateHttpSession(true);
              contextLogoutHandler.logout(request, response,
                      SecurityContextHolder.getContext().getAuthentication());
              System.out.println("In Logout 111 :" + SecurityContextHolder.getContext());

              // The handler has usually invalidated the session already, so
              // getSession(false) can return null here.
              final HttpSession session = request.getSession(false);
              if (session != null) {
                  session.invalidate();
              }
              System.out.println("secCtx 1111:" + SecurityContextHolder.getContext().getAuthentication());
          } catch (Exception e1) {
              // Report the failure instead of building a message and discarding it.
              System.out.println("Could not log out " + e1.getMessage());
          }
      }

      private HttpServletRequest getRequest() {
          return (HttpServletRequest) FacesContext.getCurrentInstance()
                  .getExternalContext().getRequest();
      }

      private HttpServletResponse getResponse() {
          return (HttpServletResponse) FacesContext.getCurrentInstance()
                  .getExternalContext().getResponse();
      }
      But I still can see the SecurityContextHolder.getContext() to be not null but authentication is null and the flow stays in intro.xhtml.

      After logout, as the logout was successful, I expect the flow go back to index.html.
      What is not correct here??

      Thanks
      Vinaya


      • #4
        If you want the logout-success-url to be triggered by Spring Security you need to delegate to Spring security for logout by redirecting the browser to the logout url. The instructions for this can be found on this thread. If you are handling logout on your own, then you will need to do the redirect after logout.

        Cheers,


        • #5
          Hi Rob,

          My authentication was persistent after I added "securityContextPersistenceFilter" and also included the

          Code:
           <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
          	<security:filter-chain-map path-type="regex">
          		<security:filter-chain pattern="/converge/*" filters="
          		securityContextPersistenceFilter,
          		exceptionTranslationFilter" /> 
          	</security:filter-chain-map>
            </bean>
          Now when I logout, if I do not have my sessiontimeoutFilter, I do not go to the invalid-session-url="/index.html".
          Do I need to add any other listener to my web.xml to make this effective??
          Like HttpSessionEventPublisher??

          Thanks
          Vinaya


          • #6
            Is there a reason you have moved to using the filter-chain-map instead of using the http configuration? While filter-chain-map is a lot more flexible it is also a lot more complicated.

            I'm not sure what your current configuration is, but the session-management@invalid-session-url creates a SessionManagementFilter. The SessionManagementFilter then does its best to determine if someone's session has expired. This might happen if a user leaves the application open for an extended period of time and are logged out due to inactivity. If session timeout is detected it sends the user to the invalid-session-url. If you still have this configuration, you should not need any other configuration. However, if you have moved to configuring the filter-chain-map directly, then you will need to add the SessionManagementFilter.


            • #7
              Hi Rob,

              I added filter-chain-map to implement securityContextPersistenceFilter.
              Without that my Authentication was returning null.

              I am using Spring3.0, Webflow 2.1 and Primefaces.
              I was also not able to get the
              #{SPRING_SECURITY_LAST_USERNAME} or
              #{SPRING_SECURITY_CONTEXT}

              I tried ${SPRING_SECURITY_CONTEXT} too with $.
              ${request.servletPath} this has a value though. I also was wondering where these are documented. In another example I saw, #{sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}.

              Thanks
              Vinaya


              • #8
                Originally posted by vinaya
                I added filter-chain-map to implement securityContextPersistenceFilter.
                Without that my Authentication was returning null.
                The SecurityContextPersistenceFilter gets added when you use the http namespace, so I'm not sure how using filter-chain-map fixed your issue. It is more likely that you are invoking the filters on the login url. As I mentioned earlier you probably should use the namespace configuration and specify access="permitAll" instead of using filters="none" for the login url.

                Originally posted by vinaya
                I am using Spring3.0, Webflow 2.1 and Primefaces.
                I was also not able to get the
                #{SPRING_SECURITY_LAST_USERNAME} or
                #{SPRING_SECURITY_CONTEXT}

                I tried ${SPRING_SECURITY_CONTEXT} too with $.
                ${request.servletPath} this has a value though. I also was wondering where these are documented. In another example I saw, #{sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}.
                Judging from the filter-chain-map you specified it does not appear that you are using the UsernamePasswordAuthenticationFilter which populates the SPRING_SECURITY_LAST_USERNAME in session. If you are authenticating in some other way, then you will need to keep track of the username password yourself. Similarly, the SPRING_SECURITY_LAST_EXCEPTION attribute is populated using the SimpleUrlAuthenticationFailureHandler within UsernamePasswordAuthenticationFilter. If you are not using it, then you will need to keep track of the error message yourself.

                I'm not sure where you saw the SPRING_SECURITY_CONTEXT attribute as that is not a web attribute I am aware of. Typically you can obtain the context using the SpringSecurityContextHolder. You can also access the current Authentication using the jsp tag library.


                • #9
                  Hi Rob,

                  I am not sure, what am I missing.
                  Session time out does not work either with name space. Do you think web flow might be doing something here??


                  Vinaya


                  • #10
                    What is the configuration you are using? If you are using the filter-chain-map configuration you last posted, there is nothing in there to manage session expiration. What is the behavior you are seeing (please provide detailed steps)? What is the behavior you expect?


                    • #11
                      Hi Rob,

                      After I login, while redirecting to the main flow, my authentication is lost for some reason. I totally don't understand why my authentication is lost. To make it persistent, I used securityContextPersistenceFilter.

                      My security configuration is

                      Code:
                       <security:http auto-config="true" use-expressions="true" >
                      		<security:intercept-url pattern="converge/login*" access="permitAll"/>
                      		<security:intercept-url pattern="converge/**" access="isAuthenticated()"/>
                      		<security:logout   logout-url="/j_spring_security_logout" logout-success-url="/index.html" />
                      		<security:session-management invalid-session-url="/index.html" />	
                       </security:http>
                      I am looking for the below
                      1. user login takes the user to a welcome page, which is intro.xhtml in my case
                      2. Based on the user roles (ADMIN,TRDER, etc) the menus will be displayed. The menu.xhtml is included in the template
                      3. On logout, session should be cleared and the user should be sent back to the index.html which will redirect to login page.

                      Thanks
                      Vinaya


                      • #12
                        Originally posted by vinaya
                        I am looking for the below
                        1. user login takes the user to a welcome page, which is intro.xhtml in my case
                        2. Based on the user roles (ADMIN,TRDER, etc) the menus will be displayed. The menu.xhtml is included in the template
                        3. On logout, session should be cleared and the user should be sent back to the index.html which will redirect to login page.
                        What URLs are being requested? What happens instead? Did you try turning up logging for Spring Security? What do your logs look like? What does your web.xml look like?


                        • #13
                          The Login url is
                          http://localhost:8080/Booking/conver...execution=e1s1

                          The main url is
                          http://localhost:8080/Booking/conver...execution=e2s1

                          I see only one statement from Spring Security
                          Code:
                          10:41:02,393  [,]  DEBUG [org.springframework.security.authentication.ProviderManager] Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
                          after this I see
                          Code:
                          10:41:02,393  [,]  DEBUG [org.springframework.orm.ibatis.SqlMapClientTemplate] Opened SqlMapSession [com.ibatis.sqlmap.engine.impl.SqlMapSessionImpl@1189b1d] for iBATIS operation
                          10:41:02,393  [,]  DEBUG [org.springframework.jdbc.datasource.DataSourceUtils] Fetching JDBC Connection from DataSource
                          10:41:07,128  [,]  DEBUG [java.sql.Connection] {conn-100000} Connection
                          10:41:07,143  [,]  DEBUG [org.springframework.orm.ibatis.SqlMapClientTemplate] Obtained JDBC Connection [[email protected]] for iBATIS operation
                          10:41:07,846  [,]  DEBUG [java.sql.Connection] {conn-100000} Preparing Statement:           select USER_ID, ACTIVE_IND, USER_TYPE_CODE, SECURITY_ROLE, EMPLOYEE_CODE, BUYER_IND, SELLER_IND,       OEM_PURCH_MGR_IND, OEM_SALES_MGR_IND, COMPANY_NAME, SECURITY_ANSWER     from NECXADM.USER_LOGIN                      where                (                             LOGIN =             ?                                    )                              
                          10:41:08,096  [,]  DEBUG [java.sql.PreparedStatement] {pstm-100001} Executing Statement:           select USER_ID, ACTIVE_IND, USER_TYPE_CODE, SECURITY_ROLE, EMPLOYEE_CODE, BUYER_IND, SELLER_IND,       OEM_PURCH_MGR_IND, OEM_SALES_MGR_IND, COMPANY_NAME, BUSINESS_TYPE_CODE, ACCOUNT_CODE,       SECURITY_ANSWER     from USER_LOGIN                      where                (                             LOGIN =             ?                                    )                              
                          10:41:08,643  [,]  DEBUG [org.springframework.orm.ibatis.SqlMapClientTemplate] Opened SqlMapSession [com.ibatis.sqlmap.engine.impl.SqlMapSessionImpl@4e1c94] for iBATIS operation
                          10:41:08,987  [,]  INFO  [STDOUT] secCtx :[email protected]eb1cb: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@ce2eb1cb: Principal: com.framework.persistent.acegiext.userdetails.CnvgUser@0: Username: JEVANS; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: USERADMIN; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: B31860E7EBD259C09AF79DBDC13F5C36; Granted Authorities: USERADMIN
                          
                          10:41:09,003  [,]  DEBUG [org.springframework.webflow.execution.AnnotatedAction] Clearing action execution attributes map[[empty]]
                          10:41:09,003  [,]  DEBUG [org.springframework.webflow.execution.ActionExecutor] Finished executing [EvaluateAction@1e37ad5 expression = loginController.authenticate(), resultExpression = flowScope.isCredentialsValid]; result = yes
                          10:41:09,003  [,]  DEBUG [org.springframework.webflow.engine.Transition] Executing [Transition@f4c45 on = *, to = checkCredentialsValid]
                          10:41:09,003  [,]  DEBUG [org.springframework.webflow.engine.Transition] Exiting state 'checkAuthentication'
                          10:41:09,003  [,]  DEBUG [org.springframework.webflow.engine.DecisionState] Entering state 'checkCredentialsValid' of flow 'login'
                          10:41:09,003  [,]  DEBUG [org.springframework.webflow.engine.Transition] Executing [Transition@5885a4 on = flowScope.isCredentialsValid, to = main]
                          10:41:09,003  [,]  DEBUG [org.springframework.webflow.engine.Transition] Exiting state 'checkCredentialsValid'
                          10:41:09,003  [,]  DEBUG [org.springframework.webflow.engine.EndState] Entering state 'main' of flow 'login'
                          10:41:09,003  [,]  DEBUG [org.springframework.webflow.execution.ActionExecutor] Executing [email protected]31
                          10:41:09,003  [,]  DEBUG [org.springframework.webflow.execution.ActionExecutor] Executing [email protected]468117
                          10:41:09,018  [,]  DEBUG [org.springframework.webflow.execution.ActionExecutor] Finished executing [email protected]468117; result = success
                          10:41:09,018  [,]  DEBUG [org.springframework.webflow.execution.ActionExecutor] Finished executing [email protected]31; result = success
                          10:41:09,018  [,]  DEBUG [org.springframework.webflow.engine.Transition] Completed transition execution.  As a result, the flow execution has ended
                          10:41:09,018  [,]  DEBUG [org.springframework.webflow.engine.Transition] Completed transition execution.  As a result, the flow execution has ended
                          10:41:09,018  [,]  DEBUG [org.springframework.webflow.engine.Transition] Completed transition execution.  As a result, the flow execution has ended
                          10:41:09,018  [,]  DEBUG [org.springframework.webflow.execution.repository.impl.DefaultFlowExecutionRepository] Removing flow execution '[Ended execution of 'login']' from repository
                          10:41:09,018  [,]  DEBUG [org.springframework.webflow.conversation.impl.SessionBindingConversationManager] Ending conversation 1
                          10:41:09,018  [,]  DEBUG [org.springframework.webflow.conversation.impl.SessionBindingConversationManager] Unlocking conversation 1
                          10:41:09,018  [,]  DEBUG [org.springframework.webflow.mvc.servlet.FlowHandlerAdapter] Sending flow definition redirect to '/Booking/converge/main'
                          My web.xml

                          Code:
                          <?xml version="1.0" encoding="UTF-8"?>
                          <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
                           
                           <context-param>
                              <param-name>contextConfigLocation</param-name>
                              <param-value>/WEB-INF/web-application-config.xml</param-value>
                            </context-param>
                            <context-param>
                              <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
                              <param-value>.xhtml</param-value>
                            </context-param>
                            <context-param>
                          	<param-name>primefaces.THEME</param-name>
                          	<param-value>blitzer</param-value>
                            </context-param>  
                            <listener>
                              <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
                            </listener>
                            
                            <!-- 
                          		SPRING MVC
                          	-->
                            
                            
                            <servlet>
                              <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
                              <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
                              <init-param>
                                <param-name>contextConfigLocation</param-name>
                                <param-value />
                              </init-param>
                              <load-on-startup>2</load-on-startup>
                            </servlet>
                            
                            
                            <servlet>
                              <servlet-name>Faces Servlet</servlet-name>
                              <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
                              <load-on-startup>1</load-on-startup>
                            </servlet>
                            <!-- Just here so the JSF implementation can initialize -->
                            
                            <servlet-mapping>
                              <servlet-name>Faces Servlet</servlet-name>
                              <url-pattern>*.faces</url-pattern>
                            </servlet-mapping>
                           
                           
                          	
                          	<filter>
                          	<filter-name>extensionsFilter</filter-name>
                          	<filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>
                              <init-param>
                                  <param-name>uploadMaxFileSize</param-name>
                                  <param-value>20m</param-value>        
                              </init-param>
                          </filter>
                          
                          <!-- extension mapping for adding <script/>, <link/>, and other resource tags to JSF-pages  -->
                          <filter-mapping>
                              <filter-name>extensionsFilter</filter-name>
                                 <servlet-name>Faces Servlet</servlet-name>
                          </filter-mapping>
                          
                          <!-- extension mapping for serving page-independent resources (javascript, stylesheets, images, etc.)  -->
                            <filter-mapping>
                          		<filter-name>extensionsFilter</filter-name>
                          		<url-pattern>*.faces</url-pattern>
                          	</filter-mapping>
                          	<filter-mapping>
                          		<filter-name>extensionsFilter</filter-name>
                          		<url-pattern>/faces/*</url-pattern>
                          	</filter-mapping>
                          	 <filter-mapping>
                          		<filter-name>extensionsFilter</filter-name>
                          		<url-pattern>/converge/*</url-pattern>		
                          	</filter-mapping>
                          	
                          	
                          
                          <filter>
                          	<filter-name>springSecurityFilterChain</filter-name>
                          	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
                          </filter>
                          <filter-mapping>
                          	<filter-name>springSecurityFilterChain</filter-name>
                           <servlet-name>/converge/*</servlet-name>
                          </filter-mapping>
                          
                          
                          
                          <!-- 
                            		Spring Security Facelets tag library declaration 
                            	-->
                           <!--  	<context-param>
                            		<param-name>javax.faces.FACELETS_LIBRARIES</param-name>
                            		<param-value>/WEB-INF/springsecurity.taglib.xml</param-value>
                            	</context-param> --> 
                          
                             
                          <!-- 
                          	<listener>
                          		<listener-class>
                          			com.converge.framework.SessionListener
                          		</listener-class>
                          	</listener>
                          	<filter>
                          		<filter-name>SessionTimeoutFilter</filter-name>
                          		<filter-class>com.converge.framework.SessionTimeoutFilter</filter-class>
                          	</filter>
                          	
                          	<filter-mapping>
                          		<filter-name>SessionTimeoutFilter</filter-name>
                          		<url-pattern>/converge/*</url-pattern>	
                          	</filter-mapping>
                           -->
                          </web-app>


                          • #14
                            What URL are you requesting for logout?

                            Originally posted by vinaya
                            Code:
                            <filter-mapping>
                            	<filter-name>springSecurityFilterChain</filter-name>
                             <servlet-name>/converge/*</servlet-name>
                            </filter-mapping>
                            The filter-mapping for springSecurityFilterChain should be the first one in your web.xml (i.e before extensionsFilter). It should also map to the url of /*.

                            Code:
                            <filter-mapping>
                              <filter-name>springSecurityFilterChain</filter-name>
                              <url-pattern>/*</url-pattern>
                            </filter-mapping>
                            If I were you I would start trying to run one of the sample applications. Once you get one of them working, try to modify it to do what you want. At that point it should be a matter of plugging it into your existing application.

                            Comment
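Added example, not part of the thread or of Spring Security: a small Python lint for the two configuration mistakes diagnosed in replies #2 and #14 (filters="none" on the login URL, and a springSecurityFilterChain mapping that is not first, not on /*, or written with servlet-name). The function names and finding codes are hypothetical, and the XML samples are constructed, condensed from the files posted above.

```python
"""Lint a web.xml and a Spring Security http config for the mistakes in this thread."""
import xml.etree.ElementTree as ET

CHAIN = "springSecurityFilterChain"


def _local(tag):
    """Strip the XML namespace so '{ns}filter-mapping' matches 'filter-mapping'."""
    return tag.rsplit("}", 1)[-1]


def _values(elem, name):
    """Text of every direct child element called `name`."""
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return (code, detail) findings about the springSecurityFilterChain mapping."""
    root = ET.fromstring(xml_text)
    mappings = [e for e in root if _local(e.tag) == "filter-mapping"]
    names = [(_values(m, "filter-name") or [""])[0] for m in mappings]
    if CHAIN not in names:
        return [("NO_MAPPING", "no filter-mapping for " + CHAIN)]
    findings = []
    first = names.index(CHAIN)
    if first > 0:
        # Filters run in filter-mapping order, so anything listed earlier
        # executes before the security chain sees the request.
        earlier = ", ".join(dict.fromkeys(names[:first]))
        findings.append(("NOT_FIRST", "mapped after: " + earlier))
    patterns = []
    for mapping, name in zip(mappings, names):
        if name != CHAIN:
            continue
        patterns += _values(mapping, "url-pattern")
        for servlet in _values(mapping, "servlet-name"):
            # A URL pattern typed into <servlet-name> matches no servlet,
            # so the chain is never applied.
            if "/" in servlet or "*" in servlet:
                findings.append(("PATTERN_IN_SERVLET_NAME", servlet))
    if "/*" not in patterns:
        findings.append(("NOT_ALL_URLS", "url-patterns: " + (", ".join(patterns) or "none")))
    return findings


def audit_security_xml(xml_text):
    """Flag intercept-url entries that bypass the whole filter chain."""
    root = ET.fromstring(xml_text)
    return [("FILTERS_NONE", e.get("pattern", ""))
            for e in root.iter()
            if _local(e.tag) == "intercept-url" and e.get("filters") == "none"]


# Constructed samples, condensed from the configuration posted in the thread.
WEB_XML_AS_POSTED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter-mapping>
    <filter-name>extensionsFilter</filter-name>
    <url-pattern>/converge/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <servlet-name>/converge/*</servlet-name>
  </filter-mapping>
</web-app>"""

WEB_XML_FIXED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>extensionsFilter</filter-name>
    <url-pattern>/converge/*</url-pattern>
  </filter-mapping>
</web-app>"""

_SECURITY_TEMPLATE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="converge/login*" %s/>
    <security:intercept-url pattern="converge/**" access="isAuthenticated()"/>
  </security:http>
</beans>"""
SECURITY_XML_AS_POSTED = _SECURITY_TEMPLATE % 'filters="none"'
SECURITY_XML_FIXED = _SECURITY_TEMPLATE % 'access="permitAll"'

if __name__ == "__main__":
    for label, findings in (
        ("web.xml as posted", audit_web_xml(WEB_XML_AS_POSTED)),
        ("web.xml fixed", audit_web_xml(WEB_XML_FIXED)),
        ("security.xml as posted", audit_security_xml(SECURITY_XML_AS_POSTED)),
        ("security.xml fixed", audit_security_xml(SECURITY_XML_FIXED)),
    ):
        print(label, "->", findings or "ok")
```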


                            • #15
                              Thanks Rob,

                              I changed my order of the filters and everything is working fine.
                              Thanks a lot

                              Vinaya
