Spring Security with Spring Web Flow
Hi,
I am looking for an example of implementing Spring Security with Spring Web Flow.
My config.xml is
Code:
<security:authentication-manager>
    <security:authentication-provider ref="daoAuthenticationProvider">
    </security:authentication-provider>
</security:authentication-manager>

<bean id="daoAuthenticationProvider"
      class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService">
        <bean class="com.framework.service.userlogin.UserLoginServiceImpl">
            <property name="userLoginDAO">
                <ref local="userLoginDAO" />
            </property>
            <property name="userRolesVwDAO">
                <ref local="userRolesVwDAO" />
            </property>
            <property name="securityRoleDAO">
                <ref local="securityRoleDAO" />
            </property>
        </bean>
    </property>
</bean>

<security:http auto-config="true" use-expressions="true">
    <security:form-login login-page="/login.faces" login-processing-url="/j_spring_security_check"
                         default-target-url="/main" authentication-failure-url=""/>
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <security:session-management invalid-session-url="/login.faces" />
</security:http>
My login.xhtml is
Code:
<!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:c="http://java.sun.com/jsp/jstl/core"
      xmlns:p="http://primefaces.prime.com.tr/ui">
    <ui:composition template="/WEB-INF/layouts/template.xhtml">
        <ui:define name="title">Login</ui:define>
        <ui:define name="menu">
        </ui:define>
        <ui:define name="heading">
        </ui:define>
        <ui:define name="body">
            <div>
                <c:if test="${not empty param.login_error}">
                    <div class="error">
                        Your login attempt was not successful, try again.<br />
                        Reason: #{sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}
                    </div>
                </c:if>
                <p:panel header="Login Information">
                    <form name="f" action="${request.contextPath}/j_spring_security_check" method="post">
                        <p>
                            User:
                            <br />
                            <c:if test="${not empty param.login_error}">
                                <c:set var="username" value="${sessionScope.SPRING_SECURITY_LAST_USERNAME}"/>
                            </c:if>
                            <input type="text" name="j_username" />
                        </p>
                        <p>
                            Password:
                            <br />
                            <input type="password" name="j_password" />
                        </p>
                        <p>
                            <input type="checkbox" name="_spring_security_remember_me"/>
                            Don't ask for my password for two weeks
                        </p>
                        <p>
                            <input name="submit" type="submit" value="Login" />
                            <input name="reset" type="reset" value="Reset" />
                            Exception : #{SPRING_SECURITY_LAST_EXCEPTION.message}
                        </p>
                    </form>
                </p:panel>
            </div>
            <p:messages></p:messages>
        </ui:define>
        <ui:define name="footer">
        </ui:define>
    </ui:composition>
</html>
My userDetailsServiceImpl.java has the method
Code:
public UserDetails loadUserByUsername(String userName)
        throws UsernameNotFoundException, AuthenticationServiceException {
    UserLogin userLogin;
    try {
        userLogin = getUserLogin(userName);
        GrantedAuthority[] userRoles = LoadGrantedAuthority(userLogin);
        if (userRoles.length == 0) {
            throw new UsernameNotFoundException(
                    "User has no GrantAuthority");
        }
        CnvgUser user = new CnvgUser(userLogin, true, true, true, true,
                userRoles);
        user.setUserLogin(userLogin);
        return user;
    } catch (UserLoginException e) {
        throw new BadCredentialsException("Invalid User Id and or Password");
    } catch (UsernameNotFoundException en) {
        String msg = "User not found";
        this.logger.error(msg, en);
        throw new UsernameNotFoundException(msg, en);
    } catch (AuthenticationException e) {
        throw new BadCredentialsException("Invalid User Id and or Password");
    }
}
When I enter an invalid user name, I get the error "Invalid User Id and or Password".
But if I enter a correct login id and an incorrect password, loadUserByUsername is executed and queries all the roles even if the pwd is incorrect. How do I prevent that? But finally BadCredentialsException is raised and I get the Bad Credentials message.
A few questions I have:
Do I need to have the ExceptionTranslationFilter in my config.xml?
Do I need to have filterChainProxy? (I need url security)
After login I need to insert/update a few tables. For this, do I need to implement AuthenticationManager?
Thanks
Vinaya