Spring Security 2.0, JSF and Authentication
Hi,
I'm trying to implement Spring Security 2.0 in combination with JSF, and I'm sticking to the following guide:
http://www.javakaffee.de/blog/2006/0...-backing-bean/ (which covers Acegi 1.0.1)
I'm pretty far right now (by means of porting it to Spring Security 2.0), which means that I'm able to login and logout correctly.
The only problem left (at least, I hope so) is that it is still possible to go to the "secured" pages without a login...
so this must be an authentication problem with org.springframework.security.intercept.web.FilterSecurityInterceptor and objectDefinitionSource?!
I'd appreciate any help. Thanks in advance.
Here are my configs:
applicationContext.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <bean id="springFilterChainProxy" class="org.springframework.security.util.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter,securityRequestFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
        </security:filter-chain-map>
    </bean>

    <!-- httpSessionContextIntegrationFilter -->
    <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
        <property name="contextClass">
            <value>org.springframework.security.context.SecurityContextImpl</value>
        </property>
    </bean>

    <!-- securityRequestFilter -->
    <bean id="securityRequestFilter" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter" />

    <!-- exceptionTranslationFilter -->
    <bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint">
            <bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
                <property name="loginFormUrl" value="/login.jsf"/>
                <property name="forceHttps" value="false"/>
            </bean>
        </property>
        <property name="accessDeniedHandler">
            <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
                <property name="errorPage" value="/accessDenied.jsf"/>
            </bean>
        </property>
    </bean>

    <!-- filterSecurityInterceptor -->
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="daoAuthenticationProvider" />
            </list>
        </property>
    </bean>

    <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
        <property name="userDetailsService">
            <bean class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
                <property name="userProperties">
                    <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
                        <property name="location" value="/WEB-INF/user.properties"/>
                    </bean>
                </property>
            </bean>
        </property>
    </bean>

    <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
            <list>
                <bean class="org.springframework.security.vote.RoleVoter"/>
                <bean class="org.springframework.security.vote.AuthenticatedVoter"/>
            </list>
        </property>
    </bean>

    <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource">
            <security:filter-invocation-definition-source path-type="ant" lowercase-comparisons="true">
                <security:intercept-url pattern="/profiles/admin/**" access="ROLE_ADMIN"/>
                <security:intercept-url pattern="/profiles/**" access="ROLE_USER,ROLE_ADMIN"/>
            </security:filter-invocation-definition-source>
        </property>
    </bean>

    <!-- Custom authenticationController -->
    <bean id="authenticationController" class="com.example.user.security.AuthenticationController" scope="session">
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
    </bean>

    <!-- These beans are optional; they aren't used by any other bean as they only listen and log -->
    <bean id="loggerListenerAuthentication" class="org.springframework.security.event.authentication.LoggerListener"/>
    <bean id="loggerListenerAuthorization" class="org.springframework.security.event.authorization.LoggerListener"/>
</beans>
web.xml (spring related parts):
Code:
<!-- Spring config -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>
<filter>
    <filter-name>RequestContextFilter</filter-name>
    <filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RequestContextFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
</filter-mapping>

<!-- Spring Security config -->
<filter>
    <filter-name>Spring Security Filter Chain Proxy</filter-name>
    <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
    <init-param>
        <param-name>targetBean</param-name>
        <param-value>springFilterChainProxy</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Spring Security Chain Proxy</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
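The wiring in the post above depends on three string matches: the `filter-mapping` name against a declared `filter`, the `targetBean` against a bean id, and each name in `filters` against a bean id; as posted, the mapping names `Spring Security Chain Proxy` while the filter is declared as `Spring Security Filter Chain Proxy`. The following check is an added example, not part of the original post; its function names are hypothetical and the two documents are constructed, trimmed copies of the posted files.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copies of the web.xml and applicationContext.xml posted above.
WEB_XML = """<web-app>
  <filter>
    <filter-name>Spring Security Filter Chain Proxy</filter-name>
    <init-param><param-name>targetBean</param-name>
      <param-value>springFilterChainProxy</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>Spring Security Chain Proxy</filter-name></filter-mapping>
</web-app>"""

APP_CTX = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <bean id="springFilterChainProxy">
    <security:filter-chain-map path-type="ant">
      <security:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter,securityRequestFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
    </security:filter-chain-map>
  </bean>
  <bean id="httpSessionContextIntegrationFilter"/> <bean id="securityRequestFilter"/>
  <bean id="exceptionTranslationFilter"/> <bean id="filterSecurityInterceptor"/>
</beans>"""

def _named(root, name):
    # Match on local name so namespaced and plain documents both work.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]
def _child_text(el, name):
    return next(((c.text or "").strip() for c in _named(el, name)), "")

def unmapped_filter_names(web_xml):
    """<filter-mapping> names that match no declared <filter> (exact compare)."""
    root = ET.fromstring(web_xml)
    declared = {_child_text(f, "filter-name") for f in _named(root, "filter")}
    return [n for m in _named(root, "filter-mapping")
            if (n := _child_text(m, "filter-name")) not in declared]

def unresolved_beans(web_xml, app_ctx):
    """targetBean values and filter-chain entries that name no bean id."""
    ctx = ET.fromstring(app_ctx)
    ids = {b.get("id") for b in _named(ctx, "bean")}
    wanted = [_child_text(p, "param-value")
              for p in _named(ET.fromstring(web_xml), "init-param")
              if _child_text(p, "param-name") == "targetBean"]
    for chain in _named(ctx, "filter-chain"):
        wanted += [f.strip() for f in chain.get("filters", "").split(",") if f.strip()]
    return [w for w in wanted if w not in ids]

if __name__ == "__main__":
    print(unmapped_filter_names(WEB_XML), unresolved_beans(WEB_XML, APP_CTX))
```

Both functions return an empty list when every name resolves, so they can gate a build or a deployment review.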
Spring Security + JSF Articles
I am in the process of trying to integrate JSF, Spring Web Flow, and Spring Security myself. While trying to find some pointers on how to accomplish this I came across this posting (as well as many others) and decided that I should pass along some of the information I found.
A recent article on Java World covers JSF and Acegi integration:
http://www.javaworld.com/javaworld/j...acegi-jsf.html
The above article references an article on the IBM Developer Works site, which also covers JSF and Acegi integration and which I think is very helpful:
http://www.ibm.com/developerworks/ja...rary/j-acegi4/
I am still in the process of applying this to Spring Security (as opposed to Acegi) and my particular application, but these articles seem to provide some good hints at how to make JSF and Spring Security work together. There are several other links I found, but there seem to be some issues with those implementations. I will try to post back my results when I get something working.