Hi,
I am looking for an example of implementing Spring Security with Spring Webflow.
My config.xml is
Code:
    <security:authentication-manager>
        <security:authentication-provider ref="daoAuthenticationProvider">
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="daoAuthenticationProvider"
          class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService">
            <bean class="com.framework.service.userlogin.UserLoginServiceImpl">
                <property name="userLoginDAO">
                    <ref local="userLoginDAO" />
                </property>
                <property name="userRolesVwDAO">
                    <ref local="userRolesVwDAO" />
                </property>
                <property name="securityRoleDAO">
                    <ref local="securityRoleDAO" />
                </property>
            </bean>
        </property>
    </bean>

    <security:http auto-config="true" use-expressions="true">
        <security:form-login login-page="/login.faces"
                             login-processing-url="/j_spring_security_check"
                             default-target-url="/main"
                             authentication-failure-url=""/>
        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
        <security:session-management invalid-session-url="/login.faces" />
    </security:http>

My login.xhtml is
Code:
    <!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml"
          xmlns:ui="http://java.sun.com/jsf/facelets"
          xmlns:c="http://java.sun.com/jsp/jstl/core"
          xmlns:p="http://primefaces.prime.com.tr/ui">
    <ui:composition template="/WEB-INF/layouts/template.xhtml">
        <ui:define name="title">Login</ui:define>
        <ui:define name="menu">
        </ui:define>
        <ui:define name="heading">
        </ui:define>
        <ui:define name="body">
            <div>
                <c:if test="${not empty param.login_error}">
                    <div class="error">
                        Your login attempt was not successful, try again.<br />
                        Reason: #{sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}
                    </div>
                </c:if>
                <p:panel header="Login Information">
                    <form name="f" action="${request.contextPath}/j_spring_security_check" method="post">
                        <p>
                            User: <br />
                            <c:if test="${not empty param.login_error}">
                                <c:set var="username" value="${sessionScope.SPRING_SECURITY_LAST_USERNAME}"/>
                            </c:if>
                            <input type="text" name="j_username" />
                        </p>
                        <p>
                            Password: <br />
                            <input type="password" name="j_password" />
                        </p>
                        <p>
                            <input type="checkbox" name="_spring_security_remember_me"/>
                            Don't ask for my password for two weeks
                        </p>
                        <p>
                            <input name="submit" type="submit" value="Login" />
                            <input name="reset" type="reset" value="Reset" />
                            Exception : #{SPRING_SECURITY_LAST_EXCEPTION.message}
                        </p>
                    </form>
                </p:panel>
            </div>
            <p:messages></p:messages>
        </ui:define>
        <ui:define name="footer">
        </ui:define>
    </ui:composition>
    </html>

My userDetailsServiceImpl.java has the method
Code:
    public UserDetails loadUserByUsername(String userName)
            throws UsernameNotFoundException, AuthenticationServiceException {
        UserLogin userLogin;
        try {
            userLogin = getUserLogin(userName);
            GrantedAuthority[] userRoles = LoadGrantedAuthority(userLogin);
            if (userRoles.length == 0) {
                throw new UsernameNotFoundException(
                        "User has no GrantAuthority");
            }
            CnvgUser user = new CnvgUser(userLogin, true, true, true, true, userRoles);
            user.setUserLogin(userLogin);
            return user;
        } catch (UserLoginException e) {
            throw new BadCredentialsException("Invalid User Id and or Password");
        } catch (UsernameNotFoundException en) {
            String msg = "User not found";
            this.logger.error(msg, en);
            throw new UsernameNotFoundException(msg, en);
        } catch (AuthenticationException e) {
            throw new BadCredentialsException("Invalid User Id and or Password");
        }
    }

When I enter an invalid user name, I get the error "Invalid User Id and or Password".
But if I enter a correct login id and an incorrect password, loadUserByUsername is executed and queries all the roles even if the password is incorrect. How do I prevent that? But finally BadCredentialsException is raised and I get the Bad Credentials message.
A few questions I have:
Do I need to have the ExceptionTranslationFilter in my config.xml?
Do I need to have filterChainProxy? (I need URL security.)
After login I need to insert/update a few tables. For this, do I need to implement AuthenticationManager?
Thanks
Vinaya

