authorizationManager and JSF2 issue

[jbegham]

Hi Spring Security Experts,

acutally I am struggling with a simply JavaServer Faces 2.0 and Spring 3.1 integration. I am new to Spring Security and therefor it might be a silly issue, but for me it is a real showstopper so far.

Spring and Spring Security configuration went well so far. The security URL filtering works but after trying to authorize the user via my own login page, I'm struggling with authorizationManager. It seems that it is not well bound and I cannot figure out, how to access the authorizationManager.
I get a nullpointer exception if I try to access it from within my AuthenticationService (marked red below), so I am not able to wire it correctly.

Here is what I did

web.xml (spring relevant section)

Code:

<context-param>
  <param-name>contextConfigLocation</param-name>
     <param-value>
         /WEB-INF/spring-config.xml
         /WEB-INF/spring-security.xml
     </param-value>
</context-param>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
           <dispatcher>REQUEST</dispatcher>
	   <dispatcher>FORWARD</dispatcher>
</filter-mapping>

spring-config.xml

Code:

<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
		<property name="driverClassName" value="com.mysql.jdbc.Driver"></property>
		<property name="url" value="jdbc:mysql://localhost:3306/testDB"></property>
		<property name="username" value="test"></property>
		<property name="password" value="test"></property>
	</bean>
	<bean id="sessionFactory"
		class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
		<property name="dataSource">
			<ref bean="dataSource" />
		</property>
		<property name="hibernateProperties">
			<props>
				<prop key="hibernate.dialect">
					org.hibernate.dialect.MySQLDialect
				</prop>
			</props>
		</property>
	</bean>

spring-security.xml

Code:

<http auto-config="true">
		<intercept-url pattern="/pages/admin/*"
			access="ROLE_ADMIN" />
		<intercept-url pattern="/pages/*" access="ROLE_USER" />
		<form-login login-page="/login.faces"
			authentication-failure-url="/loginfailed.faces" />
	</http>

	<authentication-manager alias="authenticationManager">
		<authentication-provider>
			<user-service>
				<user name="john" password="secret" authorities="ROLE_USER, ROLE_ADMIN" />
			</user-service>
		</authentication-provider>
	</authentication-manager>

login.xhtml

Code:

<h:form>
  <h2>Please login first</h2>
  <p>Username</p>
  <p><h:inputText required="true" value="#{loginBean.username}"/></p>
  <p>Password</p>
  <p><h:inputText required="true" value="#{loginBean.password}"/></p>
  <p><h:commandButton type="submit" id="login" action="#{loginBean.login}" value="login"/></p>
</h:form>

LoginBean.java

Code:

@ManagedBean(name = "loginBean")
@RequestScoped
public class LoginBean extends AbstractBeanBase {

	@ManagedProperty(value = "#{authenticationService}")
	private IAuthenticationService	authenticationService;

	private String					username			= null;

	private String					password			= null;

	public String login() {

		boolean success = authenticationService.login(username, password);

		if (success) {
			return "welcome.xhtml"; 
		} else {
			FacesContext.getCurrentInstance()
					.addMessage(null, new FacesMessage("Login or password wrong."));
			return "login.xhtml";
		}
	}

	public String getUsername() {
		return username;
	}

	public void setUsername(String username) {
		this.username = username;
	}

	public String getPassword() {
		return password;
	}

	public void setPassword(String password) {
		this.password = password;
	}

	public void setAuthenticationService(IAuthenticationService authenticationService) {
		this.authenticationService = authenticationService;
	}
}

AuthenticationService.java

Code:

@ManagedBean(name = "authenticationService")
@SessionScoped
public class AuthenticationService implements IAuthenticationService {
	
	@Resource (name = "authenticationManager")
	private AuthenticationManager authenticationManager; 
	@Override
	public boolean login(String username, String password) {
		try {
			Authentication authenticate = authenticationManager
					.authenticate(new UsernamePasswordAuthenticationToken(
							username, password));
			if (authenticate.isAuthenticated()) {
				SecurityContextHolder.getContext().setAuthentication(
						authenticate);				
				return true;
			}
		} catch (AuthenticationException e) {			
		}
		return false;
	}

	@Override
	public void logout() {
		SecurityContextHolder.getContext().setAuthentication(null);
	}

}

Instead of using @Resource I also have tried @ManagedProperty, which also fails, but directly during applicaiton startup.


Hopefully anybody knows what went wrong.


Thanks in advance
John

[Rob Winch]

Is it just Spring Security that you are unable to inject or is everything? What does your JSF configuration look like (i.e. are you using SpringBeanFacesELResolver. I would suggest running the webflow-primefaces-showcase sample which can be found in Spring Web Flow as a starting point. It also has additional information about integrating Spring Security with JSF.

[jbegham]

Hi Rob,

thanks for the reply. I checked out the primefaces-exmaple and I have seen that there is an additional listener in their web.xml

Code:

<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>

After putting it in changing @Ressource to @ManagedPropoerty and then creatingmy getter/setters for the authenticationManager in my AutenthicationService class, authenticationManager now is injected (seen in debugger as org.springframework.security.authentication.Provid erManager) and no longer null

AutenticationService.java

Code:

import javax.faces.bean.ManagedBean;
import javax.faces.bean.ManagedProperty;
import javax.faces.bean.SessionScoped;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;


@ManagedBean(name = "authenticationService")
@SessionScoped
public class AuthenticationService implements IAuthenticationService {

    @ManagedProperty (value="#{authenticationManager}")
    private AuthenticationManager authenticationManager; 
    
    @Override
    public boolean login(String username, String password) {
        try {
            Authentication authenticate = authenticationManager
                    .authenticate(new UsernamePasswordAuthenticationToken(
                            username, password));
            if (authenticate.isAuthenticated()) {
                SecurityContextHolder.getContext().setAuthentication(
                        authenticate);                
                return true;
            }
        } catch (AuthenticationException e) {            
        }
        return false;
    }

    @Override
    public void logout() {
        SecurityContextHolder.getContext().setAuthentication(null);
    }

    
    public AuthenticationManager getAuthenticationManager() {
        return authenticationManager;
    }

    
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }
}

So thanks again for providing the link to the examples.
John