ICEfaces 1.7 with Spring Security 2.0.2 (almost full working just few problems...)

[dreampeppers99]

Hi everybody,

I've been working with ICEfaces 1.7.0 and trying to found the perfect/easier way to implement authentication/authorization over jsf applications, then I discovery this article (amazing by the way)
http://www.javaworld.com/javaworld/j...acegi-jsf.html.

But the article was made to use of Acegi Security 1.0.x and I want to use the 2.0.4, so I make the "changes" (most just changes is just rename the packages org.acegisecurity to org.springframework.security) to get it working.
[After read, read fix, read and fix...]

Well I got it working, at least my tomcat console doesn't say anything wrong/warn and I try to lauch the application and the page is the login.jsp (Well done!!!) but when I got acess.... see the history bellow

My configurations

my web.xml

Code:

	<filter>
 		<filter-name>RequestContextFilter</filter-name>
 		<filter-class>
 			org.springframework.web.filter.RequestContextFilter
 		</filter-class>
 	</filter>



	<filter>
		<filter-name>Acegi Filter Chain Proxy</filter-name>
		<filter-class>
			org.springframework.security.util.FilterToBeanProxy
		</filter-class>
		<init-param>
			<param-name>targetClass</param-name>
			<param-value>
				org.springframework.security.util.FilterChainProxy
			</param-value>
		</init-param>
	</filter>

	<filter-mapping>
		<filter-name>Acegi Filter Chain Proxy</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>FORWARD</dispatcher>
     	<dispatcher>REQUEST</dispatcher>	
	</filter-mapping>
	
	 
 	<filter-mapping>
 		<filter-name>RequestContextFilter</filter-name>
 		<servlet-name>Persistent Faces Servlet</servlet-name>
 	</filter-mapping>
	

	<listener>
		<listener-class>
			org.springframework.web.context.ContextLoaderListener
		</listener-class>
	</listener>

My Context Application xml

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:aop="http://www.springframework.org/schema/aop"
	xmlns:jee="http://www.springframework.org/schema/jee"
	xmlns:lang="http://www.springframework.org/schema/lang"
	xmlns:tx="http://www.springframework.org/schema/tx"
	xmlns:util="http://www.springframework.org/schema/util"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
		http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.1.xsd
		http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.0.xsd
		http://www.springframework.org/schema/lang http://www.springframework.org/schema/lang/spring-lang-2.0.xsd
		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.1.xsd
		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd">


	<bean id="filterChainProxy"
		class="org.springframework.security.util.FilterChainProxy">
		<property name="filterInvocationDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT 
				/error/*=#NONE# 
				/back*=#NONE#
				/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
			</value>
		</property>
	</bean>

	<bean id="httpSessionContextIntegrationFilter"
		class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />

	<bean id="authenticationProcessingFilter"
		class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
		<property name="filterProcessesUrl">
			<value>/j_acegi_security_check.jsp</value>
		</property>
		<property name="authenticationFailureUrl">
			<value>/login.jsp</value>
		</property>
		<property name="defaultTargetUrl">
			<value>/index.jsp</value>
		</property>
		<property name="authenticationManager">
			<ref bean="authenticationManager" />
		</property>
	</bean>


	<bean id="securityContextHolderAwareRequestFilter"
		class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter" />

	<bean id="authenticationManager"
		class="org.springframework.security.providers.ProviderManager">
		<property name="providers">
			<list>
				<ref local="daoAuthenticationProvider" />
			</list>
		</property>
	</bean>

	<bean id="daoAuthenticationProvider"
		class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
		<property name="userDetailsService" ref="userDetailsService" />
	</bean>



	<bean id="userDetailsService"
		class="br.com.paarquivos.servico.ServicoUsuario">
	</bean>


	<bean id="filterInvocationInterceptor"
		class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager"
			ref="authenticationManager" />
		<property name="accessDecisionManager"
			ref="accessDecisionManager" />
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/login.jsp=IS_AUTHENTICATED_ANONYMOUSLY
				/index.jsp=ROLE_ALLACCESS,ROLE_URLACCESS
				/oportunidade.jsp=ROLE_ALLACCESS
			</value>
		</property>
	</bean>


	<bean id="accessDecisionManager"
		class="org.springframework.security.vote.AffirmativeBased">
		<property name="allowIfAllAbstainDecisions" value="false" />
		<property name="decisionVoters">
			<list>
				<bean
					class="org.springframework.security.vote.RoleVoter" />
				<bean
					class="org.springframework.security.vote.AuthenticatedVoter" />
			</list>
		</property>
	</bean>




	<bean id="anonymousProcessingFilter"
		class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
		<property name="key" value="changeThis" />
		<property name="userAttribute"
			value="anonymousUser,ROLE_ANONYMOUS" />
	</bean>



	<bean id="exceptionTranslationFilter"
		class="org.springframework.security.ui.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint">
			<bean
				class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
				<property name="loginFormUrl" value="/login.jsp" />
				<property name="forceHttps" value="false" />
			</bean>
		</property>
		<property name="accessDeniedHandler">
			<bean
				class="org.springframework.security.ui.AccessDeniedHandlerImpl">
				<property name="errorPage" value="/acessonegado.jsp" />
			</bean>
		</property>
	</bean>



	<bean id="logoutFilter"
		class="org.springframework.security.ui.logout.LogoutFilter">
		<constructor-arg value="/index.jsp" />
		<constructor-arg>
			<list>
				<bean
					class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
			</list>
		</constructor-arg>
		<property name="filterProcessesUrl">
			<value>/j_acegi_logout.jsp</value>
		</property>
	</bean>

</beans>

I try to start on index.jsp and the application redirect me to login.jsp, Good PERFECT!!! However... when I click to logon ... I got the follow error just on console... and the page is showed is a blank one.

The console error:

Code:

SEVERE: Servlet.service() for servlet Persistent Faces Servlet threw exception
java.lang.NullPointerException
	at com.icesoft.faces.application.D2DViewHandler.renderResponse(D2DViewHandler.java:454)
	at com.icesoft.faces.application.D2DViewHandler.renderView(D2DViewHandler.java:161)
	at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:107)
	at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:268)
	at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:137)
	at com.icesoft.faces.webapp.http.core.JsfLifecycleExecutor.apply(JsfLifecycleExecutor.java:18)
	at com.icesoft.faces.webapp.http.core.ReceiveSendUpdates.renderCycle(ReceiveSendUpdates.java:54)
	at com.icesoft.faces.webapp.http.core.ReceiveSendUpdates.service(ReceiveSendUpdates.java:42)
	at ...

If I change the url to localhost:8080/myapp/index.jsp the the follow error is showed on the page. (and redirect to login.jsp)

The error trace on page.

Code:

...
	javax.faces.FacesException: Can't find stream for /j_acegi_security_check.jsp
	com.icesoft.faces.application.D2DViewHandler.renderResponse(D2DViewHandler.java:468)
	com.icesoft.faces.application.D2DViewHandler.renderView(D2DViewHandler.java:161)
	com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:107)
	com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:268)
	...
	java.lang.NullPointerException
	com.icesoft.faces.application.D2DViewHandler.renderResponse(D2DViewHandler.java:454)
	com.icesoft.faces.application.D2DViewHandler.renderView(D2DViewHandler.java:161)
	com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:107)

When I put a breakpoint on method that authenticate the user ( on daoimplementation) I've noted that the program doesn't pass there, therefore I guess the logic to "login" isn't executed... but why? Thus if the "authenticate method" isn't called something is not right.

Sometimes I feel like that the problem is on this /j_acegi_security_check.jsp

What can I do?

Thanks in advance,

[dreampeppers99]

Just an observation... the code bellow

<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>

Make the IDE eclipe claims.
"The content of element type "filter-mapping" must match "(filter-name,(url-pattern|servlet-name))".

On web.xml.... this is necessary?

[Luke Taylor]

Check you are using a web.xml DTD which includes the "dispatcher" element.

[dreampeppers99]

I'm using the http://java.sun.com/dtd/web-app_2_3.dtd DTD...

Just to be more clear my login page: (when I try to access a protected url the framework sends to this page)

Code:

<h:form>
      <h:panelGrid columns="2">
            <h:outputLabel value="User Name" for="j_username" />
            <h:inputText id="j_username" 
            value="#{loginBacking.userId}"  size="40" maxlength="80"></h:inputText>
            <h:outputLabel value="Password" for="j_password" />
            <h:inputSecret id="j_password" 
                value="#{loginBacking.password}" size="40" maxlength="80"
                redisplay="true"></h:inputSecret>
        </h:panelGrid>
        <h:commandButton action="login" value="Login" />
        
        <ice:messages id="messages" layout="table" globalOnly="true"
                showSummary="true" showDetail="false" />
    </h:form>

My login button is mapped to navigation case:

Code:

<navigation-rule>
	        <from-view-id>/login.jsp</from-view-id>
	        <navigation-case>
	                <from-outcome>login</from-outcome>
	                <to-view-id>/j_acegi_security_check.jsp</to-view-id>
	        </navigation-case>
	</navigation-rule>
		
		<navigation-rule>
        <from-view-id>*</from-view-id>
        <navigation-case>
                <from-outcome>logout</from-outcome>
                <to-view-id>/j_acegi_logout.jsp</to-view-id>
        </navigation-case>
</navigation-rule>

[dreampeppers99]

Check you are using a web.xml DTD which includes the "dispatcher" element.

Just changing the dtd it will work? Which dtd I need to use?
THanks in advance,

[Luke Taylor]

Just look at the DTD for the 2.3 web.xml - it doesn't have the dispatcher element.

If you want your XML editor to work properly you should use an XML DTD or schema which is valid for the file you are editing. Try using the 2.4 specification and DTD or XSD and you shouldn't have the problem with eclipse.

[dreampeppers99]

I fix the DTD scheme but the "problem" (almost untrackable) persist...
I guess the integration between these framework is very unclean, hard ... I couldn't get any answer, so I try to create a filter (javax.servlet.Filter implements) and make all this with "the hands" is possible?

[user]--has-->[role]---take access--->[resources]

user{john, pwd, roleadm}
role{roleadm}
resources{roleadm,buy.jsf}
resources{roleadm,sell.jsf}
resources{roleadm,reports.jsf}

I imagine use it based on url scheme.
But how I can discovery the url from request... (and so take a decision based on role from user, on session managed bean)

public class MySecurityFilter implements Filter{
doFilter(res, req) {
//how can I deal with the url from request....
}
}

[dreampeppers99]

I'm still thinking that it was happening because of "j_acegi_security_check.jsp". I said it because the application is loaded by tomcat and none error or warning is showed and the user is sent to login.jsp page, but when Try to login it doesn't works... you can mark a breakpoint on method (userdetailservice) and the application doesn't reach there.... maybe this scheme "j_acegi_security_check" has changed or the ICEFaces has something 'more' to do (ps: I already post it on official ICEFaces forum)....

[Luke Taylor]

Why do you have a "j_acegi_security_check.jsp" ? Disclaimer: I don't know anything about icefaces etc.

[dreampeppers99]

Why do you have a "j_acegi_security_check.jsp" ? Disclaimer: I don't know anything about icefaces etc.

(I think that knoledgement 'bout icefaces is not required... or the icefaces has something really especific, I saw a spring security like a "security" indepent... but logically I can be wrong... anyway)

Thanks so much Luke, for your atention!!!

Well I follow the article, as I said before.
And in this article they use a filter to authenticaion process that requires a filterProcessUrl and the url was that. (I don't have this jsp on my project, I guess it is offered by spring security framework). I imagine that a request is sent to this url (by navigation case) and the spring security handle it.. but it isn't happening.

My (slice) appcontext.xml

Code:

<bean id="authenticationProcessingFilter"
		class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
		<property name="filterProcessesUrl">
			<value>/j_acegi_security_check.jsp</value>
		</property>
...

The same "thing" is made for the logout process /j_acegi_logout.jsp

Code:

<bean id="logoutFilter"
		class="org.springframework.security.ui.logout.LogoutFilter">
		<constructor-arg value="/index.jsp" />
		<constructor-arg>
			<list>
				<bean
					class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
			</list>
		</constructor-arg>
		<property name="filterProcessesUrl">
			<value>/j_acegi_logout.jsp</value>
		</property>
	</bean>