Basic Roo + GWT + Spring Security Question

[spark0r]

Hi All,

Question regarding basic Spring Security setup. I've setup a basic Roo Web App + GWT + Spring Security and am trying to get the login page to show up. At the moment I've modified the applicationContextSecurity.xml for database storage. My problem is that it does look like it's trying to redirect me to the login page to access the website now (as I expected it to) but it can't find the /login.jsp page. I'm guessing I need to setup some sort of url route to point any /login.jsp requests to src/main/webapp/WEB-INF/views/login.jsp. But a mornings worth of searches haven't turned up a whole lot of information. Would anybody here have a direction to point me for this one?

I've included the applicationContext-security.xml file below:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<global-method-security secured-annotations="enabled">
</global-method-security>

<!-- HTTP security configurations -->
<http auto-config="true">
<!-- Don't set any role restrictions on login.jsp -->
<intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />

<!-- Restrict access to ALL other pages -->
<intercept-url pattern="/**" access="ROLE_USER" />

<!-- Set the login page and what to do if login fails -->
<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" />
</http>

<!-- Configure Authentication mechanism -->
<authentication-manager alias="authenticationManager">
<!-- SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
authorities-by-username-query="select username,authority from users where username=?"/>

</authentication-provider>
</authentication-manager>

</beans:beans>

Thanks much in advance,

Ryan

[spark0r]

Hi Everybody,

So as a quick update the file is being found now. the problem was a difference of filetypes. login.jsp vs. login.jspx Anyway, now that the file is being found it's in a redirect loop. I haven't made any changes to login.jspx so I'm at a bit of a loss here, Anybody else run into this?

Thanks again,

Ryan

[spark0r]

Hi All,

so I've resolved my problems with to many redirects and finding the page and am on to a problem with the standard login.jspx supplied by "security setup". In particular the error is:

Javax.servlet.jsp.JspTagException: No message found under code 'security_login_title' for locale 'en_US'.

I'll be honest, I'm a little unclear as to the thread etiquette at this point. We've moved past my initial problem and on to others. Should I consider this thread closed and open a new one with my current problem? or just keep them all in this thread? More experienced posters thoughts?

Thanks again all,

Ryan

[ratkins]

I've been through the same cycle; if you create a Spring Securified GWT app via Roo, the generated login.jspx can't find its taglibs. Even after I cut all the taglibs out of the jspx and it renders, I still couldn't get it to work.

So I tried a different tack and created a non-GWT app via Roo and did "setup security"; everything works, with the standard flavour of JSP/HTML scaffold. I then tried to "backport" the Spring Security config (and login page) to my other demo project, so I could have the login page protecting my GWT (SmartGWT actually) page.

I've kinda got it to work but it's a bit of a mess. The structure generated under src/main/webapp is vastly different for a "pure" Roo app vs a GWT Roo app (I had to fiddle around to get my GWT .js in the right place to get served properly). And also, from what I understand from some other threads here[1], you've also got to clue GWT in on login information by putting hooks in some other places. This meshes with what I'm seeing, which is the server happily showing me my GWT pages after I've logged out unless I do a force-refresh, at which point I get bounced to the login page as expected.

So, anyone from the Spring/Roo team out there with an example of a best-practice way of getting GWT and Spring Security to play nice together?

[1] http://forum.springsource.org/showthread.php?t=58874 (and http://forum.springsource.org/showthread.php?t=82139)


Cheers, Robert.

[spark0r]

Hiyahs Robert,

Glad to know I'm not the only one that's struggled with this, hopefully there will be somebody with a bit more experience who will be able to help us both out here.

All the Best,

Ryan

[yoshiz]

Hello there,

I've been struggling with roo, gwt and spring security aswell. Has anyone of you made any progress which you would like to share with us?

Kind regards,
Jochen

[elmentecato]

I see this is an old thread, but I still see the problems outlined above in the latest Spring Roo release (1.2.0.RC1).

The issue is that the spring security configuration that is created after the "security setup" command when you have a gwt application, is basically the same for a "web mvc" application, and several assumptions are made that no longer apply. Namely, that there's a WEB-INF/tags directory, that the path "/login" redirects to "/views/login.jspx" or so, etc.

To make spring security work quickly, simply change applicationContext-security.xml by deleting the form-login tag and modifying this line:

HTML Code:

<intercept-url pattern="/**" access="permitAll" />

so that it becomes:

HTML Code:

<intercept-url pattern="/**" access="isAuthenticated()" />

what this will do, is present the default login html form that spring security has to enable you to login to your app. If you then want to have your own login page, you could start by copying the source code of this page and save it to say /login.html. Then you can add back the form-login tag and replace "/login" with "/login.html". After this, you'll want to customize your login page, and then add support for either redirecting to this page or presenting some login dialog when an asynchronous service is called and authentication/authorization is no longer valid. It'd be nice if this would be provided automatically by the "secure setup" when "web gwt setup" has been specified.

I will create an issue in Spring Roo project in JIRA, unless somebody tells me it's not necessary either because there's one already or this will be provided in 1.2.0. I wasn't able to find any issue related to this problem.