5

Is there a way to integrate Spring Security 4 (Mainly for managing user access levels and which views they can access) and JSF 2?

I found this neat thing which allows you to mix both Spring Boot, and JSF 2 with PrimeFaces 5. Great stuff. I want to see if you can kick it up another level.

Normally you would configure Spring Security for Spring MVC like so:

WebSecurityConfig.java

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()

                .and()

                .formLogin()
                .loginPage("/login")
                .permitAll()

                .and()

                .logout()
                .permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("Zyst").password("password").roles("USER");
    }
}

And then those would as far as I know, do correct me if I'm mistaken, look in your MvcConfig to see what it actually means by "/home" and the like:

MvcConfig.java

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/home").setViewName("home");
        registry.addViewController("/").setViewName("home");
        registry.addViewController("/hello").setViewName("hello");
        registry.addViewController("/login").setViewName("login");
    }
}

However, I've been googling for a few hours and cannot really find a conclusive answer how to configure Spring Security for JSF. Can you implement your front end using JSF and then make that managed by Spring Security, so, for example Links, ie: localhost:8080/home instead of localhost:8080/home.xhtml are properly managed and served? And so that user levels defined in WebSecurityConfig.java can only access pages relevant to themselves.

From what I've (briefly) investigated it might not be possible due to Faces and Mvc being different technologies that don't particularly play well together. However, if possible I'd like to make sure of whether it's possible or not.

And if it IS possible, can you provide either a working example, or a link to somewhere that goes more in depth? I did google quite a bit but it's 100% possible I ended up missing something.

Any and all answers are greatly appreciated.

Aritz
  • 30,971
  • 16
  • 136
  • 217
Erick
  • 2,488
  • 6
  • 29
  • 43
  • 2
    "*However, I've been googling for a few hours and cannot really find a conclusive answer how to configure Spring Security for JSF*". Nothing different from what you do to configure Spring Security while using Spring MVC alone on top Spring. JSF can also be used on top of the Spring framework. So is Spring Security. Spring MVC and PrimeFaces in this context are stories apart (Yes, you initially tagged both of them [Spring MVC] and [PrimeFaces] for some unclear reasons). – Tiny Apr 22 '15 at 06:27

1 Answers1

8

There's no problem in using Spring Boot, Spring Security, JSF and Spring Core all together, in the end, JSF views are resolved as urls and that's what you work in Spring Security with. That's an example for the configuration in my own application, which I've pruned a bit to minimize the code amount. The code is self-explanatory:

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // Have to disable it for POST methods:
        // http://stackoverflow.com/a/20608149/1199132
        http.csrf().disable();

        // Logout and redirection:
        // http://stackoverflow.com/a/24987207/1199132
        http.logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .invalidateHttpSession(true)
                .logoutSuccessUrl(
                        "/login.xhtml");

        http.authorizeRequests()
                // Some filters enabling url regex:
                // http://stackoverflow.com/a/8911284/1199132
                .regexMatchers(
                        "\\A/page1.xhtml\\?param1=true\\Z",
                        "\\A/page2.xhtml.*")
                .permitAll()
                //Permit access for all to error and denied views
                .antMatchers("/500.xhtml", "/denied.xhtml")
                .permitAll()
                // Only access with admin role
                .antMatchers("/config/**")
                .hasRole("ADMIN")
                //Permit access only for some roles
                .antMatchers("/page3.xhtml")
                .hasAnyRole("ADMIN", "MANAGEMENT")
                //If user doesn't have permission, forward him to login page
                .and()
                .formLogin()
                .loginPage("/login.xhtml")
                .loginProcessingUrl("/login")
                .defaultSuccessUrl("/main.xhtml")
                .and().exceptionHandling().accessDeniedPage("/denied.xhtml");
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        //Configure roles and passwords as in-memory authentication
        auth.inMemoryAuthentication()
                .withUser("administrator")
                .password("pass")
                .roles("ADMIN");
        auth.inMemoryAuthentication()
                .withUser("manager")
                .password("pass")
                .roles("MANAGEMENT");
    }
}

Of course, this code works with *.xhtml suffixed urls, as they're served by the JSF Servlet. If you want to avoid this suffix, you should use a url rewriting tool as Prettyfaces. But that's another story that has already been widely discussed in StackOverflow.

Also, remember to target your login form to the configured login processing url to let Spring Security handle the authentication and redirection to your main page. What I usually do is to use a non-JSF form and apply the Primefaces styles on it:

<form id="login_form" action="#{request.contextPath}/login" method="post">
    <p>
        <label for="j_username" class="login-form-tag">User</label> <input
            type="text" id="username" name="username" class="ui-corner-all"
            required="required" />
    </p>
    <p>
        <label for="j_password" class="login-form-tag">Password</label>
        <input type="password" id="password" name="password"
            class="ui-corner-all" required="required" />
    </p>
    <p>
        <button type="submit"
            class="ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only">
            <span class="ui-button-text">Login</span>
        </button>
    </p>
</form>

See also:

Aritz
  • 30,971
  • 16
  • 136
  • 217
  • I have worked with Prettyfaces before, I agree: My question is quite mixed up, and I do apologize I'm fairly inexperienced with the Java Web stack, which leads to some silly mistakes. I was mostly wondering if I could use the MVC approach which seems pretty novel. I'll let this question sit for ~24 hours before marking you are the correct answer to see if other people have other approaches to manage this. Thanks for the answer. – Erick Apr 22 '15 at 07:01
  • How can you integrate the security taglibs with this approach? – Cenobyte321 Aug 18 '15 at 05:23
  • @Nab the same as the traditional approach, but using java to declare the context params instead of the traditional web.xml configuration. – Aritz Aug 18 '15 at 06:12
  • @XtremeBiker, yes, it actually worked with this: http://stackoverflow.com/questions/7915134/how-to-use-the-spring-security-facelets-tag-library-in-jsf/15378140#15378140 – Cenobyte321 Aug 23 '15 at 03:11