
I'm trying to integrate Spring Security 5.1.4.RELEASE into an already working JSF 2.2 / PrimeFaces 6.1 app in order to secure it. When I try to access the protected page "logged.xhtml", Spring triggers and takes me to the login page "login.xhtml", so Spring seems to work fine.

The problem is that once I have configured Spring, all PrimeFaces p:commandLink components stop working (and some "action" methods in other PrimeFaces components). The standard JSF components ( xmlns:h="http://java.sun.com/jsf/html" ) like "h:outputLink" continue working, but an h:commandButton with f:ajax fails too.

I don't see why the PrimeFaces components, or the JSF ones with f:ajax, are broken...

This is my faces-config.xml:

<application>
    <el-resolver>org.springframework.web.jsf.el.SpringBeanFacesELResolver</el-resolver>

    <resource-bundle>
        <base-name>messages</base-name>
        <var>msg</var>
    </resource-bundle>

    <message-bundle>messages</message-bundle>

    <locale-config>
        <default-locale>en</default-locale>
        <supported-locale>en</supported-locale>
        <supported-locale>es</supported-locale>
    </locale-config>
</application>

This is my web.xml:

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

<context-param>
    <description>State saving method: 'client' or 'server' (=default). See JSF Specification 2.5.2</description>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>

<context-param>
    <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
    <param-value>resources.application</param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    <param-value>.xhtml</param-value>
</context-param>

<context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Production</param-value>
</context-param>

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

<welcome-file-list>
    <welcome-file>index.xhtml</welcome-file>
</welcome-file-list>

This is my security initializer:

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Registers the springSecurityFilterChain so it runs in front of the Faces Servlet.
public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {

}

This is my security configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // In-memory users for testing; withDefaultPasswordEncoder() is documented as demo-only.
        auth.inMemoryAuthentication()
            .withUser(User.withDefaultPasswordEncoder().username("admin").password("1234").roles("ADMIN").build());
        auth.inMemoryAuthentication()
            .withUser(User.withDefaultPasswordEncoder().username("usu").password("1234").roles("NORMAL").build());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is left at its default (enabled); only authorization rules are set here.
        http
            .authorizeRequests()
                .antMatchers("/logged.xhtml").authenticated()
                .anyRequest().permitAll()
                .and()
            .formLogin()
                .loginPage("/login.xhtml").defaultSuccessUrl("/logged.xhtml").failureUrl("/error.xhtml")
                .permitAll()
                .and()
            .logout().logoutUrl("/logout")
                .permitAll();
    }

}

EDIT:

After checking the browser console I see that every time I press any Primefaces link/button the following error appears:

XHR POST localhost:8080/springtest/index.xhtml [HTTP/1.1 403 Forbidden 2ms]

I believe that there is a problem with the permissions, but after reviewing my SecurityConfig file I don't see the problem.

The following line should restrict the access to the protected page:

.antMatchers("/logged.xhtml").authenticated()

And this line should allow ALL traffic on the rest of the pages:

.anyRequest().permitAll()

What am I doing wrong?

Any suggestion?

Thanks in advance!

PS: let me know whether you need any further information about the project

  • Checked the browser console? And browser network tab? Why not? Tried using a search engine? What did you find? Did it help? See [ask] – Kukeltje Jul 11 '19 at 20:21
  • And you did not notice the PrimeFaces components losing look and feel? – Kukeltje Jul 11 '19 at 20:28
  • Hi! I have searched on Google a lot, but the JSF-Spring integration topic gives a lot of shitty results, nothing similar to what happens to me. I'm not in front of the PC right now but I will check the JavaScript console later. I believe that jQuery/JavaScript has stopped working, because it is the main difference between h:outputLink and p:commandLink – Jesus Schneider Jul 11 '19 at 20:51
  • There are no failures in the Primefaces aspect, just with some component functionalities... – Jesus Schneider Jul 11 '19 at 20:53
  • And I'm almost 100% sure the css should have failed too (unless you are using a CDN solution for the css and not for the javascript). And if there are no 40x errors in the network tab, check the source in the html of the javascript and css. Something like 'resource not found' in there where the URL of the script or css should be? – Kukeltje Jul 11 '19 at 20:57
  • https://stackoverflow.com/questions/13822978/primefaces-css-skin-not-showing-in-login-page-also-javascript-undefined-errors and https://stackoverflow.com/questions/39086947/make-jsf-resources-publicly-accessible-with-spring-security – Kukeltje Jul 11 '19 at 21:07
  • Ok, I have checked the browser console and every time I press any PrimeFaces link/button the following error appears: **XHR POST http://localhost:8080/springtest/index.xhtml [HTTP/1.1 403 Forbidden 2ms]** As you correctly stated there is a problem with the permissions, but after reviewing my SecurityConfig file I don't see the problem... The following line should restrict the access to the protected page: **.antMatchers("/logged.xhtml").authenticated()** And this line should allow ALL traffic on the rest of the pages: **.anyRequest().permitAll()** Could you tell me what I'm doing wrong? THANKS! – Jesus Schneider Jul 12 '19 at 08:50
  • Sorry, no I am not a Spring-Security user, so I have no idea, nor any incentive to try to find out... I hope someone else can/will – Kukeltje Jul 12 '19 at 09:13
  • The curious thing is that when I access some public page by writing the URL in the browser it works, but all the jQuery used by PrimeFaces components seems forbidden... – Jesus Schneider Jul 12 '19 at 09:16
  • GET vs POST... ? Inspect details about the requests that work and ones that don't. Run spring Security in debug mode.... debug... – Kukeltje Jul 12 '19 at 09:59
  • I was getting a 403 error undercover because I was navigating with a commandLink via AJAX. So, when the 403 Forbidden error triggered, the page didn't update and remained the same. I'm almost 100% sure that I have misconfigured Spring Security, but I'm new to it and not sure... Any more experienced person with Spring Security? – Jesus Schneider Jul 12 '19 at 11:59
  • Debugging also means setting breakpoints in code (everything you use is open source).... – Kukeltje Jul 12 '19 at 12:56

1 Answer

I want to answer this question in case someone else needs it:

When using TEMPLATES for composing a JSF page, ALWAYS put the "csrf" token in every single form on it. It is not enough to put the token in one place.

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
  • JSF already has CSRF built in. So no need for it in Spring Security (you can disable it there, can't you?). And why did you remove the jsf and primefaces tags? – Kukeltje Jul 12 '19 at 20:45
  • I didn't remove any primefaces tag. Most of the pages I work with are composed of 3 or 4 templates and, originally, I just added the Spring "csrf" token JUST in the main template. The problem is that the rest of the templates also have forms and PrimeFaces components that, when used, send POST requests via those forms. I hope I'm explaining myself. – Jesus Schneider Jul 12 '19 at 22:22
  • But it influences the JSF behaviour, so I'd say a jsf/primefaces tag is justified – Kukeltje Jul 13 '19 at 15:50
  • I have just added the tag again. By the way, could you tell me how to specify the token natively with JSF? – Jesus Schneider Jul 13 '19 at 18:35
  • You don't need to https://stackoverflow.com/questions/7722159/csrf-xss-and-sql-injection-attack-prevention-in-jsf. Contrary to all the hyped client-side JS frameworks that are supposed to be 'easy' to use, where you need to add all sorts of OWASP-like things to become safe... JSF has this built in – Kukeltje Jul 13 '19 at 20:45
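Why the 403 shows up at all, and one way to keep Spring's CSRF check on in this setup (an added example, not code from the question or the answer above): Spring Security's CsrfFilter runs before the authorization rules, so `.anyRequest().permitAll()` never gets a say on a POST that arrives without the `_csrf` parameter; the filter rejects it with 403 whoever is logged in. Pages typed into the address bar are GETs, which the filter does not check, which is exactly the split seen in the question (h:outputLink works, every p:commandLink and f:ajax POST fails). The configuration below assumes the standard JSF resource path /javax.faces.resource/** (not stated in the question), replaces the demo `User.withDefaultPasswordEncoder()` with BCrypt, and denies by default instead of permitting everything except /logged.xhtml, so it is deliberately stricter than the question's config.

```java
// Added example for the question above; not the original poster's code.
// Assumptions (not in the question): JSF static resources live under
// /javax.faces.resource/**, and every h:form on every template carries
// <input type="hidden" name="#{_csrf.parameterName}" value="#{_csrf.token}"/>.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class JsfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // BCrypt instead of the demo-only withDefaultPasswordEncoder(); the
        // in-memory store itself is still only suitable for a test project.
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("admin").password(encoder.encode("1234")).roles("ADMIN")
            .and()
            .withUser("usu").password(encoder.encode("1234")).roles("NORMAL");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // This repository is already the default in 5.1; it is spelled out
                // so the reader can see where the "_csrf" parameter name comes from.
                // Every POST (plain form, f:ajax, p:commandLink) must carry it or
                // CsrfFilter answers 403 before authorization is even consulted.
                .csrfTokenRepository(new HttpSessionCsrfTokenRepository())
                .and()
            .authorizeRequests()
                // JSF/PrimeFaces scripts, CSS and theme images. Without this the
                // login page still renders, but unstyled and with broken widgets.
                .antMatchers("/javax.faces.resource/**").permitAll()
                .antMatchers("/index.xhtml", "/login.xhtml", "/error.xhtml").permitAll()
                .antMatchers("/logged.xhtml").authenticated()
                // Deny by default: anything not listed above needs a login.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.xhtml")
                // The login form POSTs here; it needs the _csrf input as well.
                .loginProcessingUrl("/login")
                .defaultSuccessUrl("/logged.xhtml")
                .failureUrl("/error.xhtml")
                .permitAll()
                .and()
            .logout()
                // Logout only via POST, so a plain link cannot be used to log
                // someone out; the logout form also needs the _csrf input.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .logoutSuccessUrl("/login.xhtml")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .permitAll();
    }
}
```

Two practical notes. PrimeFaces submits the whole enclosing form by default, so a hidden `_csrf` input anywhere in that h:form is sent along; if a component uses `partialSubmit="true"`, only the components listed in `process` are serialized, so the hidden input has to be inside that set or the request is back to a 403. And the two protections are independent: Spring's check looks for its own token, JSF's looks at `javax.faces.ViewState`, and neither knows about the other. Turning Spring's off (`http.csrf().disable()`) to rely on JSF alone, as the comment above suggests, is a defensible choice, but verify first that the ViewState actually binds the request to the session under the state saving method you use (the question's web.xml sets `javax.faces.STATE_SAVING_METHOD` to `client`), rather than assuming it.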