1

I'm just getting started with Spring Security 3.1 and I haven't found a way to implement it on top of a JSF 2.1 web app. I currently have:

A web.xml with:

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:applicationContext-business.xml
                     /WEB-INF/applicationContext-security.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

And my applicationContext-security.xml:

    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security
                    http://www.springframework.org/schema/security/spring-security-3.1.xsd">

        <http pattern="/resources/**" security="none" />

        <http use-expressions="true">
            <intercept-url pattern="/administracion/departamentos/**" access="recursoshumanos" />
            <intercept-url pattern="/administracion/derechos/**" access="recursoshumanos" />
            <intercept-url pattern="/administracion/diasfestivos/**" access="recursoshumanos" />
            <intercept-url pattern="/administracion/dias/**" access="recursoshumanos" />
            <intercept-url pattern="/administracion/solicitudes/**" access="recursoshumanos" />
            <intercept-url pattern="/administracion/empleados/**" access="recursoshumanos" />
        </http>

        <authentication-manager>
            <authentication-provider>
                <user-service>
                    <user name="rod" password="koala" authorities="recursoshumanos" />
                    <user name="dianne" password="emu" authorities="jefe" />
                    <user name="scott" password="wombat" authorities="jefe" />
                </user-service>
            </authentication-provider>
        </authentication-manager>

    </beans:beans>

I'm guessing this example would work with a regular .jsp but I'm probably missing additional steps to make it work with JSF. Unfortunately, I haven't been able to find a fully working example so far. What do I need to do? Thanks!

Edit: The problem is that I can still navigate freely to the secured areas of the application without needing to log in.

Edit: BTW, I just noticed that a filter to the root of the web app does indeed trigger the authentication mechanism. It still fails everywhere else though.

Roberto Betancourt

3 Answers

3

Authorities should start with ROLE_

Have a look here: Spring Security FAQ and SO

Community
baba.kabira
  • I just switched to the "ROLE_" prefix but it's still failing. – Roberto Betancourt Mar 14 '12 at 19:50
  • Edit: BTW, I just noticed that a filter to the root of the web app does indeed trigger the authentication mechanism. It still fails everywhere else though. – Roberto Betancourt Mar 14 '12 at 19:53
  • @dustedrob can you post urls that are passing and url that is caught by spring security, just check if your mappings are correct – baba.kabira Mar 14 '12 at 20:40
  • The only URL that is getting caught by Spring Security is the root path: http://localhost:8080/vacaciones. A path that has been declared but is not getting caught is http://localhost:8080/vacaciones/faces/administracion/departamentos/List.xhtml, which should be covered by the declaration in the security xml. – Roberto Betancourt Mar 14 '12 at 21:27
  • 1
    try adding faces in front of intercept-url pattern i.e /faces/administracion/departamentos/** – baba.kabira Mar 15 '12 at 08:14
  • yes! That did it! I feel so dumb now. I was fully expecting Spring-security to consider the "faces" portion as part of the root context... Thanks! – Roberto Betancourt Mar 15 '12 at 15:46
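The fix reached in the comments above, written out as configuration. This is an added example, not the poster's final file: `intercept-url` patterns are matched against the request path that follows the context path (`/vacaciones`), so the FacesServlet prefix has to appear in each pattern. It assumes FacesServlet is mapped to `/faces/*` (as the failing URL suggests) and that a catch-all rule and the default form login are acceptable for this app.

```xml
<http pattern="/resources/**" security="none" />

<http use-expressions="true">
    <!-- Request: /vacaciones/faces/administracion/departamentos/List.xhtml
         Matched:            /faces/administracion/departamentos/List.xhtml
         The original patterns started at /administracion/ and never matched. -->

    <!-- With use-expressions="true" the access attribute is an expression,
         so the authority name is wrapped in hasRole(...). -->
    <intercept-url pattern="/faces/administracion/departamentos/**" access="hasRole('recursoshumanos')" />
    <intercept-url pattern="/faces/administracion/derechos/**" access="hasRole('recursoshumanos')" />
    <intercept-url pattern="/faces/administracion/diasfestivos/**" access="hasRole('recursoshumanos')" />
    <intercept-url pattern="/faces/administracion/dias/**" access="hasRole('recursoshumanos')" />
    <intercept-url pattern="/faces/administracion/solicitudes/**" access="hasRole('recursoshumanos')" />
    <intercept-url pattern="/faces/administracion/empleados/**" access="hasRole('recursoshumanos')" />

    <!-- Assumption: every other page needs at least a logged-in user.
         Rules are evaluated top to bottom, so the catch-all goes last.
         It also covers any other FacesServlet mapping (for example *.xhtml)
         that would otherwise reach the same views without the /faces prefix. -->
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <!-- An authentication mechanism is needed so unauthenticated requests
         have somewhere to be redirected. -->
    <form-login />
    <logout />
</http>
```

A quick check after deploying: request a protected view such as `/vacaciones/faces/administracion/departamentos/List.xhtml` in a fresh browser session and confirm it redirects to the login page instead of rendering.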
1

As noted by gbagga, the answer was pretty simple: Add the "faces" part of the path to the patterns. Thanks!

Roberto Betancourt
0

Configuration seems to be correct. Maybe you are missing the auto-config="true" option in your http definition. See more here

http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ns-config.html#ns-auto-config

What is your problem exactly? You can not login with the specified username/password? Authorization is not applied to your application?

dimcookies
  • The problem is that I can still navigate freely to the secured areas of the application without needing any sort of authentication. – Roberto Betancourt Mar 14 '12 at 16:52
  • using auto-config didn't make a difference. – Roberto Betancourt Mar 14 '12 at 17:00
  • One more guess, you have defined use-expressions="true" therefore spring security is expecting an expression rather than a role name (check http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html#el-access-web). Maybe you can use the expression hasRole('recursoshumanos') or remove use-expressions and see what happens – dimcookies Mar 14 '12 at 17:09
  • I'm afraid that didn't work either. I tried it with and without expressions and it's still the same. – Roberto Betancourt Mar 14 '12 at 17:30
  • I have run out of ideas, sorry. For my JSF app, I just followed this tutorial http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/ and it worked like a charm. Read on, maybe there is something we are missing – dimcookies Mar 14 '12 at 17:32
  • Thanks. This is driving me crazy! – Roberto Betancourt Mar 14 '12 at 17:38
  • Edit: BTW, I just noticed that a filter to the root of the web app does indeed trigger the authentication mechanism. It still fails everywhere else though. – Roberto Betancourt Mar 14 '12 at 19:53