Spring Security 3 provides an API for configuring authentication and authorization. Authentication is possible against any number of repositories and databases. Authorization is applied at the web resource level using Servlet Filters, at the business/service method level using aspects and annotations, or both.
About This Tutorial
The purpose of this tutorial is to demonstrate how application developers can use both Spring Security 3.1.2 and ICEfaces 3.1 in the same application. Both technologies build on the Servlet API, so it is essential to understand how the various parts of the web.xml file are organized to accommodate both frameworks. It's also important to be mindful that Spring Security is highly configurable. The example below shows only one extension (Session Management). There are several other filters and configuration options your requirements may warrant. Note that the official Spring-Webflow release has not been updated to fix a problem with overloading methods in the FacesContext that throw UnsupportedOperationExceptions, so the Maven POM included in the tutorial refers to a temporary build location for Spring-Webflow.
Tutorial Use Case
The simple business case for this tutorial is a "product documentation" web application. Some of the documentation is publicly available and some of it requires authorization. To satisfy this requirement, all content requiring authorization is accessible behind the Spring intercept pattern "/secure/*".
This tutorial uses Spring Security 3.1.2, Spring Framework 3.0.6, JSF 2.1.6 and ICEfaces 3.1. The project has been modified to use Maven as the build environment.
Porting from Spring Security 3.0.6 and ICEfaces 3.0.1
In changing from the previous tutorial, users will note the following changes:
1) The security-config.xml file will need to name a new up-to-date Spring Security schema as in the following example:
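A minimal security-config.xml for this use case, added here as an example and not the tutorial's own file: it names the Spring Security 3.1 schema, protects the /secure/ content and enables the Session Management extension. The in-memory user, the password placeholder and the max-sessions value are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the tutorial's own configuration file. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- auto-config supplies the default form login, HTTP basic and logout. -->
  <http auto-config="true" use-expressions="true">

    <!-- Rules are evaluated top to bottom; the first match wins, so the
         protected area must come before the catch-all rule.
         Ant-style matching: "/secure/*" covers a single path level only,
         while "/secure/**" also covers nested paths such as /secure/a/b.jsf. -->
    <intercept-url pattern="/secure/**" access="isAuthenticated()"/>
    <intercept-url pattern="/**" access="permitAll"/>

    <!-- Session Management extension.
         migrateSession issues a new session id at login, which blocks
         session fixation. concurrency-control limits each user to the
         given number of live sessions (the value 1 is an assumption).
         Concurrency control only sees sessions end if
         org.springframework.security.web.session.HttpSessionEventPublisher
         is registered as a listener in web.xml. -->
    <session-management session-fixation-protection="migrateSession">
      <concurrency-control max-sessions="1"/>
    </session-management>
  </http>

  <!-- Constructed in-memory account for a demo only. Replace with a real
       user repository and a password encoder before deployment. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="demo" password="CHANGE_ME" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>

</beans:beans>
```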
The web.xml below contains additional parameters showing where the Spring configuration is located, the Spring Security filter chain, the context loader listener, and the SessionEventPublisher. These should be added to any existing ICEfaces web.xml configuration parameters shown below in step 3.