Spring Security 3.1.2 integration challenge
futhark77

Joined: 18/Sep/2009 00:00:00
Messages: 57
Offline


Hello,

I feel ICEfaces does not integrate very well with Spring Security for those designing their own login form (I'm guessing that's a lot of people).

The issue lies with the definition and use of the login-processing-url property (typically "j_spring_security_check"). How can I instruct my ICEfaces custom form to POST to that URL?

I tried setting action="login" with the corresponding nav rule in faces-config.xml. But that won't work, because nav rules must specify <redirect/>: Spring Security 3.2.1 (and probably all of 3.x) no longer supports GET requests because it exposes the password. This also means I can no longer use this kind of trick in my login bean:

Code:
 public void login(ActionEvent e) throws java.io.IOException {
     // Credentials travel in the query string of a GET redirect
     FacesContext.getCurrentInstance().getExternalContext().redirect(
         "/test/j_spring_security_check?j_username=" + userId + "&j_password=" + password);
 }
 


There is a way to have GETs accepted by spring security. But that's something I do not want to continue doing.

According to spring security forums, the other solution is to write spring security authentication by hand in my login bean. But I hate having to do that. It defeats the purpose of the applicationContext.xml file.

Long story short: how do we integrate spring security with a custom icefaces login form?
futhark77



I have found a solution.

http://stackoverflow.com/questions/5405718/jsf-redirect-to-url-as-post-not-as-get

I wrote myself a tiny submitlogin.xhtml page that posts username/pass to spring security's url.

Code:
 <?xml version='1.0' encoding='UTF-8' ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml"
       xmlns:h="http://java.sun.com/jsf/html">
   <h:head>
   </h:head>
   <h:body>
     <form id="f" action="/app/j_spring_security_check.iface" method="post">
       <input type="hidden" name="j_username" value="#{loginBean.username}" />
       <input type="hidden" name="j_password" value="#{loginBean.password}" />   
     </form>
     <script>
       document.getElementById("f").submit();     
     </script>
   </h:body>
 </html>
 


My login.xhtml action is set to submitlogin. submitlogin is redirecting to submitlogin.xhtml.

After trying various alternatives I gave up trying to avoid using a separate submitlogin.xhtml. JSF seems to force all actions to end with a redirect (GET).

If anyone has improvements/better approach please let me know.
futhark77



I could also have looked at this nice tutorial. Its LoginController bean contains code to perform spring security authentication. I won't need that separate submitlogin form anymore.

http://wiki.icesoft.org/display/ICE/Spring+Security
futhark77



Me again talking to myself :o)

I have found an interesting approach to integrate Spring Security, if only I could make it work! It consists of dispatching the request to /j_spring_security_check.

http://slackspace.de/articles/custom-login-page-with-jsf-and-spring-security-3-2/

Did anyone succeed in implementing this? I am having a problem passing j_username and j_password from my form to Spring Security.

2012-09-13 13:01:17,447 DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider - Processing authentication request for user:
2012-09-13 13:01:17,448 DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Empty Username

I would very much like to be able to redirect/dispatch to /j_spring_security_check, as it shields me from API changes. One example: the ICEsoft Spring Security tutorial won't work as is with 3.1.

Thanks.
futhark77



I found what was missing. My phase listener was not loaded in faces-config.xml. Also, it is important to specify the following in login.xhtml:

Code:
 <ice:form prependId="false">
     <ice:inputText id="j_username" />
     <ice:inputSecret id="j_password" />
     <ice:commandButton value="Login" action="#{loginController2.doLogin}" />
 </ice:form>
 


This time, I am getting authenticated, but redirection to default-target-url gets stuck. The page appears only after I reload.

Can someone explain this behavior? Is ICEfaces having a problem playing nice with Spring?
futhark77



Here is a modified springsecurity-3-icefaces-3-tutorial for your enjoyment.

Below is a diff showing my changes. A few of them are unrelated to the problem I described (spring 3.1.2, session-timeout).

Code:
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/pom.xml 2012-05-03 14:06:10.000000000 -0400
 +++ modified-springsecurity-3-icefaces-3-tutorial/springsecurity/pom.xml        2012-09-13 16:18:05.000000000 -0400
 @@ -26,10 +26,9 @@
      <name>Spring Security 3 ICEfaces 3 tutorial</name>
      <version>1.0</version>
      <properties>
 -       <org.icefaces.version>3.0.1</org.icefaces.version>
 -        <org.springframework.version>3.1.1.RELEASE</org.springframework.version>
 +       <org.icefaces.version>3.1.0</org.icefaces.version>
 +        <org.springframework.version>3.1.2.RELEASE</org.springframework.version>
          <org.springsecurity.version>3.0.7.RELEASE</org.springsecurity.version>
 -        <org.slf4j-version>1.5.10</org.slf4j-version>
          <jsf-version>2.1.3</jsf-version>
      </properties>
  
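Review bot: `org.springsecurity.version` is left at 3.0.7.RELEASE in this properties block while `org.springframework.version` moves to 3.1.2.RELEASE; if the target is Spring Security 3.1.x, bump that property as well, otherwise the security jars stay on the 3.0 line. The `org.slf4j-version` property is also removed here, so check that nothing else in the pom still references `${org.slf4j-version}`.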
 @@ -41,6 +40,12 @@
             <version>${ice.version}</version>
         </dependency> -->
          <!-- Define the spring dependencies here -->
 +        <dependency> 
 +  <groupId>org.slf4j</groupId>
 +  <artifactId>slf4j-log4j12</artifactId>
 +  <version>1.7.0</version>
 +</dependency>
 +
          <dependency>
              <groupId>org.springframework</groupId>
              <artifactId>spring-core</artifactId>
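Review bot: the new slf4j-log4j12 dependency hard-codes `<version>1.7.0</version>` and is placed under the "Define the spring dependencies here" comment with indentation that does not match the neighbouring entries. Keep the version in a property under `<properties>`, as the other versions are, and give the logging dependency its own comment.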
 @@ -222,7 +227,7 @@
              <plugin>
                  <groupId>org.apache.maven.plugins</groupId>
                  <artifactId>maven-war-plugin</artifactId>
 -
 +                <version>2.2</version>
  
                  <configuration>
                      <webResources>
 Only in modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/java/org/icesoft/demo/spring/secure/login: LoginController2.java
 diff -u -ur springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/applicationContext-security.xml modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/applicationContext-security.xml
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/applicationContext-security.xml 2012-05-02 10:32:52.000000000 -0400
 +++ modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/applicationContext-security.xml    2012-09-13 16:43:13.000000000 -0400
 @@ -15,7 +15,8 @@
          <intercept-url pattern='/secure/**' access='ROLE_READER' />
  
          <!-- enable form login to use UsernamePasswordAuthenticationFilter [/j_spring_security_check] -->
 -        <form-login login-page="/general/logins/htmlLogin.faces"  
 +        <form-login login-processing-url="/j_spring_security_check.jsp"
 +                    login-page="/general/logins/htmlLogin.faces"  
                      authentication-failure-url="/general/logins/loginFailed.jsf"/>
  
          <!-- logout page uses the default LogoutFilter, no changes are needed as IT accepts a GET call... -->
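Review bot: the comment directly above `<form-login>` still names `/j_spring_security_check`, but `login-processing-url` is now `/j_spring_security_check.jsp`; update the comment and make sure the path that LoginController2 dispatches to is the same string, since a mismatch means the authentication filter never sees the login request. The element also sets no `default-target-url`, so the post-login destination is whatever the framework defaults to.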
 Only in modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/classes: log4j.properties
 diff -u -ur springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/faces-config.xml modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/faces-config.xml
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/faces-config.xml        2011-02-25 12:00:54.000000000 -0500
 +++ modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/faces-config.xml       2012-09-13 16:41:20.000000000 -0400
 @@ -5,4 +5,11 @@
                xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd"
                version="2.0">
  
 +    
 +       <lifecycle>
 +       <phase-listener>
 +            org.icesoft.demo.spring.secure.login.LoginController2
 +        </phase-listener>
 +       </lifecycle>
 +                  
  </faces-config>
 \ No newline at end of file
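Review bot: `org.icesoft.demo.spring.secure.login.LoginController2` is registered here as a `<phase-listener>` and is also invoked as a managed bean through `#{loginController2.doLogin}` in the login form; JSF creates the phase-listener instance itself, separately from the bean instance, so the class must not rely on instance fields shared between the two roles. Put the class name on one line inside `<phase-listener>` and drop the whitespace-only added lines.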
 diff -u -ur springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/includes/content/auth/loginFormSpringAuthenticationManager.xhtml modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/includes/content/auth/loginFormSpringAuthenticationManager.xhtml
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/includes/content/auth/loginFormSpringAuthenticationManager.xhtml     2011-02-09 12:14:50.000000000 -0500
 +++ modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/includes/content/auth/loginFormSpringAuthenticationManager.xhtml    2012-09-13 16:38:44.000000000 -0400
 @@ -13,17 +13,17 @@
      <div style="color: red;">
          <ice:messages id="loginErrorMessages" />
      </div>
 -    <ice:form id="loginForm" >
 +    <ice:form id="loginForm" prependId="false">
          <ice:panelGrid columns="2" style="width: 500px">
              <ice:outputLabel id="userNameLabel" value="Username:" for="j_username" style="width: 200px; margin-right: 20px;"/>
 -            <ice:inputText id="j_username" value="#{loginFormBean.userName}" style="width:280px;"/>
 +            <ice:inputText id="j_username" style="width:280px;"/>
  
              <ice:outputLabel id="passwordLabel" value="Password:" for="j_password" style="width: 200px; margin-right: 20px;"/>
 -            <ice:inputSecret id="j_password" value="#{loginFormBean.password}" style="width:280px;"/>
 +            <ice:inputSecret id="j_password"  style="width:280px;"/>
  
              <ice:outputText value=" "/>
              <ice:commandButton id="j_submitLogin" value="Login"
 -                               action="#{loginController.loginUsingSpringAuthenticationManager}" />
 +                               action="#{loginController2.doLogin}" />
          </ice:panelGrid>
      </ice:form>
  
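Review bot: with the `value` bindings removed from `j_username` and `j_password`, nothing in the form rejects an empty submission before it reaches Spring Security; adding `required="true"` to both inputs would stop blank logins at the JSF validation step. `prependId="false"` on `loginForm` is what keeps the posted parameter names exactly `j_username` and `j_password`, so it deserves a comment in the page.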
 diff -u -ur springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml 2011-03-03 12:35:44.000000000 -0500
 +++ modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml        2012-09-13 16:09:44.000000000 -0400
 @@ -55,17 +55,20 @@
      <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
 +        <dispatcher>REQUEST</dispatcher>
 +        <dispatcher>FORWARD</dispatcher>
      </filter-mapping>
  
      <listener>
          <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
 +    
      <listener>
          <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
      </listener>
  
      <session-config>
 -        <session-timeout>60</session-timeout>
 +        <session-timeout>1</session-timeout>
      </session-config>
  
  
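Review bot: `<session-timeout>1</session-timeout>` at the end of this hunk expires sessions after one minute, which looks like a test value; restore 60 or another deliberate value before sharing the project. The added `<dispatcher>FORWARD</dispatcher>` is the line that lets springSecurityFilterChain see a forwarded login request, and `REQUEST` has to be listed with it because the implicit default no longer applies once any `<dispatcher>` element is present; a short comment saying so would help.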
 Only in modified-springsecurity-3-icefaces-3-tutorial/springsecurity: target
 
 Filename modified-springsecurity-3-icefaces-3-tutorial.zip [Disk] Download
 Description modified tutorial
 Filesize 23867 Kbytes
 Downloaded:  123 time(s)
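The forward-based login discussed in this thread, as an added example; it is not the LoginController2.java from the attachment, which is not shown on the page. The class and bean name ForwardingLoginController and the generic error text are assumptions. The forward target is the login-processing-url from the diff, and the class would also need the `<phase-listener>` registration in faces-config.xml.

```java
import java.io.IOException;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Hypothetical class name; added example, not the thread's LoginController2.java.
@ManagedBean(name = "forwardingLoginController")
@RequestScoped
public class ForwardingLoginController implements PhaseListener {
    // Must equal login-processing-url in applicationContext-security.xml.
    private static final String LOGIN_URL = "/j_spring_security_check.jsp";
    // Session key under which Spring Security 3.x keeps the last login failure.
    private static final String LAST_EXCEPTION = "SPRING_SECURITY_LAST_EXCEPTION";

    // Forwards the original POST, so j_username and j_password stay in the
    // request body and never appear in a URL, log line or Referer header.
    public String doLogin() throws ServletException, IOException {
        FacesContext faces = FacesContext.getCurrentInstance();
        ExternalContext ext = faces.getExternalContext();
        ServletRequest request = (ServletRequest) ext.getRequest();
        ServletResponse response = (ServletResponse) ext.getResponse();
        RequestDispatcher dispatcher = request.getRequestDispatcher(LOGIN_URL);
        dispatcher.forward(request, response);
        faces.responseComplete(); // the filter chain has already written the response
        return null;
    }

    // After a failed login, show a generic message rather than the exception text.
    public void beforePhase(PhaseEvent event) {
        ExternalContext ext = event.getFacesContext().getExternalContext();
        Object failure = ext.getSessionMap().remove(LAST_EXCEPTION);
        if (failure != null) {
            event.getFacesContext().addMessage(null, new FacesMessage(
                FacesMessage.SEVERITY_ERROR, "Invalid username or password.", null));
        }
    }

    public void afterPhase(PhaseEvent event) { }

    public PhaseId getPhaseId() { return PhaseId.RENDER_RESPONSE; }
}
```

The forward only reaches Spring Security when the springSecurityFilterChain mapping in web.xml lists the FORWARD dispatcher, as the web.xml hunk above does.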

 