voyent
Messages posted by: futhark77  XML
Profile for futhark77 -> Messages posted by futhark77 [55] Go to Page: Previous  1, 2, 3, 4 Next 
Author Message
I think I have understood why I was having this problem.

In my app, navigation happens through a a menu (menu bar). An action i fired when a tool is selected. Once the session expires, actions cannot work anymore because posting to the app is no longer possible.

So I need a way to still redirect the client after the session expires. This is where icepush and jsfredirectstrategy come handy. Together they push an ajax redirect to the client.

If I were to use ordinary links for navigation, I wouldn't need icepush nor a jsfRedirectStrategy. It is when I tested this that I started to understand what was going on.
Attached is the updated tutorial for spring security 3.1. I also cleaned up a few unnecessary things. Note I forced the session expiration to 1 minute to test it easily.

Changes are summarized below.

HTH

Code:
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/applicationContext-security.xml 2012-05-02 10:32:52.000000000 -0400
 +++ updated-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/applicationContext-security.xml 2012-09-19 16:41:25.000000000 -0400
 @@ -3,34 +3,29 @@
               xmlns:beans="http://www.springframework.org/schema/beans"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.springframework.org/schema/beans
 -           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
 -           http://www.springframework.org/schema/security
 -           http://www.springframework.org/schema/security/spring-security-3.0.xsd">
 -
 +             http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
 +             http://www.springframework.org/schema/security
 +             http://www.springframework.org/schema/security/spring-security-3.1.xsd">
 +        
      <!--  key configuration here is an entry point to be used by security intercepts -->
 -    <http realm="Sample Realm" entry-point-ref="authenticationEntryPoint" auto-config="false">
 +    <http auto-config="false">
  
          <custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />
          <!-- any role that is used to protect a directory, can be multiples -->
          <intercept-url pattern='/secure/**' access='ROLE_READER' />
  
          <!-- enable form login to use UsernamePasswordAuthenticationFilter [/j_spring_security_check] -->
 -        <form-login login-page="/general/logins/htmlLogin.faces"  
 +        <form-login login-page="/general/logins/login.faces"  
                      authentication-failure-url="/general/logins/loginFailed.jsf"/>
  
          <!-- logout page uses the default LogoutFilter, no changes are needed as IT accepts a GET call... -->
          <!-- here is an example logout link:
                  <a href="#{request.contextPath}/j_spring_security_logout">Logout</a> -->
          <logout logout-url="/j_spring_security_logout"
 -                logout-success-url="/general/main.jsf"
 +                logout-success-url="/general/main.jsf?logout"
                  invalidate-session="true"/>
      </http>
  
 -    <beans:bean id="authenticationEntryPoint"
 -        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
 -        <beans:property name="loginFormUrl" value="/general/logins/login.jsf" />
 -    </beans:bean>
 -
      <!-- test with this before you hook up your LDAP or other Authentication Manager -->
      <authentication-manager alias="authenticationManager">
          <authentication-provider>
 @@ -43,12 +38,13 @@
  
      <beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
          <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
 -        <beans:property name="invalidSessionUrl" value="/general/logins/sessionExpired.jsf" />
 -        <!-- this permits redirection to session timeout page from javascript/ajax or http -->
 -        <beans:property name="redirectStrategy" ref="jsfRedirectStrategy" />
 +                               <beans:property name="invalidSessionStrategy" ref="jsfInvalidSessionStrategy" />
      </beans:bean>
 +
 +    <beans:bean id="jsfInvalidSessionStrategy" class="com.icesoft.spring.security.JsfInvalidSessionStrategy">
 +        <beans:constructor-arg name="invalidSessionUrl" value="/general/logins/sessionExpired.jsf" />
 +               </beans:bean>
  
 -    <beans:bean id="jsfRedirectStrategy" class="com.icesoft.spring.security.JsfRedirectStrategy"/>
      <beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
  
  </beans:beans>
 diff -u -ur springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml updated-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml 2011-03-03 12:35:44.000000000 -0500
 +++ updated-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml 2012-09-19 16:45:57.000000000 -0400
 @@ -60,12 +60,9 @@
      <listener>
          <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
 -    <listener>
 -        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
 -    </listener>
  
      <session-config>
 -        <session-timeout>60</session-timeout>
 +        <session-timeout>1</session-timeout>
      </session-config>
 
Here is a modified springsecurity-3-icefaces-3-tutorial for your enjoyment.

Below is a diff showing my changes. A few of them are unrelated to the problem I described (spring 3.1.2, session-timeout).

Code:
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/pom.xml 2012-05-03 14:06:10.000000000 -0400
 +++ modified-springsecurity-3-icefaces-3-tutorial/springsecurity/pom.xml        2012-09-13 16:18:05.000000000 -0400
 @@ -26,10 +26,9 @@
      <name>Spring Security 3 ICEfaces 3 tutorial</name>
      <version>1.0</version>
      <properties>
 -       <org.icefaces.version>3.0.1</org.icefaces.version>
 -        <org.springframework.version>3.1.1.RELEASE</org.springframework.version>
 +       <org.icefaces.version>3.1.0</org.icefaces.version>
 +        <org.springframework.version>3.1.2.RELEASE</org.springframework.version>
          <org.springsecurity.version>3.0.7.RELEASE</org.springsecurity.version>
 -        <org.slf4j-version>1.5.10</org.slf4j-version>
          <jsf-version>2.1.3</jsf-version>
      </properties>
  
 @@ -41,6 +40,12 @@
             <version>${ice.version}</version>
         </dependency> -->
          <!-- Define the spring dependencies here -->
 +        <dependency> 
 +  <groupId>org.slf4j</groupId>
 +  <artifactId>slf4j-log4j12</artifactId>
 +  <version>1.7.0</version>
 +</dependency>
 +
          <dependency>
              <groupId>org.springframework</groupId>
              <artifactId>spring-core</artifactId>
 @@ -222,7 +227,7 @@
              <plugin>
                  <groupId>org.apache.maven.plugins</groupId>
                  <artifactId>maven-war-plugin</artifactId>
 -
 +                <version>2.2</version>
  
                  <configuration>
                      <webResources>
 Only in modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/java/org/icesoft/demo/spring/secure/login: LoginController2.java
 diff -u -ur springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/applicationContext-security.xml modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/applicationContext-security.xml
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/applicationContext-security.xml 2012-05-02 10:32:52.000000000 -0400
 +++ modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/applicationContext-security.xml    2012-09-13 16:43:13.000000000 -0400
 @@ -15,7 +15,8 @@
          <intercept-url pattern='/secure/**' access='ROLE_READER' />
  
          <!-- enable form login to use UsernamePasswordAuthenticationFilter [/j_spring_security_check] -->
 -        <form-login login-page="/general/logins/htmlLogin.faces"  
 +        <form-login login-processing-url="/j_spring_security_check.jsp"
 +                    login-page="/general/logins/htmlLogin.faces"  
                      authentication-failure-url="/general/logins/loginFailed.jsf"/>
  
          <!-- logout page uses the default LogoutFilter, no changes are needed as IT accepts a GET call... -->
 Only in modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/classes: log4j.properties
 diff -u -ur springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/faces-config.xml modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/faces-config.xml
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/faces-config.xml        2011-02-25 12:00:54.000000000 -0500
 +++ modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/faces-config.xml       2012-09-13 16:41:20.000000000 -0400
 @@ -5,4 +5,11 @@
                xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd"
                version="2.0">
  
 +    
 +       <lifecycle>
 +       <phase-listener>
 +            org.icesoft.demo.spring.secure.login.LoginController2
 +        </phase-listener>
 +       </lifecycle>
 +                  
  </faces-config>
 \ No newline at end of file
 diff -u -ur springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/includes/content/auth/loginFormSpringAuthenticationManager.xhtml modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/includes/content/auth/loginFormSpringAuthenticationManager.xhtml
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/includes/content/auth/loginFormSpringAuthenticationManager.xhtml     2011-02-09 12:14:50.000000000 -0500
 +++ modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/includes/content/auth/loginFormSpringAuthenticationManager.xhtml    2012-09-13 16:38:44.000000000 -0400
 @@ -13,17 +13,17 @@
      <div style="color: red;">
          <ice:messages id="loginErrorMessages" />
      </div>
 -    <ice:form id="loginForm" >
 +    <ice:form id="loginForm" prependId="false">
          <ice:panelGrid columns="2" style="width: 500px">
              <ice:outputLabel id="userNameLabel" value="Username:" for="j_username" style="width: 200px; margin-right: 20px;"/>
 -            <ice:inputText id="j_username" value="#{loginFormBean.userName}" style="width:280px;"/>
 +            <ice:inputText id="j_username" style="width:280px;"/>
  
              <ice:outputLabel id="passwordLabel" value="Password:" for="j_password" style="width: 200px; margin-right: 20px;"/>
 -            <ice:inputSecret id="j_password" value="#{loginFormBean.password}" style="width:280px;"/>
 +            <ice:inputSecret id="j_password"  style="width:280px;"/>
  
              <ice:outputText value=" "/>
              <ice:commandButton id="j_submitLogin" value="Login"
 -                               action="#{loginController.loginUsingSpringAuthenticationManager}" />
 +                               action="#{loginController2.doLogin}" />
          </ice:panelGrid>
      </ice:form>
  
 diff -u -ur springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml
 --- springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml 2011-03-03 12:35:44.000000000 -0500
 +++ modified-springsecurity-3-icefaces-3-tutorial/springsecurity/src/main/webapp/WEB-INF/web.xml        2012-09-13 16:09:44.000000000 -0400
 @@ -55,17 +55,20 @@
      <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
 +        <dispatcher>REQUEST</dispatcher>
 +        <dispatcher>FORWARD</dispatcher>
      </filter-mapping>
  
      <listener>
          <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
 +    
      <listener>
          <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
      </listener>
  
      <session-config>
 -        <session-timeout>60</session-timeout>
 +        <session-timeout>1</session-timeout>
      </session-config>
  
  
 Only in modified-springsecurity-3-icefaces-3-tutorial/springsecurity: target
 
I found what was missing. My phase listener was not loaded in faces-config.xml. Also, it is important to specify the following in login.xhtml:

Code:
               <ice:form prependId="false">
                         <ice:inputText id="j_username" />
                         <ice:inputSecret id="j_password" />
                         <ice:commandButton value="Login" action="#{loginController2.doLogin}" />
                 </ice:form>
 


This time, I am getting authenticated, but redirection to default-target-url gets stuck. The page appears only after I reload.

Can someone explain this behavior? Is iceface having a problem playing nice with spring?
Me again talking to myself :o)

I have found an interesting approach to integrate spring security, if only I could make it work! It consists into dispatching the request to /j_spring_security_check.

http://slackspace.de/articles/custom-login-page-with-jsf-and-spring-security-3-2/

Did anyone succeed to implement this? I am having a problem passing j_username and j_password from my form to spring security.

2012-09-13 13:01:17,447 DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider - Processing authentication request for user:
2012-09-13 13:01:17,448 DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Empty Username

I would like a lot to be able to redirect/dispatch to /j_spring_security_check as it shields me from api changes. One example: the icesoft spring security tutorial won't work as is with 3.1.

Thanks.
I aligned my config on ICEsoft Spring Security tutorial. The JsfRedirectStrategy class seems to be fixing my problem.

Session expiration was a lot easier to handle in the past. At least when not using ajax (my situation). When the session expired, the user got redirected to my login page as specified in my web.xml. As simple as that.
My problem persists after upgrading to Spring Security 3.1.2. This is getting desperate.

I aligned my web.xml and applicationContext.xml against the iceface tutorial. Still no luck. I will review my files one more time.

One of the only things I have left to try is to define a custom SessionManagementFilter like the tutorial does. I am not using ajax requests but who knows.

My problem happens after session expiration if I am on a secured page.

POST https://srv/app/secured.iface
GET https://srv/app/login.iface <- never completes

In firebug I see something odd with the GET. Does it ring a bell to anyone?

Code:
XML Parsing Error: no element found Location: moz-nullprincipal:{ffa0486b-e3e7-4ac0-9513-5fc9bc1b1502} Line Number 1, Column 1:


If I am on a public page, the redirect works fine.
The SessionManagementFilter class changed in Spring Security v3.1 compared to v3.0. Here is a possible solution. The end result does not quite help me but I got past the errors you have posted.

http://stackoverflow.com/questions/10143539/jsf-2-spring-security-3-x-and-richfaces-4-redirect-to-login-page-on-session-tim
I could also have looked at this nice tutorial. Its LoginController bean contains code to perform spring security authentication. I won't need that separate submitlogin form anymore.

http://wiki.icesoft.org/display/ICE/Spring+Security
I have found a solution.

http://stackoverflow.com/questions/5405718/jsf-redirect-to-url-as-post-not-as-get

I wrote myself a tiny submitlogin.xhtml page that posts username/pass to spring security's url.

Code:
 <?xml version='1.0' encoding='UTF-8' ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml"
       xmlns:h="http://java.sun.com/jsf/html">
   <h:head>
   </h:head>
   <h:body>
     <form id="f" action="/app/j_spring_security_check.iface" method="post">
       <input type="hidden" name="j_username" value="#{loginBean.username}" />
       <input type="hidden" name="j_password" value="#{loginBean.password}" />   
     </form>
     <script>
       document.getElementById("f").submit();     
     </script>
   </h:body>
 </html>
 


My login.xhtml action is set to submitlogin. submitlogin is redirecting to submitlogin.xhtml.

After trying various altenatives I gave up trying to avoid using a separate submitlogin.xhtml. JSF seems to force all actions to end with a redirect (GET).

If anyone has improvements/better approach please let me know.
Hello,

I feel ICEfaces does not integrate very well with Spring Security for those designing their own login form (I'm guessing that's a lot of people).

The issue lies with the definition and use of the the login-processing-url property (typically "j_spring_security_check"). How can instruct my icefaces custom form to POST to that url?

I tried setting action="login" with the corresponding nav rule in faces-config.xml. But that won't work, because nav rules must specify <redirect/>: Spring Security 3.2.1 (and probably all of 3.x) no longer supports GET requests because it exposes the password. This also means I can no longer use this kind trick in my login bean:

Code:
 public void login(ActionEvent e) throws java.io.IOException {
          FacesContext.getCurrentInstance().getExternalContext().redirect(
 "/test/j_spring_security_check?j_username=" + userId + "&j_password=" + password);
      }
 


There is a way to have GETs accepted by spring security. But that's something I do not want to continue doing.

According to spring security forums, the other solution is to write spring security authentication by hand in my login bean. But I hate having to do that. It defeats the purpose of the applicationContext.xml file.

Long story short: how do we integrate spring security with a custom icefaces login form?
I did not encounter this particular error but I have encountered this type of huge exception. If you read the last stack trace you will find the cause. In your case, the problem seems to be:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionManagementFilter' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'invalidSessionUrl' of bean class [org.springframework.security.web.session.SessionManagementFilter]: Bean property 'invalidSessionUrl' is not writable or has an invalid setter method. Does the parameter type of the setter match the return type of the getter?

In other words, review your applicationContext.xml file. It seems you are trying to set property invalidSessionUrl of a bean named sessionManagementFilter, which is not allowed.
The last directives I used could hardly be simpler:

Code:
         <intercept-url pattern="/tool1.iface" access="ROLE_XYZ"/>
         <intercept-url pattern="/tool2.iface" access="ROLE_XYZ"/>
         <intercept-url pattern="/**" security="none"/>
 


My problem persisted in spite of cleaning up my config. I am now upgrading to Spring Security to v3.1.2.
I have a spring security configuration problem. Some combination of intercept-url directives seem to be in cause. After commenting them all I could finally see my request complete.

Firebug has been helpful here. It showed the redirect request getting stuck and the absence of icefaces session expiration messages. It gave me the idea to look at my security constraints. In the past I had problems with spring security blocking access to icefaces resources.

I guess resources have been reorganized since 1.8.1. I'll try to rerework my intercept-url constraints to make them more 'upgrade friendly'.
My app is using spring security for user authentication. When the user explicitly logs out, the app does a simple redirect to "/j_spring_security_logout" (as defined in spring security xml config).

That didn't work immediately. I eventually found the redirect was made to "/j_spring_security_logout.iface".

I was just wondering, who exactly is adding this extension? JSF? ICEfaces? Is it normal?

Code:
    <navigation-rule>
         <navigation-case>
             <from-outcome>logout</from-outcome>
             <!-- had to adopt extension because it is forced anyway -->
             <to-view-id>/j_spring_security_logout.iface</to-view-id>
             <redirect/>
         </navigation-case>
     </navigation-rule>
 


Thanks!
 
Profile for futhark77 -> Messages posted by futhark77 [55] Go to Page: Previous  1, 2, 3, 4 Next 
Go to:   
Powered by JForum 2.1.7ice © JForum Team