Develop Reference

Configure Spring Security SAML to use SHA-256 as secure hash algorithm

I'm working on an integration between Spring SAML and Microsoft ADFS 3.0. Even it is already stated in the documentation of Spring SAML as:
Open the provider by double-clicking it, select tab Advanced and change
"Secure hash algorithm" to SHA-1
that I understand that Spring SAML supports currently only SHA-1 as hash algorithm, but my requirement is using SHA-256. If I try configure only in ADFS for SHA-256, it doesn't work. I suppose that I have to do something with Spring SAML. Do you have any idea how to do so?

You should configured the Spring security configuration to use SHA-256 signature algorithm.
You could either override the SAMLBootstrap or configure a initializing bean like this:
Spring configuration:
<bean id="samlProperties" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location" value="classpath:saml.properties" />
</bean>
<bean class="your.package.SAMLConfigurationBean">
<property name="signatureAlgorithm" value="${saml.signatureAlgorithm:SHA1}" />
</bean>
properties file (saml.properties):
saml.signatureAlgorithm=SHA256
Initializing bean:
package your.package;
import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.factory.InitializingBean;
public class SAMLConfigurationBean implements InitializingBean {
private String signatureAlgorithm ;
private String digestAlgorithm;
public void setSignatureAlgorithm(String algorithm) {
switch (algorithm) {
case "SHA256" :
signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA256;
break;
case "SHA512" :
signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512;
digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA512;
break;
default:
signatureAlgorithm = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
digestAlgorithm = SignatureConstants.ALGO_ID_DIGEST_SHA1;
}
}
#Override
public void afterPropertiesSet() throws Exception {
BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
config.registerSignatureAlgorithmURI("RSA", signatureAlgorithm);
config.setSignatureReferenceDigestMethod(digestAlgorithm);
}
}
You could also skip the configurable part and just settle for this:
Initializing bean:
package your.package;
import org.opensaml.Configuration;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.signature.SignatureConstants;
import org.springframework.beans.factory.InitializingBean;
public class SAMLConfigurationBean implements InitializingBean {
#Override
public void afterPropertiesSet() throws Exception {
BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
}
}

I recommend to refer to this GitHub example project: https://github.com/choonchernlim/spring-security-adfs-saml2
which provides ADFS dedicated configuration information and details how to enable SHA-256 signature.

#PreAuthorization annotation with custom method doesn't work

I'm trying to call a custom method using Spring #PreAuthorize at the method level in the service layer, but my custom method is not being called. My code:
spring-application-context.xml:
<context:component-scan base-package="com.dice" />
<sec:global-method-security pre-post-annotations="enabled"/>
Component definition:
#Component(value="authorizationService")
public class AuthorizationService implements AuthorizationServiceInt {
public boolean test(String key) {
logger.debug("AUTHORIZATION CALLED: " + key);
return false;
}
}
Controller that calls the util class:
#InjectParam
CustomerUtil customerUtil;
#GET
#Path("/{customerId}/")
#Produces(MediaType.APPLICATION_JSON)
public Response getCustomerInfo(#PathParam("customerId") Integer customerId,
#DefaultValue("") #QueryParam("fields") String partialResponseFields) {
logger.debug("getCustomerInfo called: id: " + customerId + ", uriInfo = " + uriInfo.getPath());
try {
return buildOKResourceResponse(new CustomerActionResource(customerUtil.getCustomerInfo(uriInfo, customerId)),partialResponseFields);
Usage of the component:
#InjectParam
AuthorizationService svc;
#PreAuthorize("#authorizationService.test('special')")
public Customer getCustomerInfo(UriInfo uriInfo, Integer id) {
logger.debug("svc: " + svc.hasPermission("x"));
return populateCustomerInfo(uriInfo, PstUserModelServiceUtil.getPstUserModelByPstUserId(id));
}
I included the InjectParam just to make sure that the AuthorizationService class was being recognized by Spring. And sure enough, the 'AUTHORIZATION CALLED' debug statement appears when I call via the injected class, but does not appear when called via the #PreAuthorization call.
My spring jars:
spring-aop-3.2.0.RELEASE.jar
spring-beans-3.2.0.RELEASE.jar
spring-context-3.2.0.RELEASE.jar
spring-context-support-3.2.2.RELEASE.jar
spring-core-3.2.0.RELEASE.jar
spring-data-commons-1.5.0.RELEASE.jar
spring-data-solr-1.0.0.RELEASE.jar
spring-expression-3.2.0.RELEASE.jar
spring-jdbc-3.2.0.RELEASE.jar
spring-orm-3.2.0.RELEASE.jar
spring-security-acl-3.1.4.RELEASE.jar
spring-security-config-3.1.4.RELEASE.jar
spring-security-core-3.1.4.RELEASE.jar
spring-security-oauth2-1.1.0.BUILD-SNAPSHOT.jar
spring-security-taglibs-3.1.4.RELEASE.jar
spring-security-web-3.1.4.RELEASE.jar
spring-tx-3.2.0.RELEASE.jar
spring-web-3.2.2.RELEASE.jar
spring-webmvc-3.2.2.RELEASE.jar
What am I doing wrong? I have interfaces on both the component class and the class using the component as I read that with aop, the fact that Spring decorates the impl class that an interface is needed for spring to see the underlying implementation.

Spring Security works by creating a proxy of the class that is annotated with the security annotation (i.e. #PreAuthorize). In order for it to be proxied, the class that has the security annotation must be created by Spring and any invocations must be made on the instance created by Spring.
Verify that the class with public Customer getCustomerInfo is created by Spring and not in some other way.

#PreAuthorize: reference property in implementing class

I have service interface
public interface CompoundService<T extends Compound> {
T getById(final Long id);
//...
}
and abstract implementation
public abstract class CompoundServiceImpl<T extends Compound>
implements CompoundService<T> {
//...
private Class<T> compoundClass;
//...
}
Every implementation of Compound requires it's own service interface which extends CompoundService and it's own service class which extends CompoundServiceImpl.
I would now like to add basic security uisng annotations to my methods in CompoundService. As far as I understood I must add them in the interface not the actual implementation. Since a user can have different roles for different implementations of Compound, i must take this into account. Meaning in #PreAuthorize I would like to get the name of the Compound implementation, eg. compoundClass.getSimpleName(). So that I get something like:
public interface CompoundService<T extends Compound> {
#PreAuthorize("hasRole('read_' + #root.this.compoundClass.getSimpleName())")
T getById(final Long id);
//...
}
This is basically what is mentioned here:
https://jira.springsource.org/browse/SEC-1640
however there is no example and I did not really get the solution. So should i use this? or as above #root.this?
My second question is, since this is in an interface which will be implemented by a proxy (from spring) will the experession this.compoundClass actually evaluate properly?
And last but not least how can I actually test this?*
*
I'm not actually creating a finished application but something configurable, like a framework for s specific type of database search. Meaning most authorization and authentication stuff has to come from the implementer.

Unit Testing
see http://www.lancegleason.com/blog/2009/12/07/unit-testing-spring-security-with-annotations
Since that is an old tutorial you might need to change the referenced schema versions. But more importantly the SecurityContext.xml configuration shown there does not work with Spring Security 3. See Spring Security - multiple authentication-providers for a proper configuration.
I did not require the mentioned dependencies:
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core-tiger</artifactId>
</dependency>
it worked without them (however did not create an abstract test class)
root.this
This is in fact correct approach
The problem is that you can't use getSimpleName() of a class parameter. For an in-depth discussion see http://forum.springsource.org/showthread.php?98570-Getting-Payload-Classname-in-Header-Enricher-via-SpEL
The workarounds shown there did not help me much. So I came up with this very simple solution:
Just add the string property String compoundClassSimpleName to CompoundServiceImpl and set it in the constructor (which is called by subclasses):
Public abstract class CompoundServiceImpl<T extends Compound>
implements CompoundService<T> {
private String compoundClassSimpleName;
//...
public ChemicalCompoundServiceImpl(Class<T> compoundClass) {
this.compoundClass = compoundClass;
this.compoundClassSimpleName = compoundClass.getSimpleName();
}
//...
public String getCompoundClassSimpleName(){
return compoundClassSimpleName;
}
}
and her a Service implementing above abstract service:
public class TestCompoundServiceImpl extends CompoundServiceImpl<TestCompound>
implements TestCompoundService {
//...
public TestCompoundServiceImpl() {
super(TestCompound.class);
}
//...
}
And final the #PreAuthorize annotation usage:
public interface CompoundService<T extends Compound> {
#PreAuthorize("hasRole('read_' + #root.this.getCompoundClassSimpleName())")
public T getById(final Long id);
}
For above example the expression will evaluate to a role named "read_TestCompound".
Done!
As often the solution is very simple but getting there is a PITA...
EDIT:
for completeness the test class:
#RunWith(SpringJUnit4ClassRunner.class)
#ContextConfiguration(locations = {
"classpath:ApplicationContext.xml",
"classpath:SecurityContext.xml"
})
public class CompoundServiceSecurityTest {
#Autowired
#Qualifier("testCompoundService")
private TestCompoundService testCompoundService;
public CompoundServiceSecurityTest() {
}
#Before
public void setUp() {
SecurityContextHolder.getContext().setAuthentication(
new UsernamePasswordAuthenticationToken("user_test", "pass1"));
}
#Test
public void testGetById() {
System.out.println("getById");
Long id = 1000L;
TestCompound expResult = new TestCompound(id, "Test Compound");
TestCompound result = testCompoundService.getById(id);
assertEquals(expResult, result);
}
}

Lazy/Eager loading/fetching in Neo4j/Spring-Data

I have a simple setup and encountered a puzzling (at least for me) problem:
I have three pojos which are related to each other:
#NodeEntity
public class Unit {
#GraphId Long nodeId;
#Indexed int type;
String description;
}
#NodeEntity
public class User {
#GraphId Long nodeId;
#RelatedTo(type="user", direction = Direction.INCOMING)
#Fetch private Iterable<Worker> worker;
#Fetch Unit currentUnit;
String name;
}
#NodeEntity
public class Worker {
#GraphId Long nodeId;
#Fetch User user;
#Fetch Unit unit;
String description;
}
So you have User-Worker-Unit with a "currentunit" which marks in user that allows to jump directly to the "current unit". Each User can have multiple workers, but one worker is only assigned to one unit (one unit can have multiple workers).
What I was wondering is how to control the #Fetch annotation on "User.worker". I actually want this to be laoded only when needed, because most of the time I only work with "Worker".
I went through http://static.springsource.org/spring-data/data-neo4j/docs/2.0.0.RELEASE/reference/html/ and it isn't really clear to me:
worker is iterable because it should be read only (incoming relation) - in the documentation this is stated clarly, but in the examples ''Set'' is used most of the time. Why? or doesn't it matter...
How do I get worker to only load on access? (lazy loading)
Why do I need to annotate even the simple relations (worker.unit) with #Fetch. Isn't there a better way? I have another entity with MANY such simple relations - I really want to avoid having to load the entire graph just because i want to the properties of one object.
Am I missing a spring configuration so it works with lazy loading?
Is there any way to load any relationships (which are not marked as #Fetch) via an extra call?
From how I see it, this construct loads the whole database as soon as I want a Worker, even if I don't care about the User most of the time.
The only workaround I found is to use repository and manually load the entities when needed.
------- Update -------
I have been working with neo4j quite some time now and found a solution for the above problem that does not require calling fetch all the time (and thus does not load the whole graph). Only downside: it is a runtime aspect:
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.mapping.model.MappingException;
import org.springframework.data.neo4j.annotation.NodeEntity;
import org.springframework.data.neo4j.support.Neo4jTemplate;
import my.modelUtils.BaseObject;
#Aspect
public class Neo4jFetchAspect {
// thew neo4j template - make sure to fill it
#Autowired private Neo4jTemplate template;
#Around("modelGetter()")
public Object autoFetch(ProceedingJoinPoint pjp) throws Throwable {
Object o = pjp.proceed();
if(o != null) {
if(o.getClass().isAnnotationPresent(NodeEntity.class)) {
if(o instanceof BaseObject<?>) {
BaseObject<?> bo = (BaseObject<?>)o;
if(bo.getId() != null && !bo.isFetched()) {
return template.fetch(o);
}
return o;
}
try {
return template.fetch(o);
} catch(MappingException me) {
me.printStackTrace();
}
}
}
return o;
}
#Pointcut("execution(public my.model.package.*.get*())")
public void modelGetter() {}
}
You just have to adapt the classpath on which the aspect should be applied: my.model.package..get())")
I apply the aspect to ALL get methods on my model classes. This requires a few prerequesites:
You MUST use getters in your model classes (the aspect does not work on public attributes - which you shouldn't use anyways)
all model classes are in the same package (so you need to adapt the code a little) - I guess you could adapt the filter
aspectj as a runtime component is required (a little tricky when you use tomcat) - but it works :)
ALL model classes must implement the BaseObject interface which provides:
public interface BaseObject {
public boolean isFetched();
}
This prevents double-fetching. I just check for a subclass or attribute that is mandatory (i.e. the name or something else except nodeId) to see if it is actually fetched. Neo4j will create an object but only fill the nodeId and leave everything else untouched (so everything else is NULL).
i.e.
#NodeEntity
public class User implements BaseObject{
#GraphId
private Long nodeId;
String username = null;
#Override
public boolean isFetched() {
return username != null;
}
}
If someone finds a way to do this without that weird workaround please add your solution :) because this one works, but I would love one without aspectj.
Base object design that doenst require a custom field check
One optimization would be to create a base-class instead of an interface that actually uses a Boolean field (Boolean loaded) and checks on that (so you dont need to worry about manual checking)
public abstract class BaseObject {
private Boolean loaded;
public boolean isFetched() {
return loaded != null;
}
/**
* getLoaded will always return true (is read when saving the object)
*/
public Boolean getLoaded() {
return true;
}
/**
* setLoaded is called when loading from neo4j
*/
public void setLoaded(Boolean val) {
this.loaded = val;
}
}
This works because when saving the object "true" is returned for loaded. When the aspect looks at the object it uses isFetched() which - when the object is not yet retrieved will return null. Once the object is retrieved setLoaded is called and the loaded variable set to true.
How to prevent jackson from triggering the lazy loading?
(As an answer to the question in the comment - note that I didnt try it out yet since I did not have this issue).
With jackson I suggest to use a custom serializer (see i.e. http://www.baeldung.com/jackson-custom-serialization ). This allows you to check the entity before getting the values. You simply do a check if it is already fetched and either go on with the whole serialization or just use the id:
public class ItemSerializer extends JsonSerializer<BaseObject> {
#Override
public void serialize(BaseObject value, JsonGenerator jgen, SerializerProvider provider)
throws IOException, JsonProcessingException {
// serialize the whole object
if(value.isFetched()) {
super.serialize(value, jgen, provider);
return;
}
// only serialize the id
jgen.writeStartObject();
jgen.writeNumberField("id", value.nodeId);
jgen.writeEndObject();
}
}
Spring Configuration
This is a sample Spring configuration I use - you need to adjust the packages to your project:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:neo4j="http://www.springframework.org/schema/data/neo4j"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/data/neo4j http://www.springframework.org/schema/data/neo4j/spring-neo4j-2.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd">
<context:annotation-config/>
<context:spring-configured/>
<neo4j:repositories base-package="my.dao"/> <!-- repositories = dao -->
<context:component-scan base-package="my.controller">
<context:exclude-filter type="annotation" expression="org.springframework.stereotype.Controller"/> <!-- that would be our services -->
</context:component-scan>
<tx:annotation-driven mode="aspectj" transaction-manager="neo4jTransactionManager"/>
<bean class="corinis.util.aspects.Neo4jFetchAspect" factory-method="aspectOf"/>
</beans>
AOP config
this is the /META-INF/aop.xml for this to work:
<!DOCTYPE aspectj PUBLIC
"-//AspectJ//DTD//EN" "http://www.eclipse.org/aspectj/dtd/aspectj.dtd">
<aspectj>
<weaver>
<!-- only weave classes in our application-specific packages -->
<include within="my.model.*" />
</weaver>
<aspects>
<!-- weave in just this aspect -->
<aspect name="my.util.aspects.Neo4jFetchAspect" />
</aspects>
</aspectj>

Found the answer to all the questions myself:
#Iterable: yes, iterable can be used for readonly
#load on access: per default nothing is loaded. and automatic lazy loading is not available (at least as far as I can gather)
For the rest:
When I need a relationship I either have to use #Fetch or use the neo4jtemplate.fetch method:
#NodeEntity
public class User {
#GraphId Long nodeId;
#RelatedTo(type="user", direction = Direction.INCOMING)
private Iterable<Worker> worker;
#Fetch Unit currentUnit;
String name;
}
class GetService {
#Autowired private Neo4jTemplate template;
public void doSomethingFunction() {
User u = ....;
// worker is not avaiable here
template.fetch(u.worker);
// do something with the worker
}
}

Not transparent, but still lazy fetching.
template.fetch(person.getDirectReports());
And #Fetch does the eager fetching as was already stated in your answer.

I like the aspect approach to work around the limitation of the current spring-data way to handle lazy loading.
#niko - I have put your code sample in a basic maven project and tried to get that solution to work with little success:
https://github.com/samuel-kerrien/neo4j-aspect-auto-fetching
For some reasons the Aspect is initialising but the advice doesn't seem to get executed. To reproduce the issue, just run the following JUnit test:
playground.neo4j.domain.UserTest

Localizing enum values in resource bundle

I have a problem with i18n enums in my JSF application. When I started, I had enums with the text defined inside. But now, I have keys tied to message bundles in the enum.
Example one of my enums:
public enum OrderStatus implements CustomEnum {
PENDING("enum.orderstatus.pending"),
CANCELED("enum.orderstatus.canceled");
/**
* key in message bundle
*/
private String name;
OrderStatus(String name) {
this.name = name;
}
#Override
public String getName() {
return name;
}
}
In the view layer, I use something like:
<!-- input -->
<h:selectOneMenu value="#{order.status}">
<f:selectItems value="#{flowUtils.orderStatuses}"/>
</h:selectOneMenu>
<!-- output -->
<h:outputText value="#{order.status}"/>
and in Java:
public class FlowUtils {
public List<SelectItem> getOrderStatuses() {
ArrayList<SelectItem> l = new ArrayList<SelectItem>();
for(OrderStatus c: OrderStatus.values()) {
// before i18n
// l.add(new SelectItem(c, c.getName()));
// after i18n
l.add(new SelectItem(c, FacesUtil.getMessageValue(c.getName())));
}
return l;
}
}
public class FacesUtil {
public static String getMessageValue(String name) {
FacesContext context = FacesContext.getCurrentInstance();
return context.getApplication().getResourceBundle(context, "m").getString(name);
}
}
It worked well, but when I needed to output #{order.status}, I needed to convert it.
So I implemented a converter, but got in trouble with conversion of String to Object in the getAsObject() method.
web.xml:
<converter>
<converter-for-class>model.helpers.OrderStatus</converter-for-class>
<converter-class>model.helpers.EnumTypeConverter</converter-class>
</converter>
Java:
public class EnumTypeConverter implements Converter {
#Override
public Object getAsObject(FacesContext context, UIComponent comp,
String value) throws ConverterException {
// value = localized value :(
Class enumType = comp.getValueBinding("value").getType(context);
return Enum.valueOf(enumType, value);
}
#Override
public String getAsString(FacesContext context, UIComponent component,
Object object) throws ConverterException {
if (object == null) {
return null;
}
CustomEnum type = (CustomEnum) object;
ResourceBundle messages = context.getApplication().getResourceBundle(context, "m");
String text = messages.getString(type.getName());
return text;
}
}
I'm entangled now with that. Anybody know how to internationalize multiple Enums efficiently?

The value which is passed through the converter is not the option label as you seem to expect, but the option value. The best practice is to not do this in the model side, but in the view side, because the model shouldn't need to be i18n aware.
As to the approach, you're basically unnecessarily overcomplicating things. Since JSF 1.2 there's a builtin EnumConverter which will kick in automatically and since JSF 2.0 you can iterate over a generic array or List in f:selectItems by the new var attribute without the need to duplicate the values over a List<SelectItem> in the model.
Here's how the bean can look like:
public class Bean {
private OrderStatus orderStatus;
private OrderStatus[] orderStatuses = OrderStatus.values();
// ...
}
And here's how the view can look like (assuming that msg refers to the <var> as you've definied in <resource-bundle> in faces-config.xml):
<h:selectOneMenu value="#{bean.orderStatus}">
<f:selectItems value="#{bean.orderStatuses}" var="orderStatus"
itemValue="#{orderStatus}" itemLabel="#{msg[orderStatus.name]}" />
</h:selectOneMenu>
That's all.
Unrelated to the problem, you've typos in the enum name and message keys, it should be:
PENDING("enum.orderstatus.pending"),
CANCELLED("enum.orderstatus.cancelled");
And, more clean would be to keep the bundle keys out the enum and use enum itself as part of bundle key. E.g.
PENDING,
CANCELLED;
<h:selectOneMenu value="#{bean.orderStatus}">
<f:selectItems value="#{bean.orderStatuses}" var="orderStatus"
itemValue="#{orderStatus}" itemLabel="#{msg['enum.orderstatus.' += orderStatus]}" />
</h:selectOneMenu>
enum.orderstatus.PENDING = Pending
enum.orderstatus.CANCELLED = Cancelled

I have posted my solution here: Internationalization of multiple enums (translation of enum values) - but still hoping for further enhancement.
EDIT: with the help of #Joop Eggen, we have come up with a really cool solution:
EDIT again: complete and ready-to-use solution:
Make a class
public final class EnumTranslator {
public static String getMessageKey(Enum<?> e) {
return e.getClass().getSimpleName() + '.' + e.name();
}
}
Make it a custom EL function
<?xml version="1.0" encoding="UTF-8"?>
<facelet-taglib
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facelettaglibrary_2_0.xsd"
version="2.0">
<namespace>http://example.com/enumi18n</namespace>
<function>
<function-name>xlate</function-name>
<function-class>your.package.EnumTranslator</function-class>
<function-signature>String getMessageKey(java.lang.Enum)</function-signature>
</function>
</facelet-taglib>
Add the taglib to your web.xml
<context-param>
<param-name>javax.faces.FACELETS_LIBRARIES</param-name>
<param-value>/WEB-INF/enumi18n.taglib.xml</param-value>
</context-param>
Have properties files enum_en.properties and enum_yourlanguage.properties like this
TransferStatus.NOT_TRANSFERRED = Not transferred
TransferStatus.TRANSFERRED = Transferred
Add the properties files as resource bundles to your faces-config.xml
<resource-bundle>
<base-name>kk.os.obj.jsf.i18n.enum</base-name>
<var>enum</var>
</resource-bundle>
Add the custom taglib to your xhtml files
<html ... xmlns:l="http://example.com/enumi18n">
And - voilà - you can now access the translated enum values in jsf:
<h:outputText value="#{enum[l:xlate(order.transferStatus)]}" />

Well, enum is just another class. There is nothing stopping you from adding parsing and to-string conversion methods that will parse and output locale-sensitive messages.
Maybe it violates Single Responsible Principle (does it?), but I believe making enum responsible for parsing and returning locale-aware values is the right thing to do.
Just add two methods like this:
public String toString(FacesContext context) {
// need to modify the method
FacesUtil.getMessageValue(context, name);
}
public OrderStatus parse(FacesContext context, String theName) {
for (OrderStatus value : values()) {
if (value.toString(context).equals(theName) {
return value;
}
}
// think of something better
return null;
}
I hope I got the code right, as I am not checking it with IDE now... Is this what you were looking for?

I calculate the message key in the enum like as shown below; so no need to maintain the keys with additional attributes on the enum
public String getMessageKey() {
return String.format("enum_%s_%s", this.getClass().getSimpleName(),
this.name());
}
Then I use it like this
<p:selectOneMenu id="type"
value="#{xyzBean.type}" required="true">
<f:selectItems
value="#{xyzBean.possibleTypes}"
var="type" itemLabel="#{msg[type.messageKey]}">
</f:selectItems>
</p:selectOneMenu>
with having configured a org.springframework.context.support.ReloadableResourceBundleMessageSource in the app context
<bean id="msg"
class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="/resources/locale/messages" />
<property name="useCodeAsDefaultMessage" value="true" />
<property name="cacheSeconds" value="1" />
</bean>

In case anyone is looking for a simple utility library to handle enum internationalization, please take a look at https://github.com/thiagowolff/litefaces-enum-i18n
The artifact is also available in Maven Central:
<dependency>
<groupId>br.com.litecode</groupId>
<artifactId>litefaces-enum-i18n</artifactId>
<version>1.0.1</version>
</dependency>
Basically, you just need to add the artifact to your project and define the enum respective keys following the described enum naming conventions. The translations (and also CSS class names) can be retrieved using the provided EL functions.