Develop Reference

Http Session is Null in AuthenticatedWebSession Wicket And Spring Security

Environment:
<wicket.version>7.7.0</wicket.version>
<spring.version>4.3.8.RELEASE</spring.version>
<springsecurity.version>4.2.3.RELEASE</springsecurity.version>
I have custom class from AuthenticatedWebSession like:
public class WicketSession extends AuthenticatedWebSession {
private static final Logger log = LoggerFactory.getLogger(WicketSession.class);
private static final long serialVersionUID = 1L;
private final HttpSession httpSession;
#SpringBean(name = "authenticationManager")
private AuthenticationManager authenticationManager;
public WicketSession(Request request) {
super(request);
this.httpSession = ((HttpServletRequest) request.getContainerRequest()).getSession();
log.debug("Got httpSession: {}", this.httpSession);
Injector.get().inject(this);
}
#Override
public boolean authenticate(String username, String password) {
try {
final Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
log.debug("Username '{}' is {} auth with authorities: {}",
username, auth.isAuthenticated(), auth.getAuthorities());
if (auth.isAuthenticated()) {
// the authentication object has to be stored in the SecurityContextHolder and in the HttpSession manually, so that the
// security context will be accessible in the next request
SecurityContextHolder.getContext().setAuthentication(auth);
httpSession.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
SecurityContextHolder.getContext());
return true;
} else {
return false;
}
} catch (AuthenticationException e) {
log.warn("Failed login attempt due to exception!", e);
return false;
}
}
}
Spring Security Config like:
#Configuration
#EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
public SpringSecurityConfig() {
super(false);
}
#Override
#Bean
public UserDetailsService userDetailsService() {
final InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("admin").password("admin").roles("ADMIN").build());
manager.createUser(User.withUsername("rudi").password("rudi").roles("USER").build());
return manager;
}
#Bean(name = "authenticationManager")
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/user/**").authenticated()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/**").permitAll()
.and().formLogin().loginPage("/login")
.and().addFilter(new SecurityContextPersistenceFilter()).securityContext();
}
}
Spring Application Config like:
#PropertySource({"classpath:/META-INF/rcommerce.properties"})
#Configuration
#EnableWebMvc
#EnableTransactionManagement
#Import({
SpringSecurityConfig.class})
public class AppConfig {
#Bean
public AuthenticatedWebApplication webApp() {
return new WicketApplication();
}
}
custom class from AbstractSecurityWebApplicationInitializer like:
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
public SecurityWebApplicationInitializer() {
super(SpringSecurityConfig.class);
}
}
web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>rcommerce</display-name>
<!-- WICKET FILTER-->
<filter>
<filter-name>wicket.rcommerce</filter-name>
<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
<init-param>
<param-name>applicationFactoryClassName</param-name>
<param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>
</init-param>
<init-param>
<param-name>applicationBean</param-name>
<param-value>webApp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>wicket.rcommerce</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- MDC FILTER -->
<filter>
<description>A servlet filter that inserts various values retrieved from the incoming http request into the MDC.</description>
<filter-name>MDCInsertingServletFilter</filter-name>
<filter-class>ch.qos.logback.classic.helpers.MDCInsertingServletFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>MDCInsertingServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>MoreMdcServletFilter</filter-name>
<filter-class>com.rudiwijaya.rcommerce.servlet.MoreMdcServletFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>MoreMdcServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- SPRING REST SERVLET-->
<servlet>
<servlet-name>spring-web</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextClass</param-name>
<param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</init-param>
<!-- <init-param> -->
<!-- use just the root WebApplicationContext -->
<!-- <param-name>contextConfigLocation</param-name> -->
<!-- <param-value>org.soluvas.sanad.app.ServletConfig</param-value> -->
<!-- <param-value></param-value> -->
<!-- </init-param> -->
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring-web</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<!-- SPRING REST FILTER-->
<filter>
<filter-name>httpPutFormFilter</filter-name>
<filter-class>org.springframework.web.filter.HttpPutFormContentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>httpPutFormFilter</filter-name>
<servlet-name>spring-web</servlet-name>
</filter-mapping>
<!-- The SpringWebApplicationFactory will need access to a Spring Application
context, configured like this... -->
<!-- SPRING CONFIG -->
<context-param>
<param-name>contextClass</param-name>
<param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>com.rudiwijaya.rcommerce.AppConfig</param-value>
</context-param>
<!-- LISTENERS -->
<listener>
<listener-class>ch.qos.logback.classic.selector.servlet.ContextDetachingSCL</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<!-- ERROR PAGE HANDLING -->
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
<!-- TIMEOUT -->
<session-config>
<session-timeout>120</session-timeout>
</session-config>
</web-app>
when I call session.signIn, got error like:
Root cause:
java.lang.NullPointerException
at com.rudiwijaya.rcommerce.WicketSession.authenticate(WicketSession.java:60)
at org.apache.wicket.authroles.authentication.AuthenticatedWebSession.signIn(AuthenticatedWebSession.java:66)
at com.rudiwijaya.rcommerce.pages.LoginButton.doAuthenticate(LoginButton.java:132)
at com.rudiwijaya.rcommerce.pages.LoginButton.onSubmit(LoginButton.java:165)
at org.apache.wicket.ajax.markup.html.form.AjaxButton$1.onSubmit(AjaxButton.java:113)
at org.apache.wicket.ajax.form.AjaxFormSubmitBehavior$AjaxFormSubmitter.onSubmit(AjaxFormSubmitBehavior.java:215)
at org.apache.wicket.markup.html.form.Form.delegateSubmit(Form.java:1307)
at org.apache.wicket.markup.html.form.Form.process(Form.java:976)
at org.apache.wicket.markup.html.form.Form.onFormSubmitted(Form.java:797)
at org.apache.wicket.ajax.form.AjaxFormSubmitBehavior.onEvent(AjaxFormSubmitBehavior.java:171)
at org.apache.wicket.ajax.AjaxEventBehavior.respond(AjaxEventBehavior.java:155)
at org.apache.wicket.ajax.AbstractDefaultAjaxBehavior.onRequest(AbstractDefaultAjaxBehavior.java:601)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.wicket.RequestListenerInterface.internalInvoke(RequestListenerInterface.java:258)
at org.apache.wicket.RequestListenerInterface.invoke(RequestListenerInterface.java:241)
at org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.invokeListener(ListenerInterfaceRequestHandler.java:248)
at org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.respond(ListenerInterfaceRequestHandler.java:234)
at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:895)
at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)
The error (it is httpSession is null) in line:
httpSession.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
SecurityContextHolder.getContext());
What should I do, please?

Do you have more than one web container nodes ? With session replication ?
As a general rule you should never keep a hard reference to the Http Session. Especially in Wicket applications! Because if WicketSession is serialized and then deserialized this member field will be null!
Better lookup the HttpSession whenever you need it, i.e. extract((HttpServletRequest) request.getContainerRequest()).getSession(); in a method and call it when you need the session in the methods' bodies.

redirect after authentication

After I integrated spring security into vaadin there of course appeared a need to redirect user after successfull authentication.
I integrated spring security using two servlets - one for vaadin and another - for spring security.
Here my web.xml
<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:/pmc-web-context.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<servlet>
<servlet-name>another-pmc-servlet</servlet-name>
<servlet-class>ru.xpoft.vaadin.SpringVaadinServlet</servlet-class>
<init-param>
<param-name>beanName</param-name>
<param-value>pmcVaadin</param-value>
</init-param>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value></param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>another-pmc-servlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<servlet>
<servlet-name>login-pmc-servlet</servlet-name>
<servlet-class>ru.xpoft.vaadin.SpringVaadinServlet</servlet-class>
<init-param>
<param-name>beanName</param-name>
<param-value>loginVaadin</param-value>
</init-param>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value></param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>login-pmc-servlet</servlet-name>
<url-pattern>/login/*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
My security context looks like this
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_USER"/>
<form-login login-page="/login/" default-target-url="/*" authentication-failure-url="/login/?login_error=true"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="pass" authorities="ROLE_USER"/>
<user name="admin" password="admin" authorities="ROLE_ADMIN, ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
On my loginUI(bean name loginVaadin) page there is a login form
public class LoginForm extends Window {
private TextField login;
private TextField password;
private Button enter;
private HorizontalLayout buttonLayout;
private FormLayout formLayout;
private Image facebookIcon;
#Override
public void attach() {
setCaption(StringValues.LOGIN_FORM_CAPTION);
setSizeUndefined();
setResizable(false);
setModal(true);
setContent(createLayout());
super.attach();
}
private FormLayout createLayout() {
login = new TextField("Login");
password = new TextField("Password");
enter = new Button("Enter(close)");
final LoginUi ui = (LoginUi) LoginUi.getCurrent();
enter.addClickListener(new ClickListener() {
#Override
public void buttonClick(ClickEvent event) {
String loginValue = login.getValue();
String passwordValue = password.getValue();
AuthenticationService authenticationService = ui.getAuthenticationService();
String result = authenticationService.authorize(loginValue, passwordValue);
if (StringUtils.isBlank(result)) {
LoginForm.this.close();
}
ui.getPage().setLocation("localhost:8080/pmc-web/");
}
});
buttonLayout = new HorizontalLayout();
String pathToFile = VaadinService.getCurrent().getBaseDirectory()
.getAbsolutePath() + "\\WEB-INF\\images\\facebook_icon.png";
FileResource resource = new FileResource(new File(pathToFile));
facebookIcon = new Image(null, resource);
facebookIcon.addClickListener(new MouseEvents.ClickListener() {
#Override
public void click(com.vaadin.event.MouseEvents.ClickEvent event) {
try {
ui.getPage().setLocation(ui.getAuthenticationService()
.redirect(ui.getProperty("oauth.application"), ui.getProperty("oauth.callback")));
} catch (Exception e) {
Notification.show(e.getMessage());
}
}
});
buttonLayout.addComponent(facebookIcon);
buttonLayout.addComponent(enter);
buttonLayout.setComponentAlignment(enter, Alignment.BOTTOM_LEFT);
formLayout = new FormLayout(login, password, buttonLayout);
formLayout.setComponentAlignment(buttonLayout, Alignment.BOTTOM_LEFT);
formLayout.setMargin(true);
return formLayout;
}
}
But how to make it redirect to required me vaadin page with all components(ui bean name pmcVaadin)? Because when I do like this - it's again being intercepted and it shows me loginform again.

First of all shorten and clean up your "createLayout" method. ;)
Try:
ui.getNavigator().navigateTo("pmc-web");

Programmatic Form Based Authentication

I am trying to perform the programmatic form based authentication and it seems that
My web.xml:
<web-app>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>confirmauthentication.xhtml</welcome-file>
</welcome-file-list>
<session-config>
<session-timeout>10</session-timeout>
</session-config>
<security-constraint>
<display-name>Authentication Ex Login</display-name>
<web-resource-collection>
<web-resource-name>SecuredArea</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>mysqldomain</realm-name>
<form-login-config>
<form-login-page>/authentication.xhtml</form-login-page>
<form-error-page>/error.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description/>
<role-name>*</role-name>
</security-role>
</web-app>
My jsf page called authentication.xhtml:
<h:form>
<h:panelGrid border="0" columns="2">
<h:outputText value="Username"/>
<h:inputText value="#{beanJSF.userName}" required="true" />
<h:outputText value="Password"/>
<h:inputSecret value="#{beanJSF.password}" required="true" />
<h:commandButton value="Log in" action="#{beanJSF.submit}">
<f:ajax execute="#form" render="#form" />
</h:commandButton>
<h:messages />
</h:panelGrid>
</h:form>
It seems that when I press the “Log in” button, the submit method is not called and I can’t figure out the reason. The server.log doesn’t display anything when I press the button (This message is not displayed “("I am in the login method!!!!!!!!...”).
My ManagedBean:
#URLMappings(mappings={
#URLMapping(id="success", pattern = "/authentication/", viewId = "/confirmauthentication.jsf")})
public class BeanJSF implements Serializable {
private String password;
private String userName;
// User is the Entity
private User loggedUser;
#EJB
UserEJB services;
public String submit() throws IOException {
System.out.println("I am in the login method!!!!!!!! " + getUserName()+ " " + getPassword());
FacesContext context = FacesContext.getCurrentInstance();
ExternalContext externalContext = context.getExternalContext();
HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
try {
request.login(userName, password);
User user = services.authenticationUser(userName, password);
this.setLoggedUser(user);
return "home?faces-redirect-true";
} catch (ServletException e) {
// Handle unknown username/password in request.login().
context.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,"Unknown login", null));
return null;
}
}
public void logout() throws IOException {
ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
externalContext.invalidateSession();
externalContext.redirect(externalContext.getRequestContextPath() + "/authentication.xhtml");
}
//+ setters and getters for username, password and loggedUser
}
And my EJB is:
#Stateless
public class UserEJB{
#PersistenceContext(unitName = "PyPersistenceUnit")
private EntityManager entityManager;
public UserEJB(){}
#TransactionAttribute(TransactionAttributeType.REQUIRED)
public User authenticationUser(String userName, String password){
try{
User user = entityManager.createNamedQuery(User.FIND_USER,User.class). setParameter("userName", userName).setParameter("password", password).getSingleResult();
return user;
}
catch(NonUniqueResultException ex){
ex.printStackTrace();
return null;
}
catch(NoResultException ex){
ex.printStackTrace();
return null;
}
}

Your bean is not managed by JSF and hence JSF is not able to find the bean anywhere.
Add the JSF bean management annotations to the class.
#ManagedBean
#RequestScoped
public class BeanJSF implements Serializable {
// ...
}

PreAuthentication with Spring Security -> Based on URL parameters

The customer want to have the following scenario:
Customer hands out link (webapp address) with 2 parameters to the webapp user. Based on these variables the user will take on specific roles in the webapp.
I don't want any authorization in it. There should only be the authentication check which looks at these url parameters and checks if they are valid and will connect the user to the appropriate role.
How can I realize this?! Is there already a solution available?
Thanks!
regards Matthias

I already solved the problem.
For those who are interested ....
web.xml
<!-- ===== SPRING CONFIG ===== -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>
applicationContext.xml
<context:component-scan base-package="at.beko.rainstar2" />
<tx:annotation-driven transaction-manager="transactionManager" />
applicationContext-security.xml
<!-- Configuring security not finished!! -->
<http create-session="never" use-expressions="true" auto-config="false"
entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
<intercept-url pattern="/authError.xhtml" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
<session-management session-fixation-protection="none" />
</http>
<beans:bean id="userDetailsServiceImpl"
class="at.beko.rainstar2.service.impl.UserDetailsServiceImpl" />
<beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
class="at.beko.rainstar2.model.LinkForbiddenEntryPoint" />
<beans:bean id="preAuthenticationProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService"
ref="userDetailsServiceImpl" />
</beans:bean>
<beans:bean id="preAuthFilter"
class="at.beko.rainstar2.service.filter.UrlParametersAuthenticationFilter">
<beans:property name="authenticationManager" ref="appControlAuthenticationManager" />
</beans:bean>
<authentication-manager alias="appControlAuthenticationManager">
<authentication-provider ref="preAuthenticationProvider" />
</authentication-manager>
LinkForbiddenEntryPoint.java
public class LinkForbiddenEntryPoint implements AuthenticationEntryPoint {
#Override
public void commence(HttpServletRequest request,
HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.sendRedirect("/rainstar2-webapp/authError.xhtml");
}
}
UrlParametersAuthenticationFilter.java
public class UrlParametersAuthenticationFilter extends
AbstractPreAuthenticatedProcessingFilter {
#Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
if (request.getParameterMap().size() == 2) {
return true;
}
return false;
}
#Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
String[] credentials = new String[2];
credentials[0] = request.getParameter("param1");
credentials[1] = request.getParameter("param2");
return credentials;
}
}
UserDetailsServiceImpl.java
#SuppressWarnings("deprecation")
public class UserDetailsServiceImpl implements
AuthenticationUserDetailsService<Authentication> {
#Override
public UserDetails loadUserDetails(Authentication token)
throws UsernameNotFoundException {
UserDetails userDetails = null;
String[] credentials = (String[]) token.getPrincipal();
boolean principal = Boolean.valueOf(token.getCredentials().toString());
if (credentials != null && principal == true) {
String name = credentials[0];
if ("admin".equalsIgnoreCase(name)) {
userDetails = getAdminUser(name);
} else if ("händler".equalsIgnoreCase(name)) {
userDetails = getRetailerUser(name);
} else if ("user".equalsIgnoreCase(name)) {
userDetails = getUserUser(name);
}
}
if (userDetails == null) {
throw new UsernameNotFoundException("Could not load user : "
+ token.getName());
}
return userDetails;
}
private UserDetails getAdminUser(String username) {
Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_RETAILER"));
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
return new User(username, "notused", true, true, true, true,
grantedAuthorities);
}
private UserDetails getRetailerUser(String username) {
Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_RETAILER"));
return new User(username, "notused", true, true, true, true,
grantedAuthorities);
}
private UserDetails getUserUser(String username) {
Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
return new User(username, "notused", true, true, true, true,
grantedAuthorities);
}
}

The way I have resolved this with similar situations is to to use a servlet filter to grab the parameters. I would recommend extending the org.springframework.web.filter.GenericFilterBean.
From these parameters, create an auth object of some sort (such as a token), that can be passed into the AuthenticationManager which you can autowire in (or get in some other method).
You will then need to have an AuthenticationProvider that can handle your auth object and generate a UserDetails object with the GrantedAuthority collection you need to satisfy the specific roles you want the user to have.

JSF 2.0 + Spring Security 2.x

I using JSF 2.0 + Icefaces 2.0 and try to implement spring security 2.06 (not 3.x due to compatible problems with Icefaces 2.0).
I follow this guide (I think it is for JSF 1.x and Icefaces 1.8):
http://facestutorials.icefaces.org/tutorial/spring-security-basic.html
But I have problem to integrate the spring framework. I have added these lines to web.xml:
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Then I have a file, applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
<security:http auto-config="true" access-denied-page="/pages/accessDenied.xhtml">
<security:intercept-url pattern="/secured/**" access="ROLE_ALLACCESS, ROLE_URLACCESS"/>
<security:form-login login-page="/pages/springSecurityLogin.xhtml"
default-target-url="/secured/welcome.xhtml"/>
<security:logout logout-success-url="/pages/logoutSuccess.xhtml"/>
</security:http>
<security:authentication-provider user-service-ref="userDetailsService"/>
<bean id="userDetailsService" class="security.UserDetailsServiceImpl">
<constructor-arg ref="userRepository"/>
</bean>
<bean id="userRepository" class="security.UserDaoImpl"/>
</beans>
The userDetailsService class is implemented according to:
package security;
import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;
public class UserDetailsServiceImpl implements UserDetailsService {
private UserDAO userDAO;
public UserDetailsServiceImpl(UserDAO userDAO) {
this.userDAO = userDAO;
}
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
AppUser user = userDAO.findUser(username);
if (user == null)
throw new UsernameNotFoundException("User not found: " + username);
else {
return makeUser(user);
}
}
private org.springframework.security.userdetails.User makeUser(AppUser user) {
return new org.springframework.security.userdetails.User(user.getLogin(), user
.getPassword(), true, true, true, true,
makeGrantedAuthorities(user));
}
private GrantedAuthority[] makeGrantedAuthorities(AppUser user) {
GrantedAuthority[] result = new GrantedAuthority[user.getRoles().size()];
int i = 0;
for (String role : user.getRoles()) {
result[i++] = new GrantedAuthorityImpl(role);
}
return result;
}
}
I also has a login bean:
package web.bean.security;
import org.springframework.security.ui.AbstractProcessingFilter;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.context.FacesContext;
import javax.faces.event.ActionEvent;
#ManagedBean(name="login")
public class Login {
// properties
private String userId;
private String password;
/**
* default empty constructor
*/
public Login() {
Exception ex = (Exception) FacesContext
.getCurrentInstance()
.getExternalContext()
.getSessionMap()
.get(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY);
if (ex != null)
FacesContext.getCurrentInstance().addMessage(
null,
new FacesMessage(FacesMessage.SEVERITY_ERROR, ex
.getMessage(), ex.getMessage()));
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getUserId() {
return userId;
}
public void setUserId(String userId) {
this.userId = userId;
}
public void login(ActionEvent e) throws java.io.IOException {
FacesContext.getCurrentInstance().getExternalContext().redirect("/spring-authentication/j_spring_security_check?j_username=" + userId + "&j_password=" + password);
}
}
The problem is when I running a jsf file which using the login bean:
The requested resource () is not available.
I'm using Tomcat 7.
Can you please help me?
Best Regards /kungcc

I think you need to add the webapplication name before the /j_spring_security_check
like /WebAppName/j_spring_security_check that will aply the spring on all what comes after /webAppName

Does omitting /spring-authentication in the login() method of login bean help?
public void login(ActionEvent e) throws java.io.IOException {
FacesContext.getCurrentInstance().getExternalContext().redirect("/j_spring_security_check?j_username=" + userId + "&j_password=" + password);
}