I have a project where Spring is used with JSF (using PrimeFaces). Up until now we have used xml configuration for Spring Security, but I have been tasked with porting it to java based configuration.
I have now went from the xml config in applicationContext.xml :
<!-- Security Config -->
<security:http security="none" pattern="/javax.faces.resource/**"/>
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/login.xhtml" access="permitAll"/>
<security:intercept-url pattern="/**" access="permitAll"/>
<security:form-login login-page="/login.xhtml"
login-processing-url="/do_login"
authentication-failure-url="/login.xhtml"
authentication-success-handler-ref="authSuccessHandler"
username-parameter="email"
password-parameter="password"/>
<security:logout logout-success-url="/login.xhtml"
logout-url="/do_logout"
delete-cookies="JSESSIONID"/>
</security:http>
<bean id="userDetails" class="com.madmob.madmoney.security.UserDetailsServiceImpl"></bean>
<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<constructor-arg name="strength" value="10" />
</bean>
<bean id="authSuccessHandler" class="com.madmob.madmoney.security.UserAuthenticationSuccessHandler"></bean>
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetails">
<security:password-encoder ref="encoder" />
</security:authentication-provider>
</security:authentication-manager>
and the following from web.xml :
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
To the following java based configuration :
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserAuthenticationSuccessHandler authSuccessHandler;
@Autowired
DataSource dataSource;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
auth.jdbcAuthentication().usersByUsernameQuery("SELECT email, passowrd, enabled FROM app_user WHERE email = ?")
.authoritiesByUsernameQuery("SELECT role_name FROM role WHERE role_id = (SELECT role_id FROM user_role WHERE email = ?)")
.dataSource(dataSource).passwordEncoder(new BCryptPasswordEncoder(10));
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/javax.faces.resource/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().anyRequest().authenticated()
.and()
.formLogin().loginPage("/login.xhtml").loginProcessingUrl("/do_login")
.failureUrl("/login.xhtml").successHandler(authSuccessHandler)
.usernameParameter("email").passwordParameter("password").permitAll()
.and()
.logout().logoutSuccessUrl("/login.xhtml").logoutUrl("/do_logout")
.deleteCookies("JSESSIONID");
// temp user add form
// TODO remove
http.antMatcher("/userForm.xhtml").authorizeRequests().anyRequest().permitAll();
}
}
and
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
protected EnumSet<DispatcherType> getSecurityDispatcherTypes() {
return EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC, DispatcherType.FORWARD);
}
}
Login worked fine on the xml based configuration, but since switching if I try to login Tomcat returns 404 with : The requested resource is not available.
All pages are also accessible regardless of logged in or not.
Below is my login form :
<h:form id="loginForm" prependId="false" styleClass="panel-body">
<div>
<p:inputText id="email" required="true" label="email"
value="#{loginBean.email}" styleClass="form-control f-75"
placeholder="Email Address"></p:inputText>
<h:message for="email" styleClass="validationMsg"/>
</div>
<div class="spacer"/>
<div>
<p:password id="password" required="true" label="password"
value="#{loginBean.password}" placeholder="Password"></p:password>
<h:message for="password" styleClass="validationMsg"/>
<h:messages globalOnly="true" styleClass="validationMsg" />
</div>
<div class="spacer"/>
<p:commandButton id="login" value="Log in"
actionListener="#{loginBean.login}" ajax="false"/>
</h:form>
and the login method in my backing bean :
/**
* Forwards login parameters to Spring Security
*/
public void login(ActionEvent loginEvt){
// setup external context
logger.info("Starting login");
ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
// setup dispatcher for spring security
logger.info("Setup dispatcher");
RequestDispatcher dispatcher = ((ServletRequest) context.getRequest())
.getRequestDispatcher("/do_login");
try {
// forward request
logger.info("Forwarding request to spring security");
dispatcher.forward((ServletRequest) context.getRequest(),
(ServletResponse) context.getResponse());
} catch (ServletException sEx) {
logger.error("The servlet has encountered a problem", sEx);
} catch (IOException ioEx) {
logger.error("An I/O error has occured", ioEx);
} catch (Exception ex) {
logger.error("An error has occured", ex);
}
// finish response
FacesContext.getCurrentInstance().responseComplete();
}
This is running on Java 1.8, Tomcat 7, Spring and Spring Security 3.2.5, JSF 2.1, Primefaces 5
Things I have tried since encountering the problem :
SpringSecurityInitializer since initially I only used SecurityConfig. j_spring_security_check), by not specifying the processing url and forwarding to that instead.getSecurityDispatcherTypes method to SpringSecurityInitializer to match the config from web.xmlI found the issue. The problem lies with :
http.antMatcher("/userForm.xhtml").authorizeRequests().anyRequest().permitAll();
This was just purely incorrect chaining of the methods on my part by the looks of it. I don't really understand why it caused the issue with login processing url not being found instead of just unexpected access behavior, but I changed that entire snippet of the method to look as follows :
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().antMatchers("/userForm.xhtml").permitAll() //TODO remove temp user add form
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login.xhtml").loginProcessingUrl("/do_login")
.failureUrl("/login.xhtml").successHandler(authSuccessHandler)
.usernameParameter("email").passwordParameter("password").permitAll()
.and()
.logout().logoutSuccessUrl("/login.xhtml").logoutUrl("/do_logout")
.deleteCookies("JSESSIONID");
}
This of course also makes a lot more sense, but I primarily separated them initially because as the comment specifies, the userForm.xhtml is temporary.