My project is JSF with Spring Security.
I logged in successfully with Spring Security and was redirected to my home page, but the user is still anonymous. I use the security tags and they do not work. My UserDetailsService class:
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UsuarioDetails usuario = userMapper.findByUsername(username);
        if (Objects.isNull(usuario)) throw new UsernameNotFoundException(username);
        return usuario;
    }
and
    protected void configure(HttpSecurity http) {
        try {
            List<Transacao> transacoes = transacaoDao.findAll();
            http.csrf().disable();
            http.authorizeRequests().antMatchers("/", "/index.xhtml", "/javax.faces.resource/**").permitAll();
            http.authorizeRequests().anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/template/login.xhtml").usernameParameter("username").passwordParameter("password")
                .permitAll()
                .failureUrl("/template/login.jsf?error=true").defaultSuccessUrl("/index.xhtml")
                .and().exceptionHandling().accessDeniedPage("/403.xhtml")
                .and().logout().logoutSuccessUrl("/login.xhtml").invalidateHttpSession(true).deleteCookies("JSESSIONID")
                .and().httpBasic()
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            for (Transacao t : transacoes) {
                http.authorizeRequests().antMatchers(t.getUrl()).access(t.getNome());
            }
        }
        catch (Exception ex) {
            throw new RuntimeException(ex);
        }
    }
My UserDetails has username, password and roles. When the login redirects to the home page, in my controller I inspected:
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
The Authentication is anonymousUser, and the security tags on my home page don't show the elements:
    <sec:authorize access="hasRole('PROCESSO')">
        <h:outputLabel value="Show my"></h:outputLabel>
    </sec:authorize>
I think you should remove this line from your HttpSecurity configuration:
    .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
You say that on redirection after login the user becomes anonymousUser, and that makes sense while you are using the stateless session creation strategy.
What happens there is that you do get logged in, but as you are using stateless, the authentication you obtained in the login process is lost as soon as that request ends. So while handling the redirect performed by the default success URL handler, the context does not find any authentication saved for this request (better said, no lookup of an authentication in the session is performed at all).
I found this article from baeldung.com very helpful: Control the Session with Spring Security.
These are some quotes from it:
2. When Is The Session Created?
We can control exactly when our session gets created and how Spring Security will interact with it:
- always – a session will always be created if one doesn't already exist
- ifRequired – a session will be created only if required (default)
- never – the framework will never create a session itself but it will use one if it already exists
- stateless – no session will be created or used by Spring Security
And this:
3. Under The Hood
Before executing the Authentication process, Spring Security will run a filter responsible with storing the Security Context between requests – the SecurityContextPersistenceFilter. The context will be stored according to a strategy – HttpSessionSecurityContextRepository by default – which uses the HTTP Session as storage.
For the strict create-session=”stateless” attribute, this strategy will be replaced with another – NullSecurityContextRepository – and no session will be created or used to keep the context.
Finally, just to say that you should not use the stateless session creation strategy unless you are ready to provide and handle the credentials in every request.