Hy .What i am trying to do is to integrate Spring security with a Jsf+spring IOC +hibernate application.I have managed to set the login page and filter some other pages.So far so good, but when i tried to put @Secured or @PreAuthorize annotation on methods inside managedBeans (inside Dao's the annotation do work), i realized they do absolutely nothing. I have read that i need FORCE class proxies. Spring uses proxy based aop,the managed bean implements an interface hence jdk dynamic proxy instead of class proxy is used. So i did this in my config file:
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"** xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd"> <aop:aspectj-autoproxy proxy-target-class="true"/> //the rest of the beans </beans>
The applicationContext-security Xml looks like this:
<?xml version="1.0" encoding="UTF-8"?> <!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml 3019 2008-05-01 17:51:48Z luke_t $ --> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/> <http pattern="/css/**" security="none" /> <http pattern="/pages/login.xhtml" security="none" /> <http auto-config='false'> <intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' /> <intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' /> <intercept-url pattern="/**" access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' /> <form-login login-page="/pages/login.xhtml" default-target-url='/pages/reports.xhtml' always-use-default-target='true' authentication-failure-handler-ref="userLoginService" /> <logout invalidate-session="true" logout-success-url="/pages/login.xhtml"/> </http> <authentication-manager> <authentication-provider user-service-ref='userLoginService'> <password-encoder hash="md5" /> </authentication-provider> </authentication-manager> <beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService"> <beans:property name="defaultFailureUrl" value="/pages/login.xhtml" /> <beans:property name="userDao" ref="userDao" /> <beans:property name="loginReportDao" ref="loginReportDao" /> </beans:bean> </beans:beans>
Can someone tell my why the annotations do not work inside a managed bean,and how to resolve the problem ? ex:
@PreAuthorize("ROLE_PROJECT_MANAGER")
public void aproveVacation(Vacation vacation) {...}
Answer:
The problem has been solved.The solution is to transform the Managed beans to Spring beans. Here is how :
web.xml does not need the jsf listener only the sprin ones :
<listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <listener> <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class> </listener>
The application context need this config to work at first :
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd"> <context:component-scan base-package="com.company.demo.bean" /> <context:annotation-config /> <aop:config proxy-target-class="true" /> //other configs </beans>
Note that the first two need to define the base package for the spring beans (for the Components) and that the beans are annotated.The third config is needed to force the class proxy,here is why you need that.
Ok.once we know that we change the annotations from jsf managedBeans to Spring components :
@ManagedBean @SessionScoped public class UserLoginBean { @ManagedProperty(name = "userDao", value = "#{userDao}") private UserDao userDao; }
to:
@Component @Scope("session") @Qualifier("userLoginBean") public class UserLoginBean { @Autowired private UserDao userDao; }
That's all.If you have already this config and doesn't work you should set <aop:config proxy-target-class="true" /> into your applicationContext.xml.
PS:if nothing happened, you can change the
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"> </sec:global-method-security>
to
<sec:global-method-security pre-post-annotations="enabled" > </sec:global-method-security>
