JSF Spring security

Splash Forums PrettyFaces Users JSF Spring security

This topic contains 6 replies, has 3 voices, and was last updated by  Lincoln Baxter III 4 years, 8 months ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #18651

    Hi Lincoln

    I really love your post earlier to this link regarding JSF + Spring Security.

    http://ocpsoft.org/java/acegi-spring-security-jsf-login-page/

    However, I found the following issue which breaks the integration.

    If I put the form in a composite component, prependId always happens even if setting to false. This actually prepend JSF generated id in front of the name attribute of the form element. When the request is forwarded to Spring Security Filter, the j_username and j_password always got empty values.

    Is there any suggested way of resolving this issue?

    Thank you very much.

    #22855

    Hi,

    I never used Spring Security so I’m only guessing here. But perhaps you could simply replace the <h:inputText> with corresponding plain HTML <input type="text"> elements. This way you can choose any ID you want and because the values aren’t processed by the JSF backing bean, you won’t run into any problems. The only thing you loose is validation. But this may be OK.

    Just my 2 cents. :)

    Christian

    #22856

    This sounds like a bug in JSF or some other framework you are using. What are the versions of things you are using?

    #22857

    Hi Lincoln,

    I am using MyFaces 2.1. I think I need to be more specific here.

    In my xhtml, I put

    <h:inputText id=”j_username” value=”#{userLoginFormBean.username}” required=”true” requiredMessage=”#{msg}” styleClass=”mrk-block” />

    In the rendered html,

    <input id=”j_id226006277_3a835164:j_id2014540464_3a8351c1:j_id2019806575_72a3b75_1:j_username” name=”j_id226006277_3a835164:j_id2014540464_3a8351c1:j_id2019806575_72a3b75_1:j_username” type=”text” value=”” />

    I noticed that the name attribute is prepended with some generated values. Spring Security is not able to get any value by doing request.getParameter(“j_username”) because the name of the parameter is “j_id226006277_3a835164:j_id2014540464_3a8351c1:j_id2019806575_72a3b75_1:j_username” .

    After debugging into the code and testing with different senarios, I found out that the if the input field is placed inside a NamingContainer, it will always prepend the values to the id. The value of the prepended id is actually the id of the parental namingContainers.

    This actually bothers me a lot.

    #22859

    Sorry for the slow response.

    Yeah, that’s basically the purpose of a NamingContainer, but I’m surprised that it’s not working when you use prependId="false" – that should work to disable it. Is it in another naming container besides the form? If so, you might want to move it outside of that as a workaround, otherwise, your alternative is to set the names of the naming containers to something standard, and set up your j_security_check (or whatever the config is) to look for corresponding parameter names.

    #22860

    Hi Lincoln,

    You are right, I do have different namingcontainer around each other. I will try with the name of the container later on.

    I have actually one more issue if I follow your thread. This is regarding the usage of Spring Security + PrettyFaces.

    Basically, if I use the two framework together, a forward request from the PrettyFaces is processed twice by Spring Security. I did follow the thread by Christian to remove the dispatcher-forward from the spring security forward. However, the Spring security ignored my login request forwarded by loginbean on purpose. I am not sure if you have a better way of handling the issue?

    http://ocpsoft.org/support/topic/spring-security-problem-when-using-pretty-faces

    #22861

    I’m not exactly sure what you’d need to do for your application. Basically you need to ensure that the request gets to spring security when you want it to. Figure out “what” you need it to do, then you should be able to figure out “how.”

    You could try reversing the order of Spring Security filter and PrettyFaces Filter in your web.xml, so that Spring comes first. You might need to chance your URL security rules, but this might do what you want.

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.

Comments are closed.