Pretty Faces with Spring Security, using param on the login page

Splash Forums PrettyFaces Users Pretty Faces with Spring Security, using param on the login page

This topic contains 8 replies, has 2 voices, and was last updated by  thierryler 5 years ago.

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • #18391

    thierryler
    Participant

    Hello.

    I’m using Pretty Faces 3.3.2 and Spring Security 3.1.0 and Java 6.

    My config looks like that :

    <url-mapping id="home">
    <pattern value="/home/#{lang : myBean.lang}/#{site : myBean.site}" />
    <view-id value="/home.jsf" />
    <action>#{myBean.process}</action>
    </url-mapping>

    I use the “site” parameter to select the image (and other stuff) that has to be in my web page header.

    When I am not logged yet, I am redirected to the login page by Spring security :

    <http use-expressions="true">
    <intercept-url pattern="/home/**" access="hasRole('...')" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/login/**" access="permitAll" />
    <intercept-url pattern="/accessdenied" access="permitAll" />
    <intercept-url pattern="/logout_success" access="permitAll" />

    <form-login login-processing-url="/login_check"
    login-page="/login"
    default-target-url="/home/"
    authentication-failure-url="/login?login_error=1"
    authentication-success-handler-ref="backConnectionHistoryHandler" />

    ...

    But now I need to use the image on the login page. It means I need to acces the “site” parameter to select the image.

    What is the best way to do that ?

    Thx.

    Thierry

    #22560

    thierryler
    Participant

    And of course, the login mapping :

    <!-- Login -->
    <url-mapping id="login">
    <pattern value="/login" />
    <view-id value="/login.jsf" />
    </url-mapping>

    <!-- Access denied -->
    <url-mapping id="accessdenied">
    <pattern value="/accessdenied" />
    <view-id value="/accessdenied.jsf" />
    </url-mapping>

    <!-- Logout -->
    <url-mapping id="logout">
    <pattern value="/logout" />
    <view-id value="/j_spring_security_logout" />
    </url-mapping>

    <!-- Logout successed -->
    <url-mapping id="logout_success">
    <pattern value="/logout_success" />
    <view-id value="/logout_success.jsf" />
    </url-mapping>

    #22561

    I think you will need to add the site path parameter to the login mapping somehow. This way you could access the parameter the same way as on the other pages. But in this case your Spring Security configuration has to be changed to support these new login URLs. I’m not an expert for Spring Security, so I don’t know if this is possible.

    #22562

    thierryler
    Participant

    You mean something like that ?

    <url-mapping id="login">
    <pattern value="/login/#{myBean.site}" />
    <view-id value="/login.jsf" />
    </url-mapping>

    But, in this case, how do I ask spring security to foward to “/login/aSiteId” ?

    #22563

    Yeah, I think an URL pattern like this would make sense if you want to display a site-dependent image on the login page. But as I said, I’m not an expert for Spring Security. So I don’t know how to perform such variable redirects.

    But I think you have to store the information regarding the “current site” somewhere. Imagine a user comes to your page for the first time. If he accesses /login you cannot know which site he want’s to login to, right? Or how do you want to handle such a situation?

    #22564

    thierryler
    Participant

    Actually, my users receive an email with the direct link : http://www…./myapp/home/fr/newyork for example…

    But of course they will be redirected to the login page first.

    I have absolutly no idea how to store the param newyork…

    #22565

    I really think it should be a path parameter. This way it would be very consistent. Where else could you store it? Perhaps the session? But I don’t like to store something like this in the session.

    My guess is that some part of Spring Security has to be customized to achieve this.

    A quick Google search lead me to LoginUrlAuthenticationEntryPoint.

    http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/LoginUrlAuthenticationEntryPoint.html

    Perhaps this could be something that you could extends/customize to dynamically generate the login URL Spring Security redirects to?

    Christian

    #22566

    From the documentation:

    The AuthenticationEntryPoint will be called if the user requests a secure HTTP resource but they are not authenticated. An appropriate AuthenticationException or AccessDeniedException will be thrown by a security interceptor further down the call stack, triggering the commence method on the entry point. This does the job of presenting the appropriate response to the user so that authentication can begin. The one we’ve used here is LoginUrlAuthenticationEntryPoint, which redirects the request to a different URL (typically a login page). The actual implementation used will depend on the authentication mechanism you want to be used in your application.

    See here:

    http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-web-filters.html#auth-entry-point

    #22567

    thierryler
    Participant

    Thx, I will have a look at those links.

    Just until now, the best “solution” I founded was to create an entry point to my web site:

    Code:
    <url-mapping id=”go”>
    <pattern value=”/go/#{lang :myBean.lang}/#{site : myBean.site}” />
    <view-id value=”/go.jsf” />
    <action>#{myBean.process}</action>
    </url-mapping>

    And the go.jsf only does a redirect :

    Code:
    <html>
    <head>
    <meta http-equiv=”Refresh” content=”0; URL=../../home/#{myBean.lang}/#{myBean.site}” />
    </head>
    </html>

    Yes… snif snif…

    It only gives access to the home page throw the entry point.

Viewing 9 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic.

Comments are closed.