[solved] Problem Spring Security + PrettyFaces

This topic contains 11 replies, has 2 voices, and was last updated by  Lincoln Baxter III 7 years, 1 month ago.

  • #17767

    denebj
    Participant

    Hello guys

    I am trying to clean my URLs, so I decided to use the framework PrettyFaces

    Everything is working well, except the login page !!

    If I do not put rules I can log in without any issues, but as soon as I am adding rules to clean the login page, I have the error : Bad Credential exception.

    So it is working with this configuration :

    In the web-security.xml

    Code:

    <http auto-config="true"  >

    <!-- Login page -->
    <form-login
    login-page='/pages/login.jsf'
    default-target-url="/pages/redirect.jsp" />

    <logout logout-success-url="/pages/login.jsf"/>

    <!-- ANY AUTHENTIFIED USER -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

    </http>

    ……

    And as soon as I do that :

    Code:

    <http auto-config="true"  >

    <!-- Login page -->
    <form-login
    login-page='/Login'
    default-target-url="/pages/redirect.jsp" />

    <logout logout-success-url="/Login"/>

    <!-- ANY AUTHENTIFIED USER -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    </http>

    Pretty-Faces.xml

    Code:

    <url-mapping id="Login">
    <pattern value="/Login" />
    <view-id>/pages/login.jsf</view-id>
    </url-mapping>

    I have the error !

    First thing, if I try to go to http://mywebapp:0000/Login with this configuration the browser is flashing (like there is a redirection problem), so in order to have access to the page I have to add in the web-security.xml :

    Code:

    <intercept-url pattern="/Login" filters="none" />

    After that I can try to log in and I have the error of the Bad Credentials :/

    My bean :

    Code:

    public void doLogin() throws IOException, ServletException {

        String rep = new StringBuilder("/j_spring_security_check?j_username=")
                .append(this.getEmail()).append("&j_password=").append(
                        this.getPassword()).append(
                        "&_spring_security_remember_me=off").toString();

        try {

            ExternalContext context = FacesContext.getCurrentInstance()
                    .getExternalContext();

            RequestDispatcher dispatcher = ((ServletRequest) context
                    .getRequest()).getRequestDispatcher(rep);

            dispatcher.forward((ServletRequest) context.getRequest(),
                    (ServletResponse) context.getResponse());

            FacesContext.getCurrentInstance().responseComplete();

        }

    My listener :

    public void beforePhase(PhaseEvent arg0) {

        /*
         * Before render response phase, grab any authentication errors
         * generated by the Spring Security filters and create a faces message
         * for the GUI.
         */
        Exception e = (Exception) FacesContext.getCurrentInstance()
                .getExternalContext().getSessionMap().get(
                        WebAttributes.AUTHENTICATION_EXCEPTION);

        if (e != null) {
            /*
             * Add the error message to the FacesContext for display in the
             * rich:messages component.
             */

            if (e instanceof BadCredentialsException) {

                FacesContext.getCurrentInstance().getExternalContext()
                        .getSessionMap().put(
                                WebAttributes.AUTHENTICATION_EXCEPTION, null);
                Utils.addErrorMessage(Utils.getProp().getProperty(
                        "SpringSecurity.badCredentials"));

            } else {
                Utils.addErrorMessage(Utils.getProp().getProperty(
                        "Login.unexpectedError"));
            }
        }

    }

    Any clue ? I have been on this issue for 2 days and I do not know what to do !!!

    Thank you !
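Independent of the PrettyFaces mapping, the `doLogin()` bean in the post above concatenates the raw e-mail and password into the forward path, so a `&`, `=` or `+` in either value reaches `/j_spring_security_check` split or altered. The sketch below is an added example, not code from the thread: `LoginForwardPath`, `naivePath`, `encodedPath` and `parseQuery` are hypothetical names, the credentials are constructed, and `parseQuery` is a simplified stand-in for the container's query-string parsing.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class LoginForwardPath {

    // Same construction as the doLogin() bean in the post: raw values in the query string.
    static String naivePath(String email, String password) {
        return "/j_spring_security_check?j_username=" + email
                + "&j_password=" + password
                + "&_spring_security_remember_me=off";
    }

    // Each value is form-encoded before it is placed in the query string.
    static String encodedPath(String email, String password) throws UnsupportedEncodingException {
        return "/j_spring_security_check?j_username=" + URLEncoder.encode(email, "UTF-8")
                + "&j_password=" + URLEncoder.encode(password, "UTF-8")
                + "&_spring_security_remember_me=off";
    }

    // Simplified model (assumption) of how a servlet container splits and decodes the query string.
    static Map<String, String> parseQuery(String path) throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<String, String>();
        String query = path.substring(path.indexOf('?') + 1);
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample credentials, not taken from the thread.
        String email = "jim+test@example.org";
        String password = "p&ss=w0rd";

        Map<String, String> naive = parseQuery(naivePath(email, password));
        Map<String, String> encoded = parseQuery(encodedPath(email, password));

        // The naive path loses the '+' in the e-mail and cuts the password at '&'.
        System.out.println("naive   j_username=" + naive.get("j_username")
                + " j_password=" + naive.get("j_password"));
        // The encoded path round-trips both values unchanged.
        System.out.println("encoded j_username=" + encoded.get("j_username")
                + " j_password=" + encoded.get("j_password"));
    }
}
```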

    #20076

    Did you make sure PrettyFilter is after your Spring Security filter?

    #20077

    denebj
    Participant

    Yes :)

    Here is my web.xml:

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    <filter>
        <filter-name>Pretty Filter</filter-name>
        <filter-class>com.ocpsoft.pretty.PrettyFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>Pretty Filter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <filter>
        <display-name>Ajax4jsf Filter</display-name>
        <filter-name>ajax4jsf</filter-name>
        <filter-class>org.ajax4jsf.Filter</filter-class>
        <init-param>
            <param-name>createTempFiles</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>ajax4jsf</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

    Thanks for your help :)

    #20078

    The redirect is occurring because Spring Security is blocking: /pages/login.jsf

    If you grant access to that, it should work.

    #20079

    denebj
    Participant

    hum, I had that :

    <intercept-url pattern="/Login" filters="none" />
    <intercept-url pattern="/pages/login.jsf" filters="none" />

    But nothing changed !!! :-/

    #20080

    Hmm… that’s very strange. I would double check the patterns that Spring security is matching on, because I can almost 100% guarantee you that this would be the reason for it. There must be some bad pattern in the Spring config.

    #20081

    denebj
    Participant

    Well, I removed all the <intercept-url> and I had only one :

    <intercept-url pattern="/**" filters="none"/>

    And no improvement ! That’s annoying !!!

    Since I am posting here, how can I remove the context-path in the URL ? I cannot find examples on that :-/

    For example, let say that the name of my webapp is toto, in the browser I have https://blabla:8443/toto/Login/ and I only want https://blabla:8443/Login/ .

    Thanks !!

    #20082

    Ok, so it sounds like there’s another issue. I’m not sure what filters="none" represents. Are you sure that it shouldn’t be roles="ANONYMOUS" ?

    If you go back to the state when you had the BadCredentialsException, it sounds like things with the filters were working correctly then, but there may have been an unrelated issue?

    Grasping at straws here. If I saw a full app I could probably help more easily. I did actually set this up at one point.

    http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/

    #20083

    denebj
    Participant

    Hello Lincoln ^^

    For the filter, here is what I have in the Spring documentation:

    Attribute : filters

    The filter list for the path. Currently can be set to “none” to remove a path from having any filters applied. The full filter stack (consisting of all filters created by the namespace configuration, and any added using ‘custom-filter’), will be applied to any other paths.

    So it is allowing me to access the Login page when I have the pretty faces activated for this page.

    So in order to clean a little bit and see where there is something wrong, I removed my custom user details and authentication info from the Spring configuration and put a generic one such as :

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user name="jim" password="jim" authorities="ROLE_USER" />
                <user name="bob" password="bob" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

    But nothing changed, I still have the same issue (When I am mapping the pretty face URL to the login page => Bad Credentials), I print the stack of the error :

    org.springframework.security.authentication.BadCredentialsException: Bad credentials
        at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:127)
        at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
        at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
        at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:148)
        at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
        at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:97)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
        at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:109)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
        at com.beans.login.Login.doLogin(Login.java:106)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.el.parser.AstValue.invoke(AstValue.java:172)
        at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
        at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
        at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
        at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
        at javax.faces.component.UICommand.broadcast(UICommand.java:394)
        at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:329)
        at org.ajax4jsf.component.AjaxViewRoot.broadcastEventsForPhase(AjaxViewRoot.java:304)
        at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:261)
        at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:474)
        at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:82)
        at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
        at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:206)
        at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
        at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
        at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.ocpsoft.pretty.PrettyFilter.doFilter(PrettyFilter.java:112)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:143)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
        at com.ocpsoft.pretty.PrettyFilter.doFilter(PrettyFilter.java:103)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:143)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:558)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:619)

    Unfortunately I cannot provide code or sample :/

    I actually saw your article on Spring Security, this is the first link I went through when this error occurred ^^

    I posted this issue on the Spring forum too, the lead I am following now :

    "You have a stacktrace, so take a look at the code. (https://fisheye.springsource.org/browse/spring-security/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java?r=85c4c91e0eec566acd97a337f2d9240b484031ee#l127)

    The user isn’t being found – the UsernameNotFoundException is hidden by default to avoid leaking information to the client.

    Break the problem down – the faces stuff is just adding extra complexity. Write a test case which loads the part of your application context that contains the AuthenticationManager, and call the bean directly (passing a UsernamePasswordAuthenticationToken instance to it). Make sure you can get that working before you add the web stuff."

    Again thanks for your help :)

    PS: Should I make another thread for the context path removal? Maybe it is better for other people to see if they are looking for a solution too.
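The Spring forum advice quoted in the post above, as an added example that is not code from the thread: a JUnit 4 test that loads only the `<authentication-manager>` block from the post and calls the bean directly with a `UsernamePasswordAuthenticationToken`, with no filters or JSF involved. The class name, the inline XML wrapper and the versionless schema locations are assumptions; it targets the Spring Security 3.x API seen in the stack trace, where plain-text `user-service` passwords are accepted as written.

```java
import static org.junit.Assert.assertTrue;

import org.junit.Before;
import org.junit.Test;
import org.springframework.context.support.GenericXmlApplicationContext;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;

public class AuthenticationManagerTest {

    // Only the authentication part of the configuration from the post; no <http>, no filters.
    private static final String CONFIG =
          "<beans:beans xmlns='http://www.springframework.org/schema/security'"
        + " xmlns:beans='http://www.springframework.org/schema/beans'"
        + " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'"
        + " xsi:schemaLocation='http://www.springframework.org/schema/beans"
        + " http://www.springframework.org/schema/beans/spring-beans.xsd"
        + " http://www.springframework.org/schema/security"
        + " http://www.springframework.org/schema/security/spring-security.xsd'>"
        + "<authentication-manager alias='authenticationManager'>"
        + "<authentication-provider><user-service>"
        + "<user name='jim' password='jim' authorities='ROLE_USER'/>"
        + "<user name='bob' password='bob' authorities='ROLE_USER'/>"
        + "</user-service></authentication-provider>"
        + "</authentication-manager></beans:beans>";

    private AuthenticationManager manager;

    @Before
    public void loadContext() {
        GenericXmlApplicationContext context = new GenericXmlApplicationContext();
        context.load(new ByteArrayResource(CONFIG.getBytes()));
        context.refresh();
        manager = context.getBean("authenticationManager", AuthenticationManager.class);
    }

    @Test
    public void knownUserAuthenticates() {
        Authentication result = manager.authenticate(
                new UsernamePasswordAuthenticationToken("jim", "jim"));
        assertTrue(result.isAuthenticated());
    }

    // An unknown user surfaces as BadCredentialsException: UsernameNotFoundException is hidden by default.
    @Test(expected = BadCredentialsException.class)
    public void unknownUserIsReportedAsBadCredentials() {
        manager.authenticate(new UsernamePasswordAuthenticationToken("nobody", "jim"));
    }
}
```

If both tests pass here while the web login still fails, the username and password are being lost or altered before they reach the `AuthenticationManager`, which points at the forward and filter setup rather than the user store.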

    #20084

    Yeah, that definitely sounds like you’re on the right track now.

    Go ahead and make another thread for the context path issue :) I think you’ll get some answers very quickly.

    #20085

    denebj
    Participant

    Ok thanks :) :)

    I finally made it work !!! I used your project (the example of spring security), and I added pretty faces to see if it was working.

    So I added some filters and changed the order and it is working :):)

    #20086

    Awesome! Glad you got it working :)
