Hi. What I am trying to do is integrate Spring Security with a JSF + Spring IoC + Hibernate application. I have managed to set up the login page and filter some other pages. So far so good, but when I tried to put the @Secured or @PreAuthorize annotation on methods inside managed beans (inside DAOs the annotations do work), I realized they do absolutely nothing. I have read that I need to FORCE class proxies. Spring uses proxy-based AOP; the managed bean implements an interface, hence a JDK dynamic proxy is used instead of a class proxy. So I did this in my config file:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/aop
           http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">

    <aop:aspectj-autoproxy proxy-target-class="true" />

    <!-- the rest of the beans -->
</beans>
The applicationContext-security XML looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  - Sample namespace-based configuration
  -
  - $Id: applicationContext-security.xml 3019 2008-05-01 17:51:48Z luke_t $
  -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />

    <http pattern="/css/**" security="none" />
    <http pattern="/pages/login.xhtml" security="none" />

    <http auto-config='false'>
        <intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />
        <intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />
        <intercept-url pattern="/**"
                       access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />
        <form-login login-page="/pages/login.xhtml"
                    default-target-url='/pages/reports.xhtml'
                    always-use-default-target='true'
                    authentication-failure-handler-ref="userLoginService" />
        <logout invalidate-session="true" logout-success-url="/pages/login.xhtml" />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref='userLoginService'>
            <password-encoder hash="md5" />
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">
        <beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />
        <beans:property name="userDao" ref="userDao" />
        <beans:property name="loginReportDao" ref="loginReportDao" />
    </beans:bean>
</beans:beans>
Can someone tell me why the annotations do not work inside a managed bean, and how to resolve the problem? Example:
@PreAuthorize("ROLE_PROJECT_MANAGER")
public void aproveVacation(Vacation vacation) {...}
Answer:
The problem has been solved. The solution is to transform the managed beans into Spring beans. Here is how:
web.xml does not need the JSF listener, only the Spring ones:
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
The application context needs this config to work at first:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/aop
           http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
           http://www.springframework.org/schema/tx
           http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <context:component-scan base-package="com.company.demo.bean" />
    <context:annotation-config />
    <aop:config proxy-target-class="true" />

    <!-- other configs -->
</beans>
Note that the first two need to define the base package for the Spring beans (for the Components) and that the beans are annotated. The third config is needed to force the class proxy; here is why you need that.
OK. Once we know that, we change the annotations from JSF managed beans to Spring components:
@ManagedBean
@SessionScoped
public class UserLoginBean {
    @ManagedProperty(name = "userDao", value = "#{userDao}")
    private UserDao userDao;
}
to:
@Component
@Scope("session")
@Qualifier("userLoginBean")
public class UserLoginBean {
    @Autowired
    private UserDao userDao;
}
That's all. If you already have this config and it doesn't work, you should set <aop:config proxy-target-class="true" /> in your applicationContext.xml.
PS: If nothing happened, you can change the
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled">
</sec:global-method-security>
to
<sec:global-method-security pre-post-annotations="enabled">
</sec:global-method-security>
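Why a security annotation is ignored on a bean that JSF instantiates itself, shown as an added example that is not part of the original question or answer. It uses a plain JDK dynamic proxy as a stand-in for Spring's proxying, and `RequiresRole`, `VacationActions`, `VacationBean` and `secured` are hypothetical names: the check lives in the proxy wrapped around the bean, so an instance created without that wrapper runs the method unchecked.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class ProxyEnforcementDemo {
    // Hypothetical stand-in for @Secured / @PreAuthorize.
    @Retention(RetentionPolicy.RUNTIME)
    @interface RequiresRole { String value(); }

    interface VacationActions { String approve(String employee); }

    static class VacationBean implements VacationActions {
        @RequiresRole("ROLE_PROJECT_MANAGER")
        public String approve(String employee) { return "approved:" + employee; }
    }

    // What a container does for beans it creates: wrap them so every call is checked first.
    static VacationActions secured(final VacationActions target, final String callerRole) {
        InvocationHandler h = new InvocationHandler() {
            public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
                // The annotation sits on the class method, not on the interface method.
                Method impl = target.getClass().getMethod(m.getName(), m.getParameterTypes());
                RequiresRole r = impl.getAnnotation(RequiresRole.class);
                if (r != null && !r.value().equals(callerRole)) {
                    throw new SecurityException("access denied: needs " + r.value());
                }
                try { return m.invoke(target, args); }
                catch (InvocationTargetException e) { throw e.getCause(); }
            }
        };
        return (VacationActions) Proxy.newProxyInstance(
                VacationActions.class.getClassLoader(), new Class<?>[] { VacationActions.class }, h);
    }

    public static void main(String[] args) {
        String role = "ROLE_ACCOUNTING"; // constructed caller without the required role
        // Bean created with "new", as JSF does for @ManagedBean: nothing reads the annotation.
        System.out.println("plain instance: " + new VacationBean().approve("alice"));
        try {
            secured(new VacationBean(), role).approve("alice");
            System.out.println("proxied instance: call went through");
        } catch (SecurityException e) {
            System.out.println("proxied instance: " + e.getMessage());
        }
    }
}
```

A negative test of this kind, calling the protected method as a user without the role and expecting a denial, confirms that method security is actually being enforced on a given bean.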
Spring security 3.1 +JSF 2.0 . problem with annotating methods in ManagedBeans?

