0

I integrated a webapp that uses JSF 2 with Spring Security 3.2 and Spring 4.0 (compatible, see documentation, and this thread), using annotations, and I have this configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
            .antMatchers("/my-account", "**/myAccount.**").authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll();
}

The login page is shown correctly, but when I submit the username and password, the JSF backing bean method is never called. I want to process some validations (required fields, etc.) in this method and throw exceptions (required field messages).

If I comment out the line that sets up my custom login page, the desired method is called.

This article, and this other one, are examples of what I'm trying to do. Notice that the methods declared on the managed beans are, apparently, being called.

The questions are: am I forgetting some configuration? How do I get Spring to let JSF perform my validations, display required field messages, etc.?

John John Pichler

2 Answers

0

People, after searching all day on the internet, I haven't found any example of this being done using annotations.

I just migrated to XML files and now everything works.

I'm not a Spring expert, but based on just what I tested, I think that when using annotations Spring created automatic filters that, for some reason, intercepted all the requests coming from the configured custom login form, blocking JSF from handling the requests. This may be happening because of some undocumented incompatibility between "Spring 4" and "Spring Security 3.2". This incompatibility doesn't occur when using XML.

If you create the security filters in the classic manual way in web.xml, and configure your custom login form in the Spring XML files, you can use the JSF features on the login form again.

The same security configuration, migrated from annotations to XML, worked.

PS: Sorry, I can't share the detailed files because this time it's not open source.

John John Pichler
0

I answered this in the Spring Security JIRA at SEC-2761, but I'm posting here to help anyone else that stumbles across this issue.

The problem is that Java Configuration defaults the login processing URL to be a POST to the value of the login form. This means that, since the login page is configured to be loginPage("/login"), a POST to /login will be intercepted by Spring Security.

To avoid this problem, you can either

  • perform a POST to a different URL and have the LoginController process that URL.
  • configure Spring Security to intercept a different URL using .loginProcessingUrl("/j_spring_security_check")

An example configuration for option 2 can be seen below:

@Override
protected void configure(HttpSecurity http) throws Exception
{
    http
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/j_spring_security_check")
                ...
}

I attached a working sample application to the previously mentioned JIRA. You can download it here.

Rob Winch
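Added example, not code from either answer or from the Spring Security project: the question's access rules combined with the second answer's `loginProcessingUrl` setting in one configuration class, with comments on which request is handled by which side. The class name `SecurityConfig` is an assumption, and the application's user store is assumed to be configured elsewhere, as in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // URL taken from the answer above. Any path that differs from the
    // login page's own path avoids the collision.
    private static final String LOGIN_PROCESSING_URL = "/j_spring_security_check";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Access rules copied unchanged from the question.
                .antMatchers("/my-account", "**/myAccount.**").authenticated()
                .and()
            .formLogin()
                // GET  /login -> rendered by the application (the JSF view).
                // POST /login -> no longer claimed by Spring Security, so the
                //                JSF postback reaches the backing bean and
                //                its validation can run.
                .loginPage("/login")
                // POST /j_spring_security_check -> handled by Spring Security's
                // username/password authentication filter.
                .loginProcessingUrl(LOGIN_PROCESSING_URL)
                // Stated explicitly: the request that finally reaches the
                // processing URL must carry the credentials under these
                // parameter names (the Java Configuration defaults).
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll();
        // CSRF protection stays enabled (the Java Configuration default), so a
        // form that posts straight to the processing URL must include the
        // CSRF token or the request is rejected before authentication.
    }
}
```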