Hy .What i am trying to do is to integrate Spring security with a Jsf+spring IOC +hibernate application.I have managed to set the login page and filter some other pages.So far so good, but when i tried to put @Secured or @PreAuthorize annotation on methods inside managedBeans (inside Dao's the annotation do work), i realized they do absolutely nothing. I have read that i need FORCE class proxies. Spring uses proxy based aop,the managed bean implements an interface hence jdk dynamic proxy instead of class proxy is used. So i did this in my config file:

 <beans xmlns="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xmlns:aop="http://www.springframework.org/schema/aop"**

xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-2.5.xsd

http://www.springframework.org/schema/aop

    http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">

<aop:aspectj-autoproxy proxy-target-class="true"/>

 //the rest of the beans

 </beans>

The applicationContext-security Xml looks like this:

 <?xml version="1.0" encoding="UTF-8"?>

 <!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml

3019 2008-05-01 17:51:48Z luke_t $ -->

 <beans:beans xmlns="http://www.springframework.org/schema/security"

xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://www.springframework.org/schema/beans

       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

       http://www.springframework.org/schema/security

       http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<global-method-security secured-annotations="enabled"  jsr250-annotations="enabled"/>

<http pattern="/css/**" security="none" />

<http pattern="/pages/login.xhtml" security="none" />

<http auto-config='false'>

    <intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />

    <intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />

    <intercept-url pattern="/**"

        access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />

    <form-login login-page="/pages/login.xhtml"

        default-target-url='/pages/reports.xhtml' always-use-default-target='true'

        authentication-failure-handler-ref="userLoginService" />

    <logout invalidate-session="true" logout-success-url="/pages/login.xhtml"/>

</http>

<authentication-manager>

    <authentication-provider user-service-ref='userLoginService'>

        <password-encoder hash="md5" />

    </authentication-provider>

</authentication-manager>

<beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">

    <beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />

    <beans:property name="userDao" ref="userDao" />

    <beans:property name="loginReportDao" ref="loginReportDao" />

</beans:bean>

 </beans:beans>

Can someone tell my why the annotations do not work inside a managed bean,and how to resolve the problem ? ex:

@PreAuthorize("ROLE_PROJECT_MANAGER")

public void aproveVacation(Vacation vacation) {...}

Answer:

The problem has been solved.The solution is to transform the Managed beans to Spring beans. Here is how :
web.xml does not need the jsf listener only the sprin ones :

<listener>

    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>

</listener>

<listener>

    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>

</listener>

The application context need this config to work at first :

<beans xmlns="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"

xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"

xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-2.5.xsd

http://www.springframework.org/schema/aop

http://www.springframework.org/schema/aop/spring-aop-3.0.xsd

http://www.springframework.org/schema/tx

http://www.springframework.org/schema/tx/spring-tx-3.0.xsd

 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">

<context:component-scan base-package="com.company.demo.bean" />

<context:annotation-config />

<aop:config proxy-target-class="true" />

//other configs

</beans>

Note that the first two need to define the base package for the spring beans (for the Components) and that the beans are annotated.The third config is needed to force the class proxy,here is why you need that.
Ok.once we know that we change the annotations from jsf managedBeans to Spring components :

@ManagedBean

@SessionScoped

public class UserLoginBean {

@ManagedProperty(name = "userDao", value = "#{userDao}")

private UserDao userDao;

}

to:

@Component

@Scope("session")

@Qualifier("userLoginBean")

public class UserLoginBean  {

@Autowired

private UserDao userDao;

}

That's all.If you have already this config and doesn't work you should set <aop:config proxy-target-class="true" /> into your applicationContext.xml.

PS:if nothing happened, you can change the

<sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled">

        </sec:global-method-security>

to

<sec:global-method-security pre-post-annotations="enabled" >

    </sec:global-method-security>

Spring security 3.1 +JSF 2.0 . problem with annotating methods in ManagedBeans?的更多相关文章

  1. Spring Boot 2.0 利用 Spring Security 实现简单的OAuth2.0认证方式1

    0. 前言 之前帐号认证用过自己写的进行匹配,现在要学会使用标准了.准备了解和使用这个OAuth2.0协议. 1. 配置 1.1 配置pom.xml 有些可能会用不到,我把我项目中用到的所有包都贴出来 ...

  2. Spring Boot 2.0 利用 Spring Security 实现简单的OAuth2.0认证方式2

    0.前言 经过前面一小节已经基本配置好了基于SpringBoot+SpringSecurity+OAuth2.0的环境.这一小节主要对一些写固定InMemory的User和Client进行扩展.实现动 ...

  3. Spring Boot2.0使用Spring Security

     一.Spring Secutity简介     Spring 是一个非常流行和成功的 Java 应用开发框架.Spring Security 基于 Spring 框架,提供了一套 Web 应用安全性 ...

  4. spring security 学习文档

    web service Prepared by:   Sea                                                                       ...

  5. 朱晔和你聊Spring系列S1E10:强大且复杂的Spring Security(含OAuth2三角色+三模式完整例子)

    Spring Security功能多,组件抽象程度高,配置方式多样,导致了Spring Security强大且复杂的特性.Spring Security的学习成本几乎是Spring家族中最高的,Spr ...

  6. spring security 5 There is no PasswordEncoder mapped for the id "null" 错误

    转载请注明出处 http://www.cnblogs.com/majianming/p/7923604.html 最近在学习spring security,但是在设置客户端密码时,一直出现了一下错误提 ...

  7. Spring Security Java Config Preview--官方

    原文地址:[1]https://spring.io/blog/2013/07/02/spring-security-java-config-preview-introduction/ [2]https ...

  8. web应用安全框架选型:Spring Security与Apache Shiro

    一. SpringSecurity 框架简介 官网:https://projects.spring.io/spring-security/ 源代码: https://github.com/spring ...

  9. Spring Security 实战干货:OAuth2第三方授权初体验

    1. 前言 Spring Security实战干货系列 现在很多项目都有第三方登录或者第三方授权的需求,而最成熟的方案就是OAuth2.0授权协议.Spring Security也整合了OAuth2. ...

随机推荐

  1. AppCrawler自动化遍历使用详解(版本2.1.0 )

    AppCrawle是自动遍历的app爬虫工具,最大的特点是灵活性,实现:对整个APP的所有可点击元素进行遍历点击.   优点: 1.支持android和iOS, 支持真机和模拟器 2.可通过配置来设定 ...

  2. [转载]ORACLE EXP/IMP

    转载自:https://www.cnblogs.com/mengfanrong/p/3792955.html 本文对Oracle数据的导入导出 imp ,exp 两个命令进行了介绍, 并对其对应的參数 ...

  3. Eclipse中配置Solr源码

    转自 http://hongweiyi.com/2013/03/configurate-solr-src-in-eclipse/ 1. 下载solr的src包,并解压 2. 解压后,在解压后的根目录执 ...

  4. linux 命令 --if

    if else-if else 语法格式: if condition1 then command1 elif condition2 then command2 else commandN fi 例如: ...

  5. Jenkins插件开发(四)-- 插件发布

    上一篇blog介绍了插件开发中要注意的一些问题, 我们再来介绍插件开发完成后,如何上传到jenkins的插件中心(这里假设你的代码是放在github上的,使用svn或其他版本管理工具的请参考其他文章) ...

  6. [转]设置银行卡密码的个人bug

    国庆前去某银行新办了张银行卡,办卡的时候修改了默认的密码.国庆期间要网上购物,结果密码输入3次都错误,所以银行卡被锁定了,只能等国庆后银行上班再去解锁. 国庆结束后跑去银行重置了密码,流程是这样的:1 ...

  7. 提高ASP.NET页面载入速度的方法

    前言 本文是我对ASP.NET页面载入速度提高的一些做法,这些做法分为以下部分: 目录 1.采用 HTTP Module 控制页面的生命周期. 2.自定义Response.Filter得到输出流str ...

  8. Jmeter二次开发之代码环境搭建(QQ交流群:577439379)

    一.创建项目 1. 分别下载apache3.1 binaries和source两个压缩包,前者为release版本,后者为jmeter最新的源码,下载地址:http://jmeter.apache.o ...

  9. Linux共享对象之编译参数fPIC(转)

    最近在看Linux编程的基础知识,打算对一些比较有趣的知识做一些汇总备忘,本文围绕fPIC展开,学习参考见文末. 在Linux系统中,动态链接文件称为动态共享对象(DSO,Dynamic Shared ...

  10. FFMPEG结构体分析:AVCodecContext(转)

    注:写了一系列的结构体的分析的文章,在这里列一个列表: FFMPEG结构体分析:AVFrameFFMPEG结构体分析:AVFormatContextFFMPEG结构体分析:AVCodecContext ...