Spring security 3.1 +JSF 2.0 . problem with annotating methods in ManagedBeans?
Hy .What i am trying to do is to integrate Spring security with a Jsf+spring IOC +hibernate application.I have managed to set the login page and filter some other pages.So far so good, but when i tried to put @Secured or @PreAuthorize annotation on methods inside managedBeans (inside Dao's the annotation do work), i realized they do absolutely nothing. I have read that i need FORCE class proxies. Spring uses proxy based aop,the managed bean implements an interface hence jdk dynamic proxy instead of class proxy is used. So i did this in my config file:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"**
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd"> <aop:aspectj-autoproxy proxy-target-class="true"/>
//the rest of the beans
</beans>
The applicationContext-security Xml looks like this:
<?xml version="1.0" encoding="UTF-8"?> <!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml
3019 2008-05-01 17:51:48Z luke_t $ --> <beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/> <http pattern="/css/**" security="none" />
<http pattern="/pages/login.xhtml" security="none" /> <http auto-config='false'>
<intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />
<intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />
<intercept-url pattern="/**"
access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />
<form-login login-page="/pages/login.xhtml"
default-target-url='/pages/reports.xhtml' always-use-default-target='true'
authentication-failure-handler-ref="userLoginService" />
<logout invalidate-session="true" logout-success-url="/pages/login.xhtml"/>
</http> <authentication-manager>
<authentication-provider user-service-ref='userLoginService'>
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager> <beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">
<beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />
<beans:property name="userDao" ref="userDao" />
<beans:property name="loginReportDao" ref="loginReportDao" />
</beans:bean>
</beans:beans>
Can someone tell my why the annotations do not work inside a managed bean,and how to resolve the problem ? ex:
@PreAuthorize("ROLE_PROJECT_MANAGER")
public void aproveVacation(Vacation vacation) {...}
Answer:
The problem has been solved.The solution is to transform the Managed beans to Spring beans. Here is how :
web.xml does not need the jsf listener only the sprin ones :
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
The application context need this config to work at first :
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd"> <context:component-scan base-package="com.company.demo.bean" />
<context:annotation-config />
<aop:config proxy-target-class="true" />
//other configs
</beans>
Note that the first two need to define the base package for the spring beans (for the Components) and that the beans are annotated.The third config is needed to force the class proxy,here is why you need that.
Ok.once we know that we change the annotations from jsf managedBeans to Spring components :
@ManagedBean
@SessionScoped
public class UserLoginBean { @ManagedProperty(name = "userDao", value = "#{userDao}")
private UserDao userDao;
}
to:
@Component
@Scope("session")
@Qualifier("userLoginBean")
public class UserLoginBean { @Autowired
private UserDao userDao;
}
That's all.If you have already this config and doesn't work you should set <aop:config proxy-target-class="true" /> into your applicationContext.xml.
PS:if nothing happened, you can change the
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled">
</sec:global-method-security>
to
<sec:global-method-security pre-post-annotations="enabled" >
</sec:global-method-security>
Spring security 3.1 +JSF 2.0 . problem with annotating methods in ManagedBeans?的更多相关文章
- Spring Boot 2.0 利用 Spring Security 实现简单的OAuth2.0认证方式1
0. 前言 之前帐号认证用过自己写的进行匹配,现在要学会使用标准了.准备了解和使用这个OAuth2.0协议. 1. 配置 1.1 配置pom.xml 有些可能会用不到,我把我项目中用到的所有包都贴出来 ...
- Spring Boot 2.0 利用 Spring Security 实现简单的OAuth2.0认证方式2
0.前言 经过前面一小节已经基本配置好了基于SpringBoot+SpringSecurity+OAuth2.0的环境.这一小节主要对一些写固定InMemory的User和Client进行扩展.实现动 ...
- Spring Boot2.0使用Spring Security
一.Spring Secutity简介 Spring 是一个非常流行和成功的 Java 应用开发框架.Spring Security 基于 Spring 框架,提供了一套 Web 应用安全性 ...
- spring security 学习文档
web service Prepared by: Sea ...
- 朱晔和你聊Spring系列S1E10:强大且复杂的Spring Security(含OAuth2三角色+三模式完整例子)
Spring Security功能多,组件抽象程度高,配置方式多样,导致了Spring Security强大且复杂的特性.Spring Security的学习成本几乎是Spring家族中最高的,Spr ...
- spring security 5 There is no PasswordEncoder mapped for the id "null" 错误
转载请注明出处 http://www.cnblogs.com/majianming/p/7923604.html 最近在学习spring security,但是在设置客户端密码时,一直出现了一下错误提 ...
- Spring Security Java Config Preview--官方
原文地址:[1]https://spring.io/blog/2013/07/02/spring-security-java-config-preview-introduction/ [2]https ...
- web应用安全框架选型:Spring Security与Apache Shiro
一. SpringSecurity 框架简介 官网:https://projects.spring.io/spring-security/ 源代码: https://github.com/spring ...
- Spring Security 实战干货:OAuth2第三方授权初体验
1. 前言 Spring Security实战干货系列 现在很多项目都有第三方登录或者第三方授权的需求,而最成熟的方案就是OAuth2.0授权协议.Spring Security也整合了OAuth2. ...
随机推荐
- bzoj-3195-状压dp
3195: [Jxoi2012]奇怪的道路 Time Limit: 10 Sec Memory Limit: 128 MBSubmit: 600 Solved: 395[Submit][Statu ...
- 传智:自己简单实现一个struts2框架的demo
struts2的结构图: 代码实现: 组织结构: 主要代码: package cn.itcast.config; import org.apache.log4j.Logger; import org. ...
- JSP Unable to compile class for JSP
今天刚弄好MyEclipse环境,试了一下jsp的创建,然后就出现了一个很令人纠结的问题. 文档目录如下: Jsp代码如下: <%@page import="com.pd.Person ...
- tornado框架的get方法传递参数
tornado框架的get方法传递参数,代码: # encoding: utf-8 """ @version: ?? @author: andu99 @contact: ...
- Nodejs中npm install 命令的问题
在使用nodejs的npm包管理工具中碰到过许多个坑,在网上查了很久才解决,现在加以总结. 两种安装方式(本地安装,全局安装) 1.全局安装(npm install -g moduleName/npm ...
- hasura graphql 引擎基本试用
hasura 使用一个基于pg数据库的graphql引擎,他的设计比postgrpahql 有好多方便的地方,同时使用也比较简单 安装 docker && docker-compose ...
- Http消息头中常用的请求头和响应头
作为Web开发对常用http的请求头和响应头熟悉了解一下还是很有必要的.比如请求头中Content-type指定了请求的内容,若类型是application/x-www-form-urlencoded ...
- hadoop YARN配置参数剖析—MapReduce相关参数
MapReduce相关配置参数分为两部分,分别是JobHistory Server和应用程序参数,Job History可运行在一个独立节点上,而应用程序参数则可存放在mapred-site.xml中 ...
- unity代码添加动画,并传参数
测试界面 button一个 sprite一个 测试代码 public class BgObject : MonoBehaviour { void Start() { List<string> ...
- 智能家居入门DIY——【四、组合】
前面几篇介绍了一些传感器和代码,这篇介绍一下把它们组合起来.之所以单独列出这部分,原因在于组合更多功能的时候发现使用软串口库驱动ESP8266时由于内存过小导致发送失败甚至整个系统无法工作的情况.所以 ...