Spring Security 3 - cant't access secured page

hi!

I'm using springsecurity + jsf to do my login and it's working fine

But I got this message at the browser when I try to access a secured page

HTTP Status 404 - /SGP_3/modules/login/secure.jsf
--------------------------------------------------------------------------------
type Status report
message /SGP_3/modules/login/secure.jsf
description The requested resource (/SGP_3/modules/login/secure.jsf) is not available.




<http auto-config="true" access-denied-page="/accessDenied.jsp"> <intercept-url pattern="/modules/login/**" access="ROLE_ADMIN, ROLE_MANAGER" /> <form-login login-page="/login.jsf" login-processing-url="/j_spring_security_check" default-target-url="/test1.jsp" authentication-failure-url="/fail.jsp?auth_failure=true" /> <logout logout-success-url="/logout.jsf" /> </http>

And test1.jsp .
<html> <head></head> <body> <jsp:forward page="/modules/login/secure.jsf" /> </body> </html>

If I do <jsp:forward page="/secure.jsf" /> it works fine


secure.jsf

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:h="http://java.sun.com/jsf/html" xmlns:f="http://java.sun.com/jsf/core" xmlns:rich="http://richfaces.org/rich" xmlns:a4j="http://richfaces.org/a4j" <rich:comboBox > <f:selectItem itemValue="test1"/> <f:selectItem itemValue="test2"/> <f:selectItem itemValue="test3"/> </rich:comboBox> </html>

OK, then just do what works fine. ;)

Mark

Just out of curiosity. Try the one that doesn't work and remove the first "/"

like

<jsp:forward page="modules/login/secure.jsf" />

It is all about relative versus exact paths sometimes. I always do the wrong thing myself, putting the "/" when I shouldn't or forgetting it when I should.

Mark

Mark Spritzler wrote:Just out of curiosity. Try the one that doesn't work and remove the first "/"

like

<jsp:forward page="modules/login/secure.jsf" />

It is all about relative versus exact paths sometimes. I always do the wrong thing myself, putting the "/" when I shouldn't or forgetting it when I should.

Mark

I changed the project to JSP pages instead JSF and it works.

my mistake is about jsf navigation I think...


thanks
...

So for the JSF stuff did you add Spring's ELVariableResolver in your faces-config.xml?

Mark

No, my faces-config is like this:


<?xml version="1.0" encoding="UTF-8"?> <faces-config version="1.2" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_1_2.xsd"> <!-- spring managed--> <application> <view-handler>com.sun.facelets.FaceletViewHandler</view-handler> <variable-resolver>org.springframework.web.jsf.DelegatingVariableResolver</variable-resolver> </application> <navigation-rule> <from-view-id>/um.xhtml</from-view-id> <navigation-case > <from-outcome >success</from-outcome> <to-view-id>/modules/login/secure.xhtml</to-view-id> </navigation-case> </navigation-rule> <navigation-rule> <from-view-id>/logout.xhtml</from-view-id> <navigation-case > <from-outcome >login</from-outcome> <to-view-id>/login.xhtml</to-view-id> </navigation-case> </navigation-rule> </faces-config>



Well, now a I have another problem. I can access a secure page after login, but when an user has a diferent role(ROLE_MANAGER) this user can access a secure page only for ROLE_ADMIN. And when I do logout I can access the page secure yet. After logout the role is ROLE_ANONYMOUS


<http auto-config="true" access-denied-page="/accessDenied.xhtml"> <intercept-url pattern="/modules/login/**" access="ROLE_ADMIN" /> <form-login login-page="/login.xhtml" login-processing-url="/j_spring_security_check" default-target-url="/um.xhtml" authentication-failure-url="/fail.xhtml" /> <logout logout-success-url="/logout.xhtml" /> </http>

everson santos wrote:No, my faces-config is like this:


<?xml version="1.0" encoding="UTF-8"?> <faces-config version="1.2" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_1_2.xsd"> <!-- spring managed--> <application> <view-handler>com.sun.facelets.FaceletViewHandler</view-handler> <variable-resolver>org.springframework.web.jsf.DelegatingVariableResolver</variable-resolver> </application> </faces-config>

You mean Yes, you do.

The DelegatingVariableResolver is the variable resolver that I spoke of.

Mark

For the last part. Check your UserDetails object for that user and make sure they only have that one ROLE.

Also, are all the URLs mapping as you expect, or is it a different URL that is actually being requested. I guess from the faces-config.xml it is. But it just seems too odd.

Mark

Hi mark

I think my spring security configuration is ok and the problem is jsf/facelets. Because I have the same configuration to jsp project and all is working fine.


In .xhtml file I have <h:outputText value="#{sessionScope.SPRING_SECURITY_CONTEXT}" />
and it show me the role in session

org.springframework.security.context.SecurityContextImpl@c1780c08: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@c1780c08: Principal: com.springtest.User@185babe; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 4677E11BE9EC9A8DEEBF0A0F3AA9025D; Granted Authorities: ROLE_MANAGER

I have the code below in secure.xhtml and it show me /SGP_3/um.xhtml (um.xhtml is the page I click on button go to secure.xhtml how is in faces-config.xml navigation).
login.xhtml ==> um.xhtml ==> secure.xhtml


<h:outputText value="#{facesContext.externalContext.requestContextPath}" /> <h:outputText value="#{facesContext.externalContext.requestServletPath}" />

In jsp project when I try access the secure page it's redirect to accessdenied.jsp and the url/context is /SpringTeste2/protected/secure.jsp,
it looks like the spring security is validation the by url/context ... /modules/login/secure.xhtm. But when I click the button go to secure page the url is /SGP_3/um.xhtml instead /SGP_3/modules/login/secure.xhtml

@Service(value="userDetailsServiceImpl") public class UserDetailsServiceImpl implements UserDetailsService { UserDao userDao; @Autowired public UserDetailsServiceImpl(UserDao userDao) { this.userDao = userDao; } @Override @SuppressWarnings("unchecked") public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { try { //org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Query query = userDao.createNamedQuery("User.findUser"); query.setParameter("name", username); List<User> p = query.getResultList(); return p.get(0); } catch (Exception e) { e.printStackTrace(); throw new UsernameNotFoundException("User not found: " + username); } } } public class User implements UserDetails, Serializable { @Column @Id private Integer id; @Column private String login; @Column private String password; @Column private boolean activated = true; @OneToMany(mappedBy="user", fetch=FetchType.EAGER) private List<Role> roles = new ArrayList<Role>(); @Override @Transient //public GrantedAuthority[] getAuthorities() { public Collection<GrantedAuthority > getAuthorities() { Collection<GrantedAuthority > list = new ArrayList<GrantedAuthority>(); if(!getRoles().isEmpty()){ int x = 0; for (Role role : getRoles()) { list.add(new GrantedAuthorityImpl(role.getName())); } return list; } return null; }

So the Navigation rule then isn't being triggered. so maybe the change needs to happen in

<http auto-config="true" access-denied-page="/accessDenied.xhtml"> <intercept-url pattern="/modules/login/**" access="ROLE_ADMIN" /> <form-login login-page="/login.xhtml" login-processing-url="/j_spring_security_check" default-target-url="/um.xhtml" authentication-failure-url="/fail.xhtml" /> <logout logout-success-url="/logout.xhtml" /> </http>

what happens if you change default-target-url to "/modules/login/um.xhtml" or what happens if you remove the leading "/" so it is "um.xhtml"

I'd actually try the last way I just said first. Sometimes I put a "/" in front when it isn't supposed to be there, and sometimes I don't have the "/" in front when needed. It is all about relative versus exact paths, and I think with the "/" in front is an exact path in context of your web application context.

Mark

I fixed! But wasn't a way beautiful... I need figure out another way to fix that...

In jsf there's no get navigation...

next step, jsf forum

public String buttontest() throws java.io.IOException,ServletException{ FacesContext facesContext = FacesContext.getCurrentInstance(); facesContext.getExternalContext().redirect("/SGP_3/modules/login/secure.xhtml"); return null; //return "success"; }


Thanks!

everson santos wrote:
I fixed! But wasn't a way beautiful... I need figure out another way to fix that...

In jsf there's no get navigation...

next step, jsf forum

public String buttontest() throws java.io.IOException,ServletException{ FacesContext facesContext = FacesContext.getCurrentInstance(); facesContext.getExternalContext().redirect("/SGP_3/modules/login/secure.xhtml"); return null; //return "success"; }


Thanks!

Yeah, I don't think that is pretty either.

Good Luck

Mark