Hi, I made a post a few days ago about making a login form in a webapp combining the technologies mentioned in the subject, but I realize that I am more lost than I thought! hehehe
My idea is to have a base web application project (made by me, I don't want a Maven archetype) with JSF 2.0, RichFaces 4, Hibernate 3 and Spring Security, properly configured for:
- User authentication (usernames, passwords and roles in a database)
- User permissions for different resources in my webapp.
- JSF 2.0 as my MVC and page flow framework, using Facelets as the preferred page language and using templates.
- Hibernate as the ORM.
Now, I have JSF 2.0 and RichFaces 4 properly configured. But I can't find a proper way to manage the login. I tried with a login bean, but it did not work. Actually, what I don't realize is what happens with the JSF navigation rules (from faces-config.xml) in the login process of Spring Security. What is the correct way to do that? Maybe using an AuthenticationManager? How can I use it?
I think you are trying to overcomplicate things. The main thing is that each technology you list has its own responsibilities and they don't overlap. What that means is that Spring Security is just securing a URL, it doesn't care if you are using JSF, JSP or straight Servlets. And this includes the login page (which you posted saying that it is now working, is that wrong?)
So in JSF, you don't put any security stuff. It is all in your Spring Security configuration.
Mark, you are right, I made it work using a form like:
The above code is just dummy code, but it is the base that I used to make it work. But the problem with that form was that using the <form> tag instead of the <h:form> tag from the JSF core libraries results in a warning in the final HTML page; the warning said that I am using a tag (<form>) not described in my taglibs. So I tried the LoginBean way, using some pasted code from a forum. The LoginBean approach worked but had two problems: the first one is that the Spring authentication process is not working well; I realised that because I could access resources authorised only for admin role users with a user which has only the user role.
Last night I was reading some documentation, and I understood that I don't understand what I am doing!! hehehehe So I propose to make some things clear:
- JSF/RichFaces are my MVC framework
- Spring Security is my framework for authentication and authorisation.
So if I take the approach of thinking of them individually, why don't my navigation rules established in my faces-config.xml work properly? Why, when I put an <h:commandLink> with an action pointing to a from-outcome tag in my navigation rule and I click on it, does the rendered page look ugly and the URL shown in my browser look like http://localhost:8080/barmanagement//faces/home.xhtml when it should be pointing to /faces/admin/admin_home.xhtm?
I suppose that I am doing something wrong but I don't know what, so I need some kind of roadmap to properly configure my webapp and have a few example links, some secured and some others not, to see how Spring works in those cases.
You can see my current web.xml, faces-config.xml, applicationSecurity-context.xml and login.xhtml files in the link below to a Spanish forum post.
What do you now have in this tag in your Spring Security?
As long as your submit action is "j_spring_security_check" and the two input text fields are "j_username" and "j_password", it doesn't matter what tags you use. This is all about the JSP/Servlet spec here, which JSF conforms to.
You need to set the login page URL in that tag, and there is also an attribute to send it to a page when they log in unsuccessfully.
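The setup described in the reply above, sketched as an added example that is not part of the original thread or any poster's code. It uses the Spring Security namespace configuration of the versions that process logins at j_spring_security_check; the page locations, the role names ROLE_ADMIN and ROLE_USER, and the error parameter are assumptions.

```xml
<!-- Fragment for the Spring Security context file (security namespace as default). -->
<http auto-config="true">
  <!-- The login page itself must be reachable without authentication. -->
  <intercept-url pattern="/faces/login.xhtml" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
  <!-- Patterns are matched in order, so the most specific rule goes first. -->
  <intercept-url pattern="/faces/admin/**" access="ROLE_ADMIN"/>
  <intercept-url pattern="/faces/home.xhtml" access="ROLE_USER,ROLE_ADMIN"/>
  <!-- login-page: where unauthenticated users are sent.
       authentication-failure-url: where a failed login is sent. -->
  <form-login login-page="/faces/login.xhtml"
              authentication-failure-url="/faces/login.xhtml?error=true"/>
</http>

<!-- Body of login.xhtml (assumed location: served as /faces/login.xhtml).
     A plain HTML form is used because h:form always posts back to the JSF view
     and cannot target another URL. The servlet filter only looks at the request:
     the POST target and the two parameter names. -->
<form method="post" action="#{request.contextPath}/j_spring_security_check">
  <label for="j_username">User</label>
  <input type="text" id="j_username" name="j_username"/>
  <label for="j_password">Password</label>
  <input type="password" id="j_password" name="j_password"/>
  <input type="submit" value="Login"/>
</form>
```

With this in place no backing bean takes part in the login; the filter chain authenticates the POST and redirects to the originally requested page or to the failure URL.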
Mark, I did that! I put my login.xhtml page inside the <form-login> tag but I cannot find a proper way to authenticate the user... I tried with a backing bean but it does not work. What I need to know is what the correct way to do that is! For the moment, I leave the <form-login /> tag empty and I am using the Spring form login, which is ugly but it works.
Another thing that I don't know how to manage is the links inside the pages, because when I use a commandLink or a commandButton with an action defined in my faces-config.xml, the resulting URL is not filtered by Spring (i.e. a common user has access to an admin page), the URL is malformed (http://localhost:8080/barmanagement//faces/home.xhtml) and the style looks ugly.