Migration from 2.2.1 to 3.0.M1 problem with spring security

[domgom]

Hi, I have an application working fine with 2.2.1 and after reading the migration guide I can't find why is not working fine with 3.0.M1 version.
I have spring security integration doing this way:

Code: Select all

public String doLogin() throws IOException, ServletException {

		ExternalContext context = FacesContext.getCurrentInstance() 
				.getExternalContext();

		RequestDispatcher dispatcher = ((ServletRequest) context.getRequest())
				.getRequestDispatcher("/j_spring_security_check");

		dispatcher.forward((ServletRequest) context.getRequest(),
				(ServletResponse) context.getResponse());

		FacesContext.getCurrentInstance().responseComplete();
		return null;
	}

Always returns password error. I thought it could be a jar version overriding but I don't found that in primefaces dependencies.

My applicationContext-security.xml is:

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

	<!-- HTTP security configurations -->
    <http auto-config="true" use-expressions="true">
    	<form-login login-processing-url="/j_spring_security_check" login-page="/login.jsf" authentication-failure-url="/login.jsf?error=true"/>
        <logout logout-url="/j_spring_security_logout"/>
        
        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/user/**" access="hasRole('ROLE_USER')"/>
   		<intercept-url pattern="/welcome.jsf" access="isAuthenticated()" />
        <intercept-url pattern="/css/**" access="permitAll" />
        <intercept-url pattern="/images/**" access="permitAll" />
        <intercept-url pattern="/**" access="permitAll" />
    </http>

	<!-- Configure Authentication mechanism -->
    <authentication-manager alias="authenticationManager">
    	<!-- SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
    	<authentication-provider>
	    	<password-encoder hash="sha-256"/>
	        <user-service>
	            <user name="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" authorities="ROLE_ADMIN"/>
		        <user name="user" password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" authorities="ROLE_USER"/>
		    </user-service>
    	</authentication-provider>
	</authentication-manager>


</beans:beans>

and my web.xml

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	version="2.5">
	<display-name>gescon</display-name>
	<description>Gestion de Congresos v2</description>
	<context-param>
		<param-name>defaultHtmlEscape</param-name>
		<param-value>true</param-value>
	</context-param>
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>classpath*:META-INF/spring/applicationContext*.xml</param-value>
	</context-param>
	<context-param>
		<param-name>primefaces.THEME</param-name>
		<param-value>redmond</param-value>
	</context-param>
	<context-param>
		<param-name>javax.faces.DATETIMECONVERTER_DEFAULT_TIMEZONE_IS_SYSTEM_TIMEZONE</param-name>
		<param-value>true</param-value>
	</context-param>
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>
	<listener>
		<listener-class>
			org.springframework.web.context.request.RequestContextListener</listener-class>
	</listener>
	<filter>
		<filter-name>CharacterEncodingFilter</filter-name>
		<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
		<init-param>
			<param-name>encoding</param-name>
			<param-value>UTF-8</param-value>
		</init-param>
		<init-param>
			<param-name>forceEncoding</param-name>
			<param-value>true</param-value>
		</init-param>
	</filter>
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
		<filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>CharacterEncodingFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>FORWARD</dispatcher>
		<dispatcher>REQUEST</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Spring OpenEntityManagerInViewFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<servlet>
		<servlet-name>Faces Servlet</servlet-name>
		<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet>
		<servlet-name>Resource Servlet</servlet-name>
		<servlet-class>org.primefaces.resource.ResourceServlet</servlet-class>
	</servlet>
	<servlet-mapping>
		<servlet-name>Resource Servlet</servlet-name>
		<url-pattern>/primefaces_resource/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>Faces Servlet</servlet-name>
		<url-pattern>*.jsf</url-pattern>
		<url-pattern>/faces/*</url-pattern>
	</servlet-mapping>
	<session-config>
		<session-timeout>10</session-timeout>
	</session-config>
	<error-page>
		<exception-type>java.lang.Exception</exception-type>
		<location>/uncaughtException</location>
	</error-page>
	<error-page>
		<error-code>404</error-code>
		<location>/resourceNotFound</location>
	</error-page>
</web-app>

Anyone has a similar problem? Any ideas? Thank you.

Regards.

[domgom]

Ok, I have found the error. The problem is in this snippet:

Code: Select all

public String doLogin() throws IOException, ServletException {

		ExternalContext context = FacesContext.getCurrentInstance()
				.getExternalContext();

		RequestDispatcher dispatcher = ((ServletRequest) context.getRequest())
				.getRequestDispatcher("/j_spring_security_check");

		dispatcher.forward((ServletRequest) context.getRequest(),
				(ServletResponse) context.getResponse());

		FacesContext.getCurrentInstance().responseComplete();
		return null;
	}

If I change for this other one all works as expected

Code: Select all

public String doLogin() throws IOException, ServletException {

		ExternalContext context = FacesContext.getCurrentInstance()
				.getExternalContext();

		RequestDispatcher dispatcher = ((ServletRequest) context.getRequest())
				.getRequestDispatcher("/j_spring_security_check?j_username="+user+"&j_password="+password);

		dispatcher.forward((ServletRequest) context.getRequest(),
				(ServletResponse) context.getResponse());

		FacesContext.getCurrentInstance().responseComplete();
		return null;
	}

For some reason in version 3.0.M1 the request parameters are not propagating in the redirect like it happens in 2.2.1. Forcing via get parameters solves my problem but maybe something is broken under the hood.

Best regards.

[primeuser2412]

As a rule of thumb, don't use your web application with a Milestone release, Release Candidate or Beta - only use Stable release - you will save yourself a lot of heartache, not to mention, wasting time.

[domgom]

I know but that rule does not apply in my scenario: my application is for academic purposes so I don't mind too much about finding and reporting bugs. And I have to add that skinned selectOneListBox tempted me for going to 3.0.M1.
Anyway my problem is solved, I just notify the bug it for product improving.

Thanks for your reply!.

[dasgin]

Hi domgom,

I have migrated from 2.2.1 to 3.0.M1. I am using Mojarra 2.0.3 and Tomcat 7.x and I haven't encountered any problem like yours.

My login bean:

Code: Select all

public void loginAction() throws IOException, ServletException{
		
		ExternalContext context = getExternalContext();

		RequestDispatcher dispatcher = ((ServletRequest) context.getRequest()).getRequestDispatcher("/j_spring_security_check");
        dispatcher.forward((ServletRequest) context.getRequest(), (ServletResponse) context.getResponse());
 
        FacesContext.getCurrentInstance().responseComplete();
	}

And my login.xhtml:

Code: Select all

...
<h:outputLabel value="Username" for="j_username"/>
					<h:inputText autocomplete="off" id="j_username" label="Username" />
					<h:outputLabel value="Password" for="j_password"/>
					<h:inputSecret  id="j_password" label="Password" />
...

happy java..

[domgom]

@dasgin
I noticed you are using h: tags, not p: for inputs and I investigated a bit more in my code.
My rendered input is:

<input id="j_idt13:login" name="j_idt13:login" type="text" value="" class="ui-inputfield ui-inputtext ui-widget ui-state-default ui-corner-all ui-state-hover">

The fact is that's a bad name despite of my code is:

Code: Select all

<h:form prependId="false"  > 

and the input has another id:

Code: Select all

<p:inputText name="j_username" id="j_username" value="#{loginBean.user}" />

Changing back to 2.2.1 I see the following render:

Code: Select all

<input id="j_username" name="j_username" type="text" value="" class="ui-inputfield ui-widget ui-state-default ui-corner-all ui-state-hover">

So, definitively h:form prependId="false" is not working in 3.0.M1.

Thanks for your help dasgin.

[alance]

Hello all,

I used the following method for authentication in LoginBean.I m using Spring 3.0 ,JSF 2.0 running in JBOSS 5.1.0 GA.But am getting error as follows:-

Servlet.service() for servlet default threw exception
javax.context.ContextNotActiveException: No active contexts for scope type javax.context.RequestScoped
at org.jboss.webbeans.ManagerImpl.getContext(ManagerImpl.java:739)
at org.jboss.webbeans.bean.proxy.ClientProxyMethodHandler.getProxiedInstance(ClientProxyMethodHandler.java:116)
at org.jboss.webbeans.bean.proxy.ClientProxyMethodHandler.invoke(ClientProxyMethodHandler.java:96)
at org.jboss.webbeans.conversation.ConversationImpl_$$_javassist_2.isLongRunning(ConversationImpl_$$_javassist_2.java)
at org.jboss.webbeans.servlet.ConversationPropagationFilter$1.sendRedirect(ConversationPropagationFilter.java:124)
at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:126)
at org.springframework.security.web.firewall.FirewalledResponse.sendRedirect(FirewalledResponse.java:25)
at com.coco.dwhsportal.web.security.LoginSuccessHandler.onAuthenticationSuccess(LoginSuccessHandler.java:36)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:301)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:218)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:57)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:638)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:444)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:382)


WARNING [lifecycle] #{loginBean.doLogin}: javax.context.ContextNotActiveException: No active contexts for scope type javax.context.RequestScoped
javax.faces.FacesException: #{loginBean.doLogin}: javax.context.ContextNotActiveException: No active contexts for scope type javax.context.RequestScoped
at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118)
at org.springframework.faces.webflow.FlowActionListener.processAction(FlowActionListener.java:71)
at org.springframework.faces.model.SelectionTrackingActionListener.processAction(SelectionTrackingActionListener.java:55)
at javax.faces.component.UICommand.broadcast(UICommand.java:315)
at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:787)
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1252)
at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:312)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.webbeans.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:113)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:369)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)


public String doLogin() throws IOException, ServletException {

if(username == null ||username.equals("") ||
password==null || password.equals("") ){
CommonUtils.showMessage(FacesMessage.SEVERITY_INFO, "Required :", "Both fields are required");
}else{

ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();

RequestDispatcher dispatcher = ((ServletRequest) context.getRequest()).getRequestDispatcher("/j_spring_security_check?j_username="+username+"&j_password="+password);

dispatcher.forward((ServletRequest) context.getRequest(),
(ServletResponse) context.getResponse());

FacesContext.getCurrentInstance().responseComplete();


}
return null;
}

public void init() {


ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
HttpServletResponse response = (HttpServletResponse) context.getResponse();
HttpSession session = (HttpSession) context.getSession(false);
HttpServletRequest request = (HttpServletRequest) context.getRequest();

try {
if (session.getAttribute(HTTPSessionVariables.USERNAME) != null) {
response.sendRedirect(request.getContextPath() + "/pages/index.jsf");
}
} catch (Exception e) {
log.error("Error in LogoutBean " + e);
}

}
}

Is it because of using Spring security?
Can anybody point out where I went wrong?

[tandraschko]

AFAICS you use CDI and Spring the same time?