Hi. What I am trying to do is integrate Spring Security with a JSF + Spring IoC + Hibernate application. I have managed to set up the login page and filter some other pages. So far so good, but when I tried to put the @Secured or @PreAuthorize annotation on methods inside managed beans (inside DAOs the annotations do work), I realized they do absolutely nothing. I have read that I need to FORCE class proxies. Spring uses proxy-based AOP; the managed bean implements an interface, hence a JDK dynamic proxy is used instead of a class proxy. So I did this in my config file:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/aop
           http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">

    <aop:aspectj-autoproxy proxy-target-class="true" />

    <!-- the rest of the beans -->
</beans>
The applicationContext-security XML looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  - Sample namespace-based configuration
  -
  - $Id: applicationContext-security.xml 3019 2008-05-01 17:51:48Z luke_t $
  -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />

    <http pattern="/css/**" security="none" />
    <http pattern="/pages/login.xhtml" security="none" />

    <http auto-config='false'>
        <intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />
        <intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />
        <intercept-url pattern="/**" access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />
        <form-login login-page="/pages/login.xhtml"
                    default-target-url='/pages/reports.xhtml'
                    always-use-default-target='true'
                    authentication-failure-handler-ref="userLoginService" />
        <logout invalidate-session="true" logout-success-url="/pages/login.xhtml" />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref='userLoginService'>
            <password-encoder hash="md5" />
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">
        <beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />
        <beans:property name="userDao" ref="userDao" />
        <beans:property name="loginReportDao" ref="loginReportDao" />
    </beans:bean>
</beans:beans>
Can someone tell me why the annotations do not work inside a managed bean, and how to resolve the problem? Example:
@PreAuthorize("ROLE_PROJECT_MANAGER")
public void aproveVacation(Vacation vacation) {...}
Answer:
The problem has been solved. The solution is to transform the managed beans into Spring beans. Here is how:
web.xml does not need the JSF listener, only the Spring ones:
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
The application context needs this config to work at first:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/aop
           http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
           http://www.springframework.org/schema/tx
           http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <context:component-scan base-package="com.company.demo.bean" />
    <context:annotation-config />
    <aop:config proxy-target-class="true" />

    <!-- other configs -->
</beans>
Note that the first two need to define the base package for the Spring beans (for the components) and that the beans are annotated. The third config is needed to force the class proxy; here is why you need that.
OK. Once we know that, we change the annotations from JSF managed beans to Spring components:
@ManagedBean
@SessionScoped
public class UserLoginBean {

    @ManagedProperty(name = "userDao", value = "#{userDao}")
    private UserDao userDao;
}
to:
@Component
@Scope("session")
@Qualifier("userLoginBean")
public class UserLoginBean {

    @Autowired
    private UserDao userDao;
}
That's all. If you already have this config and it doesn't work, you should set
<aop:config proxy-target-class="true" />
into your applicationContext.xml.
PS: if nothing happened, you can change the
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"></sec:global-method-security>
to
<sec:global-method-security pre-post-annotations="enabled"></sec:global-method-security>
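Why the annotation is silently ignored on a bean that JSF instantiates itself, as an added example that is not part of the original question or answer: the check lives in a proxy the container hands out, so an object created outside the container never passes through it. `RequiresRole`, `VacationActions`, `VacationBean` and `containerManaged` are hypothetical stand-ins written in plain Java (no Spring on the classpath); Spring's own interceptor is more involved.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.Set;

public class ProxyBypassDemo {
    // Hypothetical stand-in for @PreAuthorize/@Secured; not a Spring annotation.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    interface VacationActions { String approveVacation(String vacationId); }

    static class VacationBean implements VacationActions {
        @RequiresRole("ROLE_PROJECT_MANAGER")
        public String approveVacation(String vacationId) { return "approved " + vacationId; }
    }

    // What a container does for beans it creates: hand out a proxy that checks first.
    static VacationActions containerManaged(VacationBean target, Set<String> callerRoles) {
        InvocationHandler handler = (proxy, method, args) -> {
            // Read the annotation from the implementation class, not the interface.
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            RequiresRole rule = impl.getAnnotation(RequiresRole.class);
            if (rule != null && !callerRoles.contains(rule.value())) {
                throw new SecurityException("access denied: needs " + rule.value());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (VacationActions) Proxy.newProxyInstance(
                VacationActions.class.getClassLoader(), new Class<?>[] { VacationActions.class }, handler);
    }

    public static void main(String[] args) {
        Set<String> callerRoles = Set.of("ROLE_ACCOUNTING"); // constructed sample caller

        // Instantiated directly, as JSF does for @ManagedBean: the annotation is never read.
        VacationActions jsfStyle = new VacationBean();
        System.out.println("direct instance: " + jsfStyle.approveVacation("V-1"));

        // Obtained from the container: the same call is checked and rejected.
        VacationActions springStyle = containerManaged(new VacationBean(), callerRoles);
        try {
            springStyle.approveVacation("V-1");
        } catch (SecurityException e) {
            System.out.println("proxied instance: " + e.getMessage());
        }
    }
}
```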
Spring security 3.1 +JSF 2.0 . problem with annotating methods in ManagedBeans?
