Spring security 3.1 +JSF 2.0 . problem with annotating methods in ManagedBeans?

Hy .What i am trying to do is to integrate Spring security with a Jsf+spring IOC +hibernate application.I have managed to set the login page and filter some other pages.So far so good, but when i tried to put @Secured or @PreAuthorize annotation on methods inside managedBeans (inside Dao's the annotation do work), i realized they do absolutely nothing. I have read that i need FORCE class proxies. Spring uses proxy based aop,the managed bean implements an interface hence jdk dynamic proxy instead of class proxy is used. So i did this in my config file:

 <beans xmlns="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xmlns:aop="http://www.springframework.org/schema/aop"**    

xsi:schemaLocation="http://www.springframework.org/schema/beans 

http://www.springframework.org/schema/beans/spring-beans-2.5.xsd         

http://www.springframework.org/schema/aop 

    http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">



<aop:aspectj-autoproxy proxy-target-class="true"/>

 //the rest of the beans

 </beans>

The applicationContext-security Xml looks like this:

 <?xml version="1.0" encoding="UTF-8"?>



 <!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml 

3019 2008-05-01 17:51:48Z luke_t $ -->



 <beans:beans xmlns="http://www.springframework.org/schema/security"

xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://www.springframework.org/schema/beans

       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

       http://www.springframework.org/schema/security

       http://www.springframework.org/schema/security/spring-security-3.1.xsd">



<global-method-security secured-annotations="enabled"  jsr250-annotations="enabled"/>



<http pattern="/css/**" security="none" />

<http pattern="/pages/login.xhtml" security="none" />



<http auto-config='false'>

    <intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />

    <intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />

    <intercept-url pattern="/**"

        access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />

    <form-login login-page="/pages/login.xhtml"

        default-target-url='/pages/reports.xhtml' always-use-default-target='true'

        authentication-failure-handler-ref="userLoginService" />

    <logout invalidate-session="true" logout-success-url="/pages/login.xhtml"/>

</http>



<authentication-manager>

    <authentication-provider user-service-ref='userLoginService'>

        <password-encoder hash="md5" />

    </authentication-provider>

</authentication-manager>



<beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">

    <beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />

    <beans:property name="userDao" ref="userDao" />

    <beans:property name="loginReportDao" ref="loginReportDao" />

</beans:bean>

 </beans:beans>

Can someone tell my why the annotations do not work inside a managed bean,and how to resolve the problem ? ex:

@PreAuthorize("ROLE_PROJECT_MANAGER")

public void aproveVacation(Vacation vacation) {...}

 

 

 

 

Answer:

The problem has been solved.The solution is to transform the Managed beans to Spring beans. Here is how :
web.xml does not need the jsf listener only the sprin ones :

<listener>

    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>

</listener>

<listener>

    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>

</listener>

The application context need this config to work at first :

<beans xmlns="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"

xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"

xsi:schemaLocation="http://www.springframework.org/schema/beans 

http://www.springframework.org/schema/beans/spring-beans-2.5.xsd         

http://www.springframework.org/schema/aop 

http://www.springframework.org/schema/aop/spring-aop-3.0.xsd

http://www.springframework.org/schema/tx 

http://www.springframework.org/schema/tx/spring-tx-3.0.xsd

 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">





<context:component-scan base-package="com.company.demo.bean" />

<context:annotation-config />

<aop:config proxy-target-class="true" />

//other configs

</beans>     

Note that the first two need to define the base package for the spring beans (for the Components) and that the beans are annotated.The third config is needed to force the class proxy,here is why you need that.
Ok.once we know that we change the annotations from jsf managedBeans to Spring components :

@ManagedBean

@SessionScoped

public class UserLoginBean {



@ManagedProperty(name = "userDao", value = "#{userDao}")

private UserDao userDao; 

}   

to:

@Component

@Scope("session")

@Qualifier("userLoginBean")

public class UserLoginBean  {



@Autowired

private UserDao userDao;

}     

That's all.If you have already this config and doesn't work you should set <aop:config proxy-target-class="true" /> into your applicationContext.xml.

 

PS:if nothing happened, you can change the

<sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"> 

        </sec:global-method-security>

to

<sec:global-method-security pre-post-annotations="enabled" >

    </sec:global-method-security>

 

你可能感兴趣的:(Spring Security)