zoukankan      html  css  js  c++  java
  • Spring security 3.1 +JSF 2.0 . problem with annotating methods in ManagedBeans?

    Hy .What i am trying to do is to integrate Spring security with a Jsf+spring IOC +hibernate application.I have managed to set the login page and filter some other pages.So far so good, but when i tried to put @Secured or @PreAuthorize annotation on methods inside managedBeans (inside Dao's the annotation do work), i realized they do absolutely nothing. I have read that i need FORCE class proxies. Spring uses proxy based aop,the managed bean implements an interface hence jdk dynamic proxy instead of class proxy is used. So i did this in my config file:

     <beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:aop="http://www.springframework.org/schema/aop"**    
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-2.5.xsd         
    http://www.springframework.org/schema/aop 
        http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
    
    <aop:aspectj-autoproxy proxy-target-class="true"/>
     //the rest of the beans
     </beans>

    The applicationContext-security Xml looks like this:

     <?xml version="1.0" encoding="UTF-8"?>
    
     <!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml 
    3019 2008-05-01 17:51:48Z luke_t $ -->
    
     <beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    <global-method-security secured-annotations="enabled"  jsr250-annotations="enabled"/>
    
    <http pattern="/css/**" security="none" />
    <http pattern="/pages/login.xhtml" security="none" />
    
    <http auto-config='false'>
        <intercept-url pattern="/pages/customer/**" access='ROLE_SITE_ADMIN' />
        <intercept-url pattern="/pages/department/overhead*" access='ROLE_SITE_ADMIN' />
        <intercept-url pattern="/**"
            access='ROLE_SITE_ADMIN,ROLE_PROJECT_MANAGER,ROLE_DEPARTMENT_MANAGER,ROLE_ACCOUNTING' />
        <form-login login-page="/pages/login.xhtml"
            default-target-url='/pages/reports.xhtml' always-use-default-target='true'
            authentication-failure-handler-ref="userLoginService" />
        <logout invalidate-session="true" logout-success-url="/pages/login.xhtml"/>
    </http>
    
    <authentication-manager>
        <authentication-provider user-service-ref='userLoginService'>
            <password-encoder hash="md5" />
        </authentication-provider>
    </authentication-manager>
    
    <beans:bean id="userLoginService" class="com.evozon.demo.bean.SecureLoginService">
        <beans:property name="defaultFailureUrl" value="/pages/login.xhtml" />
        <beans:property name="userDao" ref="userDao" />
        <beans:property name="loginReportDao" ref="loginReportDao" />
    </beans:bean>
     </beans:beans>

    Can someone tell my why the annotations do not work inside a managed bean,and how to resolve the problem ? ex:

    @PreAuthorize("ROLE_PROJECT_MANAGER")
    public void aproveVacation(Vacation vacation) {...}

    Answer:

    The problem has been solved.The solution is to transform the Managed beans to Spring beans. Here is how :
    web.xml does not need the jsf listener only the sprin ones :

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>

    The application context need this config to work at first :

    <beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-2.5.xsd         
    http://www.springframework.org/schema/aop 
    http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
    http://www.springframework.org/schema/tx 
    http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
    
    
    <context:component-scan base-package="com.company.demo.bean" />
    <context:annotation-config />
    <aop:config proxy-target-class="true" />
    //other configs
    </beans>     

    Note that the first two need to define the base package for the spring beans (for the Components) and that the beans are annotated.The third config is needed to force the class proxy,here is why you need that.
    Ok.once we know that we change the annotations from jsf managedBeans to Spring components :

    @ManagedBean
    @SessionScoped
    public class UserLoginBean {
    
    @ManagedProperty(name = "userDao", value = "#{userDao}")
    private UserDao userDao; 
    }   

    to:

    @Component
    @Scope("session")
    @Qualifier("userLoginBean")
    public class UserLoginBean  {
    
    @Autowired
    private UserDao userDao;
    }     

    That's all.If you have already this config and doesn't work you should set <aop:config proxy-target-class="true" /> into your applicationContext.xml.

    PS:if nothing happened, you can change the

    <sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"> 
            </sec:global-method-security>

    to

    <sec:global-method-security pre-post-annotations="enabled" >
        </sec:global-method-security>
  • 相关阅读:
    Layout布局
    了解java虚拟机—串行回收器(6)
    了解java虚拟机—JVM相关参数设置(2)
    了解java虚拟机—堆相关参数设置(3)
    了解java虚拟机—垃圾回收算法(5)
    了解java虚拟机—并行回收器(7)
    了解java虚拟机JVM的基本结构(1)
    了解java虚拟机—非堆相关参数设置(4)
    了解java虚拟机—CMS回收器(8)
    求FTP协议规范中文版
  • 原文地址:https://www.cnblogs.com/sos-blue/p/3441956.html
Copyright © 2011-2022 走看看