I have a webapp which I deploy on google appengine. I believe that the issue is not related to GAE, but there is something that I am missing...
Basically, I want to force the user to be authenticated in order to see/use anything that is under /secured dir. I have HTML page that is under this dir, but the user can easily navigate to it (without being authenticated). How do I secure it using SS?
I read this and that, tried it but it did not help :-(
My config - web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- to integrate Spring with AppEngine project -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-servlet.xml</param-value>
</context-param>
<!-- if we work with Spring-security, we already have a listener -->
<!-- listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener-->
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
spring-servlet.xml:
<context:annotation-config />
<context:property-placeholder location="classpath:client.properties" />
<context:component-scan base-package="com.nice.coffee" />
<context:component-scan base-package="com.ohadr.auth_flows" />
<context:component-scan base-package="com.ohadr.crypto" />
<mvc:annotation-driven />
<mvc:default-servlet-handler />
<!-- dont use debug! https://jira.spring.io/browse/SEC-1885 >
<sec:debug />
-->
<mvc:resources mapping="/secured/**" location="/secured/" />
<sec:http pattern="/login/**" security="none" />
<sec:http pattern="/forgotPasswordPage" security="none" />
<sec:http pattern="/forgotPassword" security="none" />
<sec:http pattern="/createAccountPage" security="none" />
<sec:http pattern="/createAccount" security="none" />
<sec:http authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/**/ohad.html" access="ROLE_ADMIN" />
<sec:intercept-url pattern="/secured/**" access="ROLE_USER" />
<sec:anonymous />
<sec:form-login login-page="/login/login.htm"
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler" />
</sec:http>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider
user-service-ref="userDetailsService">
<sec:password-encoder hash="sha-256">
<sec:salt-source user-property="username" />
</sec:password-encoder>
</sec:authentication-provider>
</sec:authentication-manager>...
My project hierarchy:
...thanks in advance!
Rather than putting the secured pages under src/main/webapp/secured, which get served up directly, put them in src/main/resources/secured, and change your resources statement to
<mvc:resources mapping="/secured/**" location="classpath:/secured/" />
It appears that my problem was in this line:
<mvc:resources mapping="/secured/**" location="/secured/" />
Spring MVC is "confused" when both location and mapping have the same name. So when a request to a resource enters the application, e.g. .../secured/my.html, Spring MVC does not use the mapping at all.
The solution was to change the location name (or the mapping, but I changed the location name), so I ended up with:
<mvc:resources mapping="/secured/**" location="/secured_resources/" />
and all my resources (HTML, JS, etc.) were under a dir called 'secured_resources'. Then, when a request arrived at the application, e.g. .../secured/my.html, it was mapped successfully using MVC, hence the browser is redirected to the login page, etc.
Related
I'm developing an application that uses JSF (Mojarra) to control the MVC flow, but I also want to integrate Spring Security for its Authentication and Authorization processes.
However, I'm having a problem where the Spring Bean Factory cannot instantiate the classes that I built to do custom login and so on. From there, the system doesn't even go online.
The stacktrace starts with:
java.lang.ClassNotFoundException: com.tfduque.fieldAssist.manager.LoginBean
And then
org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [com.tfduque.fieldAssist.manager.LoginBean] for bean with name 'authenticationEntryPoint' defined in ServletContext resource [/WEB-INF/applicationContext.xml]; nested exception is java.lang.ClassNotFoundException: com.tfduque.fieldAssist.manager.LoginBean
And so on...
(Full stacktrace)
This is how my folders are organized, if it matters:
My application context (for spring security configurations):
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/login*" security="none" />
<http pattern="/css/**" security="none" />
<http pattern="/images/**" security="none" />
<http pattern="/javascript/**" security="none" />
<http pattern="/Secured/**" create-session="stateless"
use-expressions="true">
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<http-basic />
</http>
<http auto-config="true" use-expressions="true"
access-decision-manager-ref="accessDecisionManager">
<intercept-url pattern="/**" access="isFullyAuthenticated()" />
<form-login login-page="/login.xhtml" login-processing-url="/j_login"
authentication-failure-url="/login.xhtml" always-use-default-target="false"
default-target-url="/" />
<logout invalidate-session="true" logout-success-url="/login.xhtml"
logout-url="/j_logout" delete-cookies="JSESSIONID" />
</http>
<authentication-manager>
<authentication-provider user-service-ref="authenticationEntryPoint">
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
<beans:bean id="appUserDetailsService"
class="com.tfduque.fieldAssist.security.AppUserDetailsService" />
<beans:bean id="authenticationEntryPoint"
class=" com.tfduque.fieldAssist.manager.LoginBean">
<beans:property name="loginFormUrl" value="/Login.xhtml" />
<beans:property name="redirectStrategy" ref="jsfRedirectStrategy" />
</beans:bean>
</beans:beans>
Some of my web.xml configs (btw, I'm also using weld for injection):
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<!-- Listeners -->
<listener>
<listener-class>org.jboss.weld.environment.servlet.Listener</listener-class>
</listener>
<resource-env-ref>
<resource-env-ref-name>BeanManager</resource-env-ref-name>
<resource-env-ref-type>javax.enterprise.inject.spi.BeanManager</resource-env-ref-type>
</resource-env-ref>
<!-- Security -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Login Bean is annotated like this:
import java.io.IOException;
import javax.enterprise.context.RequestScoped;
import javax.inject.Named;
import javax.servlet.ServletException;

// CDI (Weld) managed bean, not a Spring bean
@Named("login")
@RequestScoped
public class LoginBean {
    public String doLogin() throws IOException, ServletException {
        [...]
    }
}
I think that this is all needed to understand the problem.
I am new to Spring and am using Spring 3.2.5 RELEASE. I have a custom UserDetailsService called MongoUserDetailsService. This is my application-security.xml.
<http auto-config="true">
<intercept-url pattern="/secured/*" access="ROLE_USER" />
<form-login login-processing-url="/login" login-page="/loginPage"
username-parameter="username" password-parameter="password"
default-target-url="/secured/mypage" authentication-failure-url="/loginPage?auth=fail" />
<logout logout-url="/logout" logout-success-url="/logoutPage" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="mongoUserDetailsService">
<password-encoder hash="plaintext" />
</authentication-provider>
</authentication-manager>
and here is my dispatcher-servlet.xml
<context:component-scan base-package="com.srccodes.spring.controller" />
<mvc:annotation-driven />
<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/pages/" />
<property name="suffix" value=".jsp" />
</bean>
<bean id="mongoUserDetailsService" class="com.srccodes.spring.security.MongoUserDetailsService">
</bean>
I receive a bean not found error in application-security.xml where the authentication-provider is provided. I have checked the paths and they are correct.
I am adding my web.xml as well.
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring context files to be loaded -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml,
/WEB-INF/application-security.xml,
/WEB-INF/mongo-config.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- filter declaration for Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
In the application-security.xml file you must import the dispatcher-servlet.xml. The following code shows the import syntax:
1- if dispatcher-servlet.xml is on the build path:
<import resource="classpath:DIR/dispatcher-servlet.xml" />
2- if it is in the WEB-INF dir:
<import resource="DIR/dispatcher-servlet.xml" />
I hope this helps you.
If you've defined your application-security.xml as a root context (i.e., it's loaded via ... ContextLoaderListener) and your dispatcher-servlet.xml via DispatcherServlet, you'll have visibility/scoping issues. The DispatcherServlet contexts are children of the root context, therefore beans defined in a DispatcherServlet context ARE NOT visible to the root context, but root context beans ARE visible to all child servlet contexts.
So move your mongoUserDetailsService to your application-security.xml.
UPDATE:
You are loading your dispatcher-servlet.xml configurations twice, once explicitly at
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/dispatcher-servlet.xml
/WEB-INF/application-security.xml
/WEB-INF/mongo-config.xml
</param-value>
</context-param>
and again implicitly (by Spring convention) with the DispatcherServlet. You should check out the Spring reference for a better understanding of ApplicationContext and DispatcherServlet.
You need to remove dispatcher-servlet.xml from contextConfigLocation.
Your dispatcher-servlet.xml should only include Spring MVC related config. Unless it's your intention, the following component-scan is too inclusive; you should limit it to Spring MVC related beans (e.g. controllers) and move things like security and repositories to a root context.
<context:component-scan base-package="com.srccodes.spring" />
<context:component-scan base-package="com.srccodes.spring.security" />
<context:component-scan base-package="com.srccodes.spring.domain" />
<context:component-scan base-package="com.srccodes.spring.repositories" />
<context:component-scan base-package="com.srccodes.spring.controller" />
move your mongoUserDetailsService to the application-security.xml
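The split this answer recommends, written out side by side as an added example (not config from the thread); it assumes the file names from the question and that MongoUserDetailsService lives in com.srccodes.spring.security:

```xml
<!-- web.xml: the root context is built by ContextLoaderListener from these
     files only. dispatcher-servlet.xml is deliberately NOT listed, because
     the DispatcherServlet named "dispatcher" loads it by convention -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext.xml,
        /WEB-INF/application-security.xml,
        /WEB-INF/mongo-config.xml
    </param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- application-security.xml (root context): the UserDetailsService is
     declared here, next to the authentication-manager that references it,
     so the lookup never has to cross into a child context -->
<beans:bean id="mongoUserDetailsService"
            class="com.srccodes.spring.security.MongoUserDetailsService" />
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="mongoUserDetailsService" />
</authentication-manager>

<!-- dispatcher-servlet.xml (child context): MVC beans only. A controller
     here can still have mongoUserDetailsService injected from the root
     context; the reverse lookup is what fails in the question -->
<context:component-scan base-package="com.srccodes.spring.controller" />
<mvc:annotation-driven />
```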
This issue is related to Spring Security. Whenever I run my application on Tomcat, by default index.jsp opens, but now I am getting access denied on this page.
From index.jsp I am redirecting the page to login.jsp, but since I am getting access denied on this page, the redirection is not happening. What I meant to say is, if I hit "localhost:8080/abc" I am getting access denied, but if I hit "localhost:8080/abc/login" the page opens. (Just to be clear, abc is the application context.)
I am pretty sure I have messed up somewhere in the Spring Security config, because it was working fine before.
Below are my files:
This is my spring-security.xml
<sec:global-method-security pre-post-annotations="enabled"/>
<!--
Add white listed urls here.
Please note that the filter chain will not be applied and the security context not populated.
Use for static resource mostly
-->
<http pattern="/resources/**" security="none" />
<http pattern="/login" security="none" />
<http pattern="/login1" security="none" />
<http pattern="/googleLogin" security="none" />
<!-- Add protected resource here -->
<http use-expressions="true" entry-point-ref="forbiddenEntryPoint">
<custom-filter position="PRE_AUTH_FILTER" ref="oauth2PreAuthFilter" />
<intercept-url pattern="/menu" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/request/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/device/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="AuthenticationService" />
</authentication-manager>
<beans:bean id="forbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<beans:bean id="AuthenticationService" class="com.hitesh.security.AuthenticateUserService"/>
<beans:bean id="oauth2PreAuthFilter" class="com.hitesh.security.OAuth2PreAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<beans:bean id="preAuthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService"/>
</beans:bean>
<beans:bean id="preAuthenticatedUserDetailsService" class="com.hitesh.security.Oauth2PreAuthenticatedUserService"/>
This is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>Inventory Project</display-name>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:/abc/application.xml,
classpath:/abc/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
I am stuck on this for quite a time, any help will be really appreciated.
Update: On application startup, my code is going into the oauth2PreAuthFilter. For index.jsp, it shouldn't run this filter. Is there a way to avoid this? I have tried
<http pattern="/index" security="none" />
but this didn't help.
Try this (use your values):
<http use-expressions="true" entry-point-ref="forbiddenEntryPoint">
<custom-filter position="PRE_AUTH_FILTER" ref="oauth2PreAuthFilter" />
<intercept-url pattern="/menu" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/request/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/device/**" access="hasAnyRole('ROLE_USER')" />
<intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<form-login login-page='/login.htm' default-target-url="/home.htm"/>
</http>
Got the fix:
<http auto-config="true" pattern="/index.jsp" />
I am new to Spring Security and have run into a problem. When I attempt to access a page that is expected to be restricted it is displaying the requested page anyway, no 403 nor redirecting to login page, no errors in the logs, nothing, just as if Spring Security was not implemented at all.
When the application is deployed I see the following in the logs which tells me Spring Security is at least starting:
INFO: Checking whether login URL '/security/credentials' is accessible with your configuration
I have attempted to change the login page to a restricted page, just to test that it is actually restricted, and I get the following, which tells me that it is correctly being restricted, at least in the simulation.
INFO: Checking whether login URL '/dashboard' is accessible with your configuration
org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
WARNING: Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)
I have the following setup:
web.xml
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<welcome-file-list>
<welcome-file>
index.html
</welcome-file>
</welcome-file-list>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>messages</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/applicationContext.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
<init-param>
<param-name>logLevel</param-name>
<param-value>TRACE</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
</web-app>
The Spring Security configuration file is imported from my applicationContext.xml.
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http auto-config="true" use-expressions="true">
<form-login
login-page="/security/credentials"
login-processing-url="/security/signin"
default-target-url="/dashboard"
authentication-failure-url="/security/signin_failed" />
<intercept-url pattern="/resources/**" access="permitAll"/>
<intercept-url pattern="/security/**" access="permitAll" />
<intercept-url pattern="/favicon.ico" access="permitAll"/>
<intercept-url pattern="/**" access="denyAll"/>
<logout logout-success-url="/security/signout" />
<remember-me />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="test" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
Spring is behaving correctly, as you are actually telling Spring that /security/** requests require no authentication (access="permitAll"):
...
<intercept-url pattern="/security/**" access="permitAll" />
...
If you wanted to restrict access to only authenticated users then you could specify:
...
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...
Or if you wanted to restrict access to a specific role (replace ROLE_XXX with your specific role):
...
<intercept-url pattern="/security/**" access="hasRole('ROLE_XXX')" />
...
Please note that login related URLs can't be restricted (for obvious reasons):
<form-login
login-page="/security/credentials"
login-processing-url="/security/signin"
default-target-url="/dashboard"
authentication-failure-url="/security/signin_failed" />
So either change them to rather start with something like /login/ instead of /security/ or add specific intercepts URLs for each of them (if you must use them):
...
<intercept-url pattern="/security/credentials" access="permitAll" />
<intercept-url pattern="/security/signin" access="permitAll" />
<intercept-url pattern="/security/signin_failed" access="permitAll" />
<intercept-url pattern="/security/**" access="isAuthenticated()" />
...
The more specific URLs should be declared first as Spring uses the first rule that it finds from the top.
I suggest trying it after removing the <remember-me /> tag, or deleting all the cookies first.
It appears that because of an existing cookie you are able to access /dashboard.
Edit:
You have UrlRewriteFilter configured before Spring Security; check what the final URL is that's given to the Spring Security filter, or you can try after disabling UrlRewriteFilter.
I'm just getting started with Spring Security 3.1 and I haven't found a way to implement it on top of a JSF 2.1 web app. I currently have:
A web.xml with:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext-business.xml
/WEB-INF/applicationContext-security.xml
</param-value>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
And my applicationContext-security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/resources/**" security="none" />
<http use-expressions="true">
<intercept-url pattern="/administracion/departamentos/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/derechos/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/diasfestivos/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/dias/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/solicitudes/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/empleados/**" access="recursoshumanos" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="rod" password="koala" authorities="recursoshumanos" />
<user name="dianne" password="emu" authorities="jefe" />
<user name="scott" password="wombat" authorities="jefe" />
</user-service>
</authentication-provider>
</authentication-manager>
I'm guessing this example would work with a regular .jsp, but I'm probably missing additional steps to make it work with JSF; unfortunately, I haven't been able to find a fully working example so far. What do I need to do? Thanks!
Edit: The problem is that i can still navigate freely to the secured areas of the application without needing to log in.
Edit: BTW, I just noticed that a filter to the root of the web app does indeed trigger the authentication mechanism. It still fails everywhere else though.
Authorities should start with ROLE_
Have a look here: Spring Security FAQ and SO
As noted by gbagga, the answer was pretty simple: Add the "faces" part of the path to the patterns. Thanks!
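Both answers folded into one http block, as an added example that is not from the thread; it assumes the FacesServlet is mapped to /faces/* and that a login page exists at /faces/login.xhtml (both assumptions), keeps the question's users, and collapses the six sibling /administracion/... patterns into one:

```xml
<http pattern="/resources/**" security="none" />
<http use-expressions="true">
    <!-- patterns carry the /faces prefix because that is the path the
         browser actually requests when FacesServlet is mapped to /faces/* -->
    <intercept-url pattern="/faces/administracion/**" access="hasRole('ROLE_RECURSOSHUMANOS')" />
    <!-- the login page itself must stay reachable without a session;
         it is listed before the catch-all because the first match wins -->
    <intercept-url pattern="/faces/login.xhtml" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login login-page="/faces/login.xhtml" />
    <logout logout-success-url="/faces/login.xhtml" />
</http>
<authentication-manager>
    <authentication-provider>
        <user-service>
            <!-- authorities carry the ROLE_ prefix that hasRole() expects -->
            <user name="rod" password="koala" authorities="ROLE_RECURSOSHUMANOS" />
            <user name="dianne" password="emu" authorities="ROLE_JEFE" />
            <user name="scott" password="wombat" authorities="ROLE_JEFE" />
        </user-service>
    </authentication-provider>
</authentication-manager>
```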
Configuration seems to be correct. Maybe you are missing the auto-config="true" option in your http definition. See more here
http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ns-config.html#ns-auto-config
What is your problem exactly? You can not login with the specified username/password? Authorization is not applied to your application?