Problème jsf + spring security
Bonjour, j'ai un petit souci avec Spring Security 3.0.5 sous JSF 2 (et RichFaces, mais ça n'est pas encore implémenté).
L'authentification fonctionne, lorsque je lance l'application, je vais de index.xhtml vers login.xhtml, je me connecte, et j'ai bien accès aux pages sécurisées.
En revanche, si j'accède directement à une page sécurisée, /admin/index.xhtml, "presque" rien ne se passe, alors que je m'attendais à voir apparaitre la page login.xhtml, l'idée étant d'être ensuite redirigé vers la page demandée.
Voilà le bout de config sur la sécurité :
Code:
<!-- Spring Security: password hashing, authentication manager and URL access rules. -->

<!--
  NOTE(review): ShaPasswordEncoder with its default constructor yields a plain SHA-1
  digest, and the salt configured below is the username, which is predictable rather
  than random. A fast hash with a guessable salt offers little resistance to offline
  guessing if the credential store leaks. An adaptive encoder (for example the
  BCryptPasswordEncoder shipped with later Spring Security releases) is preferable;
  moving to it means re-hashing stored passwords, e.g. at each user's next login.
-->
<bean id="passwordEncoder"
      class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>

<!-- Reads the salt from the "username" property of the loaded user details object. -->
<bean id="saltSource"
      class="org.springframework.security.authentication.dao.ReflectionSaltSource">
  <property name="userPropertyToUse" value="username"/>
</bean>

<!-- Authentication manager backed by the userDetailsService bean (defined elsewhere). -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider user-service-ref="userDetailsService">
    <!-- NOTE(review): both ref and hash are given; presumably ref takes precedence and
         hash="sha" is redundant. Confirm and keep only one. -->
    <security:password-encoder ref="passwordEncoder" hash="sha">
      <security:salt-source ref="saltSource"/>
    </security:password-encoder>
  </security:authentication-provider>
</security:authentication-manager>

<!--
  Disabled: per-pattern security="none" declarations for static resources.
  NOTE(review): this element form appears to belong to a later schema version than the
  3.0.5 release named in the post. Verify before re-enabling.
  <http pattern="/css/**" security="none" />
  <http pattern="/images/**" security="none" />
  <http pattern="/js/**" security="none" />
  Resource security
-->

<!--
  Web security rules. Rules are evaluated top to bottom and the first matching pattern
  decides, so specific patterns must stay above general ones.
  auto-config="true" also registers HTTP Basic authentication alongside form login.

  NOTE(review): "/*" matches a single path level only. A URL nested deeper that is not
  under /admin/ matches no rule here, so no access expression is evaluated for it.
  Consider ending the list with an explicit "/**" rule (denyAll or isAuthenticated())
  so that anything not listed is closed by default.

  NOTE(review): the accompanying web.xml maps the Faces Servlet to both *.jsf and
  *.xhtml. A rule written for "/welcome.xhtml" does not cover "/welcome.jsf", which
  falls through to the "/*" permitAll rule. Either keep a single servlet mapping or
  write the rules so that both suffixes are covered. Verify how Faces resolves the view.
-->
<security:http auto-config="true" use-expressions="true">
  <!-- Disabled attribute; the access-denied-handler element below points at the same page:
       access-denied-page="/accessDenied.xhtml" -->

  <!-- JSF resource requests bypass the security filter chain entirely. -->
  <security:intercept-url pattern="/javax.faces.resource/**" filters="none"/>

  <!-- The login page must remain reachable by anonymous users. -->
  <security:intercept-url pattern="/login.xhtml" access="permitAll"/>
  <security:intercept-url pattern="/welcome.xhtml"
                          access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
  <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
  <security:intercept-url pattern="/*" access="permitAll"/>

  <!-- Form login: entry point page, landing page after success, page shown on failure. -->
  <security:form-login login-page="/login.xhtml"
                       default-target-url="/welcome.xhtml"
                       authentication-failure-url="/login.xhtml"/>

  <!-- Logout invalidates the HTTP session before redirecting. -->
  <security:logout invalidate-session="true"
                   logout-url="/logout.xhtml"
                   logout-success-url="/logoutSuccess.xhtml"/>

  <!-- Requests carrying an invalid session id are sent to the login page. -->
  <security:session-management invalid-session-url="/login.xhtml"/>

  <security:access-denied-handler ref="AccessDeniedHandler"/>
</security:http>

<!-- Handler for authenticated users who lack the required role: shows the error page. -->
<bean id="AccessDeniedHandler"
      class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
  <property name="errorPage" value="/accessDenied.xhtml"/>
</bean>

<!-- Business logic (method) security: enables @Secured and JSR-250 annotations. -->
<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
et mon web.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="covoiturage_id"
         version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

  <display-name>Site web covoiturage-uhp.fr</display-name>

  <!-- Spring support: load the root application context at startup. -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml</param-value>
  </context-param>

  <!-- Disabled: explicit default suffix for Faces views.
  <context-param>
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    <param-value>.xhtml</param-value>
  </context-param>-->

  <!-- Comments in Facelets pages are not rendered into the response sent to the client. -->
  <context-param>
    <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
    <param-value>true</param-value>
  </context-param>

  <context-param>
    <!-- Change to "Production" when you are ready to deploy.
         NOTE(review): the Development stage typically produces verbose error pages and
         diagnostic output, so it should not be left on for a public deployment. -->
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Development</param-value>
  </context-param>

  <!-- Disabled: request context listener.
  <listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
  </listener>-->

  <!-- Security: publish HTTP session lifecycle events to the Spring context. -->
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>

  <!-- Security: the proxy delegates to the Spring bean named after the filter-name.
       The /* mapping sends every request through the security filter chain. -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- JSF servlet -->
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>

  <!-- Map these URL suffixes to JSF.
       NOTE(review): two suffix mappings mean a view may be reachable under two URLs.
       URL-based access rules in the security configuration must cover both suffixes,
       or one of the mappings should be removed. Verify against the intercept-url list. -->
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
  </servlet-mapping>

  <!-- Welcome page -->
  <welcome-file-list>
    <welcome-file>/index.xhtml</welcome-file>
  </welcome-file-list>

  <!-- Extras -->
  <!-- "method expression parameters" support for Tomcat -->
  <context-param>
    <param-name>com.sun.faces.expressionFactory</param-name>
    <param-value>com.sun.el.ExpressionFactoryImpl</param-value>
  </context-param>

  <!-- Disabled: open-entity-manager-in-view filter.
  <filter>
    <filter-name>hibernateFilter</filter-name>
    <filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
  </filter>-->

  <!-- Session configuration: idle timeout in minutes. -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
Ce qui m'embête dans tout ça c'est que la console n'est pas très bavarde quand je provoque ce problème :
Code:
| 19:34:55.953 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - Converted URL to lowercase, from: '/admin/index.xhtml'; to: '/admin/index.xhtml'
19:34:55.953 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - Candidate is: '/admin/index.xhtml'; pattern is /javax.faces.resource/**; matched=false
19:34:55.954 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - Converted URL to lowercase, from: '/admin/index.xhtml'; to: '/admin/index.xhtml'
19:34:55.954 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - Candidate is: '/admin/index.xhtml'; pattern is /**; matched=true
19:34:56.043 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - /admin/index.xhtml at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
19:34:56.043 ["http-bio-8084"-exec-20] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
19:34:56.043 ["http-bio-8084"-exec-20] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@55fa12f6. A new one will be created.
19:34:56.044 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - /admin/index.xhtml at position 2 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
19:34:56.044 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - /admin/index.xhtml at position 3 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
19:34:56.044 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - /admin/index.xhtml at position 4 of 10 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
19:34:56.044 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - /admin/index.xhtml at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
19:34:56.044 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - /admin/index.xhtml at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
19:34:56.044 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - /admin/index.xhtml at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
19:34:56.047 ["http-bio-8084"-exec-20] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90514580: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@43458: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: AEEFCBBB6602C3ED114809A9883E77E7; Granted Authorities: ROLE_ANONYMOUS'
19:34:56.048 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - /admin/index.xhtml at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
19:34:56.149 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - /admin/index.xhtml at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
19:34:56.149 ["http-bio-8084"-exec-20] DEBUG o.s.security.web.FilterChainProxy - /admin/index.xhtml at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
19:34:56.149 ["http-bio-8084"-exec-20] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Converted URL to lowercase, from: '/admin/index.xhtml'; to: '/admin/index.xhtml'
19:34:56.248 ["http-bio-8084"-exec-20] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Candidate is: '/admin/index.xhtml'; pattern is /login.xhtml; matched=false
19:34:56.248 ["http-bio-8084"-exec-20] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Candidate is: '/admin/index.xhtml'; pattern is /welcome.xhtml; matched=false
19:34:56.249 ["http-bio-8084"-exec-20] DEBUG o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource - Candidate is: '/admin/index.xhtml'; pattern is /admin/**; matched=true
19:34:56.366 ["http-bio-8084"-exec-20] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /admin/index.xhtml; Attributes: [hasRole('ROLE_ADMIN')]
19:34:56.367 ["http-bio-8084"-exec-20] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90514580: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@43458: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: AEEFCBBB6602C3ED114809A9883E77E7; Granted Authorities: ROLE_ANONYMOUS
19:34:56.558 ["http-bio-8084"-exec-20] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5f3d285f, returned: -1
19:34:56.580 ["http-bio-8084"-exec-20] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied |
et tout plante subitement, je ne vois même pas la requête arriver dans le HTTP server monitor et plus aucune requête ne passe, je dois couper Tomcat 7 avec le gestionnaire des tâches pour continuer...