Spring Security without authentication

4

I have a system that already authenticates the user and controls access to pages that require authentication. I need to use Spring Security to control access to pages by user rules and to control access to certain resources, such as a user only having permission to list records and not to delete records.

I tried to deploy a login with Spring Security and pass the responsibility for authentication to my class that takes care of login to the system, by implementing UserDetailsService, but I did not succeed.

The tutorials I found on the web address authentication and give little attention to authorization. Does anyone know of a useful link for my need?

My code looks like this:

web.xml

<session-config>
    <session-timeout>30</session-timeout>
</session-config>
<context-param>
    <param-name>javax.faces.CONFIG_FILES</param-name>
    <param-value>/WEB-INF/faces-config.xml</param-value>
</context-param>
<display-name>Ultracar Web</display-name>
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
<!--<context-param>
 <param-name>javax.faces.FACELETS_REFRESH_PERIOD</param-name>
 <param-value>-1</param-value>
</context-param>
-->
<welcome-file-list>
    <welcome-file>Principal/index.xhtml</welcome-file>
</welcome-file-list>

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-security.xml            
    </param-value>
</context-param>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

spring-security:

<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans" 
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="Principal/index*" access="permitAll" />
    <intercept-url pattern="/Principal/*" access="permitAll"/>

    <form-login login-page="/Principal/index.xhtml"        
                         default-target-url="/"
                         authentication-failure-url="/"/>
    <logout logout-success-url="/" />
</http>

</beans:beans>

    

login page:

<?xml version='1.0' encoding='UTF-8' ?>

<h:head>
    <link rel="SHORTCUT ICON" href="../Imagens/logo.png"/>
</h:head>
<h:body>
    <ui:composition template="./../Principal/template_inicio.xhtml">            
        <ui:define name="content">
            <div class="slider">
                <div class="container" style="padding: 10px;">
                    <div class="col-lg-9 col-xs-9 col-sm-9">
                        <ui:include src="slider.xhtml"/>
                    </div>

                    <div class="col-lg-3 col-xs-3 col-sm-3" style="padding: 17px 0;background-color: #B3B3B3;">
                        <img class="img-responsive" style="margin: 0 auto" src="#{request.contextPath}/Imagens/logo.png" />

                        <h:form id="frmLogin" class="form-group" >

                                <div class="row">                                    
                                    <div class="col-lg-12 col-xs-12 col-sm-12 ">
                                        <h:outputLabel style="color: #303030;" value="#{Utils.getStrLanguage('Usuario')}:" />
                                    </div>
                                </div>

                                <div class="row">
                                    <div class="col-lg-12 col-xs-12 col-sm-12">
                                        <p:inputText value="#{MBControl.login}" required="true"
                                                     style="width: 100%;-moz-box-shadow: none !important; -webkit-box-shadow: none !important; 
                                                     box-shadow: none !important; -moz-border-radius: 0 !important; 
                                                     -webkit-border-radius: 0 !important; border-radius: 0 !important;"
                                                     requiredMessage="#{Utils.getStrLanguage('Usuario_requerido')}"/>
                                    </div>                                    
                                </div>

                                <div class="row">
                                    <div class="col-lg-12 col-xs-12 col-sm-12">
                                        <h:outputLabel style="color: #303030;" value="#{Utils.getStrLanguage('Senha')}:" />
                                    </div>                                    
                                </div>

                                <div class="row">
                                    <div class="col-lg-12 col-xs-12 col-sm-12">
                                        <p:password value="#{MBControl.senha}" required="true" id="txtSenha" styleClass="reset-style"
                                                    style="width: 100%;-moz-box-shadow: none !important; -webkit-box-shadow: none !important; 
                                                    box-shadow: none !important; -moz-border-radius: 0 !important; 
                                                    -webkit-border-radius: 0 !important; border-radius: 0 !important;"
                                                    requiredMessage="#{Utils.getStrLanguage('Senha_requerida')}"/>
                                    </div>                                   
                                </div>

                                <div class="row" style="margin-top: 15px;">
                                    <div class="col-lg-4 col-xs-6 col-sm-12">
                                        <p:commandLink id="btnLogin" styleClass="btn button-green" ajax="false" action="#{MBControl.logar()}" 
                                                       update="frmLogin" value="#{Utils.getStrLanguage('Login')}" style="border-radius: 0 !important;"/>
                                    </div>
                                </div>
                        </h:form>
                    </div>                        
                </div> 
            </div>
        </ui:define>
    </ui:composition>
</h:body>

I do not know how to make Spring call my login class, and then how to handle permissions through Spring.

Thanks in advance for all the help.

    
asked by anonymous 17.06.2015 / 14:49

1 answer

1

Hello!

I did not see in your setup where you are declaring the UserDetailsService that you implemented in your Spring context. I imagine you should have done this in another configuration file?

You must declare your implementation as a bean and then add it to the AuthenticationManager you are using, which in this case is the login form.

Add this snippet to your configuration and see if it works:

<authentication-manager>
  <authentication-provider user-service-ref="ID_DO_BEAN_DA_SUA_IMPLEMENTACAO">
  </authentication-provider>
</authentication-manager>

Sample taken from this article.

On authorization, I suggest an approach with Spring Security ACL. See the official documentation for how it works. There are few examples on the web, but you can understand how it works using the JavaDoc, the few articles, and the official documentation.

Once the ACL is configured, you can control access to your domain data according to the user profile of the application. However, review the application design so that you need to use this method as little as possible.

The "ideal" would be to control access for users through the endpoints of your application. E.g.: /admin only ROLE_ADMIN, /gerente only ROLE_GERENTE. Of course this is not always possible, for example with a combo that comes with items that only the Level 1 Manager can see... but try to focus on the interaction of users and the flow of your application pages. It is easier to maintain in the future.

If you still have questions, post in the comments and I will try to answer.

    
14.07.2015 / 17:32