Alo galera tudo bem? Sou iniciante a JSF e Spring Security. Estou tentando fazer um login baseado em Roles.
Por exemplo:
Se o programa detetar que o usuario tem ROLE_USER ele vai para pasta gestor
Se o programa detetar que o usuario tem ROLE_ADMIN ele vai para pasta admin
Consigo fazer login quando e apenas um usuario, a minha dificuldade e ele saber em que pasta deve entrar sozinho, ou seja, quero multiplos trajetos, um para cada tipo de usuario.
Muito Obrigado desde ja.
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<security:http>
<!-- Access rule for the "gestor" area. An Ant pattern without a wildcard matches
     only the exact path /faces/gestor. The page named in default-target-url
     below lives underneath that folder and is therefore NOT covered by this rule.
     NOTE(review): use pattern="/faces/gestor/**" so every page in the folder
     requires ROLE_USER. -->
<security:intercept-url pattern="/faces/gestor" access="ROLE_USER" />
<!-- default-target-url is one fixed landing page for every account, which is why
     this configuration cannot send users to different folders by role. -->
<security:form-login login-page="/login.html" default-target-url="/faces/gestor/visualizaractualizarestabelecimento.xhtml" authentication-failure-url="/login.html?erro=true"/>
<security:logout logout-success-url="/login.html" />
</security:http>
<!-- The UserDetailsService implementation that loads accounts from the database. -->
<bean class="mz.co.mpteventos.springsecurity.controller.UserDetailServiceImpl" id="userDetailsService"></bean>
<security:authentication-manager>
<!-- No password-encoder child element is declared here.
     NOTE(review): with the Spring Security 3.x namespace this presumably means the
     submitted password is compared with the stored value as plain text. Confirm,
     and store salted password hashes (for example bcrypt) with a matching encoder. -->
<security:authentication-provider user-service-ref="userDetailsService"></security:authentication-provider>
</security:authentication-manager>
</beans>
Controlador
package mz.co.mpteventos.springsecurity.controller;
import java.util.List;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ViewScoped;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import mz.co.mpteventos.springsecurity.dao.DAO;
import mz.co.mpteventos.springsecurity.dto.UserDetailsImpl;
import mz.co.mpteventos.springsecurity.model.Conta;
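/**
 * Loads accounts for Spring Security and exposes the name of the logged-in user.
 *
 * <p>NOTE(review): the security.xml shown with this class also declares it as a
 * Spring bean; the instance Spring creates is the one used for authentication.
 * The JSF {@code @ManagedBean}/{@code @ViewScoped} annotations presumably produce
 * separate instances that are only useful for {@link #getUsuarioLogado()}.
 */
@ManagedBean
@ViewScoped
public class UserDetailServiceImpl implements UserDetailsService {

    /**
     * Finds the account whose name equals {@code username} and copies its name,
     * password and authority into a {@link UserDetailsImpl}.
     *
     * @param username the login name submitted by the user
     * @return the matching account as {@link UserDetails}
     * @throws UsernameNotFoundException if no account has that name
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Kept in a local variable: the Spring-managed instance is shared by all
        // login requests, so an instance field would be overwritten by concurrent
        // logins while another request is still iterating over it.
        // NOTE(review): every account is loaded on each login attempt; a lookup by
        // name in the DAO would avoid that, but the DAO API is not visible here.
        List<Conta> contas = new DAO<Conta>(Conta.class).listaTodos();
        for (Conta conta : contas) {
            // Rows without a name are skipped instead of aborting the whole lookup.
            if (conta.getNome() != null && conta.getNome().equals(username)) {
                UserDetailsImpl user = new UserDetailsImpl();
                user.setUserName(conta.getNome().toString());
                // NOTE(review): the password is handed over exactly as stored. The
                // accompanying security.xml declares no password encoder, so this
                // is presumably a plain-text value; confirm and store salted hashes.
                user.setPassword(conta.getPassword().toString());
                // NOTE(review): the whole authorities value becomes ONE authority
                // string; verify it is exactly "ROLE_USER" or "ROLE_ADMIN".
                user.addAuthority(conta.getAuthorities().toString());
                return user;
            }
        }
        throw new UsernameNotFoundException("Usuario não encontrado");
    }

    /**
     * Returns the name of the currently authenticated principal.
     *
     * @return the principal name, or {@code null} when the security context holds
     *         no authentication
     */
    public String getUsuarioLogado() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // The context may hold no Authentication at all; avoid a
        // NullPointerException when a page reads this property in that state.
        if (authentication == null) {
            return null;
        }
        return authentication.getName();
    }
}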
Formulario Login
<!-- Login form for the Spring Security XML-namespace form-login filter.
     j_spring_security_check, j_username and j_password are the names that filter
     expects in Spring Security 3.x. The context path /springsecurity is hard-coded
     in the action URL.
     NOTE(review): the form carries no CSRF token field. With the 3.2 XML namespace
     CSRF protection is presumably off unless a csrf element is declared; if it is
     enabled, a hidden token input must be added here. Serve this page over HTTPS
     only, since the password travels in the request body. -->
<form class="login-container"
action="/springsecurity/j_spring_security_check" method="POST">
<!-- NOTE(review): the "for" values of both labels (first_name, last_name) do not
     match the input ids (j_username, j_password), so the labels are not
     associated with their fields. -->
<p>
<input placeholder="Username" id="j_username" name="j_username"
type="text" class="validate" required="required"> <label
for="first_name">Introduza o nome de usuario</label>
</p>
<p>
<input id="j_password" name="j_password" class="validate"
type="password" placeholder="Password" required="required">
<label for="last_name">Introduza a senha</label>
</p>
<p>
<input name="action" type="submit" value="Entrar" >
</p>
</form>
</div>
Base de dados MYSQL
<img src="/uploads/default/original/3X/6/0/60df2c52374dc6ac77cb90cf52ecc8adf2613feb.PNG" width="394" height="108" align="center">
Narclk
Agosto 16, 2017, 12:52am
#2
Sobrescreva o método configure para adicionar suas permissões, veja https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#multiple-httpsecurity
Ex:
// Fragment of a configure(HttpSecurity) body; the enclosing method is not shown.
// The chain applies only to requests matching /api/** and requires the ADMIN role
// for all of them. hasRole("ADMIN") checks for the authority "ROLE_ADMIN".
http
.antMatcher("/api/**")
.authorizeRequests()
.anyRequest().hasRole("ADMIN")
.and()
// HTTP Basic sends the credentials with every request, so it should only be
// used over HTTPS.
.httpBasic();
}```
Alo, Narclk, obrigado desde ja… bem, eu nao percebi muito bem a sua explicação nem como eu poderia aproveitar esse codigo com o meu codigo. Sera que voce poderia ser mais explicito, por favor?
No XML eu retiro todas ROLES?
Devo retirar o default-target tambem?
Tentei da seguinte forma:
Security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xsi:schemaLocation="
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<security:http>
<!-- Both patterns end in "/" and contain no wildcard, so each rule matches only
     that exact path. Pages inside the folders are not covered.
     NOTE(review): use "/faces/gestor/**" and "/faces/admin/**" so the role check
     applies to every page in each folder. -->
<security:intercept-url pattern="/faces/gestor/" access="ROLE_USER" />
<security:intercept-url pattern="/faces/admin/" access="ROLE_ADMIN" />
<!-- authentication-success-handler-ref must name a bean that implements
     AuthenticationSuccessHandler. The MultiHttpSecurityConfig class shown with
     this file does not implement it, which is consistent with the
     IllegalStateException reported below the class. -->
<security:form-login login-page="/login.html" authentication-success-handler-ref="multiHttpSecurityConfig" authentication-failure-url="/login.html?erro=true"/>
<security:logout logout-success-url="/login.html" />
</security:http>
<bean class="mz.co.mpteventos.springsecurity.controller.MultiHttpSecurityConfig" id="multiHttpSecurityConfig"></bean>
<security:authentication-manager>
<!-- user-service-ref must name a bean that implements UserDetailsService; the
     class referenced here does not declare that interface either.
     NOTE(review): no password-encoder child element is declared, so stored
     passwords are presumably compared as plain text. Confirm and use hashes. -->
<security:authentication-provider user-service-ref="multiHttpSecurityConfig"></security:authentication-provider>
</security:authentication-manager>
</beans>
Controlador
package mz.co.mpteventos.springsecurity.controller;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import mz.co.mpteventos.springsecurity.dao.DAO;
import mz.co.mpteventos.springsecurity.dto.UserDetailsImpl;
import mz.co.mpteventos.springsecurity.model.Conta;
/**
 * Java-configuration attempt with two nested security configurations.
 *
 * NOTE(review): this class implements neither AuthenticationSuccessHandler nor
 * UserDetailsService, although the security.xml posted with it references the
 * bean in both roles. That matches the IllegalStateException quoted after it.
 */
@EnableWebSecurity
public class MultiHttpSecurityConfig {
// Public mutable field, reassigned by userDetailsService(String) below.
public List<Conta> listaConta;
/**
 * Declared as a bean factory method that takes a String.
 *
 * NOTE(review): parameters of a @Bean method are resolved from the Spring
 * container when the bean is created, not from a login request, so "username"
 * is not the name typed into the login form.
 * NOTE(review): the final cast only succeeds if UserDetailsImpl also implements
 * UserDetailsService. Elsewhere on this page it is returned as a UserDetails, so
 * the cast presumably fails with ClassCastException. Verify against the DTO.
 */
@Bean
public UserDetailsService userDetailsService(String username) throws Exception {
UserDetailsImpl user = new UserDetailsImpl();
// Loads every account and copies the one whose name equals username.
listaConta = new DAO<Conta>(Conta.class).listaTodos();
for (int i = 0; i < this.listaConta.size(); i++) {
if (listaConta.get(i).getNome().equals(username)) {
user.setUserName(listaConta.get(i).getNome().toString());
user.setPassword(listaConta.get(i).getPassword().toString());
user.addAuthority(listaConta.get(i).getAuthorities().toString());
}
}
// When no account matches, the empty UserDetailsImpl is still returned.
return (UserDetailsService) user;
}
/**
 * Configuration ordered first: applies only to /faces/admin/** and requires the
 * ADMIN role (authority "ROLE_ADMIN") with HTTP Basic authentication.
 */
@Configuration
@Order(1)
public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
// NOTE(review): unlike the sibling class, this method carries no @Override.
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/faces/admin/**")
.authorizeRequests()
.anyRequest().hasRole("ADMIN")
.and()
.httpBasic();
}
}
/**
 * Configuration for all remaining requests: any authenticated user is allowed
 * and form login is enabled without a custom login page.
 *
 * NOTE(review): nothing here restricts /faces/gestor/** to ROLE_USER, so under
 * this configuration every authenticated account can reach that folder.
 */
@Configuration
public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin();
}
}
}
E ele da o seguinte erro:
Caused by: java.lang.IllegalStateException: Cannot convert value of type [mz.co.mpteventos.springsecurity.controller.MultiHttpSecurityConfig] to required type [org.springframework.security.web.authentication.AuthenticationSuccessHandler] for property 'authenticationSuccessHandler': no matching editors or conversion strategy found
at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:267)
at org.springframework.beans.BeanWrapperImpl.convertIfNecessary(BeanWrapperImpl.java:458)
... 73 more
Narclk
Agosto 16, 2017, 10:43pm
#4
Comente as configurações do seu xml, delete as classes estáticas e use a classe abaixo como configuração. Boa sorte, espero ter ajudado.
Mais Informações e exemplos
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
/**
 * Single Java configuration that replaces the XML rules: static resources and
 * the public pages are open, the gestor and admin folders require their role,
 * and everything else requires an authenticated user.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfigAdapter extends WebSecurityConfigurerAdapter {
// Passed to setUserDetailsService(...) below, so the injected bean must implement
// UserDetailsService.
// NOTE(review): in the question's code UserDetailsImpl is the DTO returned by
// loadUserByUsername; confirm which class is meant here. The snippet also has no
// import for it.
@Autowired
private UserDetailsImpl userDetails;
/**
 * Declares the URL access rules, the login page and the logout URL.
 *
 * The matchers are evaluated in the order written and the first match decides,
 * so the specific folder rules must stay above anyRequest().
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/css/**", "/img/**", "/js/**").permitAll()
.antMatchers("/index.html", "/home.html").permitAll()
// Both the folder path and everything below it are listed, so pages inside the
// folder are covered. hasRole("USER") checks for the authority "ROLE_USER".
.antMatchers("/faces/gestor","/faces/gestor/**").hasRole("USER")
.antMatchers("/faces/admin","/faces/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
// NOTE(review): with Java configuration the login processing URL and the
// parameter names presumably differ from the j_spring_security_check /
// j_username / j_password form in the question. Confirm for the version in use,
// or set loginProcessingUrl, usernameParameter and passwordParameter explicitly.
// NOTE(review): Java configuration enables CSRF protection by default, so the
// login form presumably needs the CSRF token field. Confirm.
.loginPage("/login.html")
.permitAll()
.and()
// This matcher is built without an HTTP method, so a GET to /logout also logs
// the user out.
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
}
/** Registers the provider built by authenticationProvider(). */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider());
}
/**
 * Builds the provider that loads users through the injected service.
 *
 * NOTE(review): no password encoder is set on the provider. Depending on the
 * Spring Security version this presumably means plain-text comparison; confirm,
 * store salted hashes and call setPasswordEncoder(...) with a matching encoder.
 */
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(userDetails);
return authProvider;
}
}
Obrigado. Consegui resolver dessa forma que sugeriu, muito obrigado.
Consegui uma segunda solução aqui que deu certo, vou postar:
package mz.co.mpteventos.springsecurity.controller;
import java.io.IOException;
import java.util.List;
import java.util.Set;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ViewScoped;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Controller;
import mz.co.mpteventos.springsecurity.dao.DAO;
import mz.co.mpteventos.springsecurity.dto.UserDetailsImpl;
import mz.co.mpteventos.springsecurity.model.Conta;
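/**
 * Loads accounts for Spring Security, redirects each user to a role-specific
 * landing page after login, and exposes the name of the logged-in user.
 *
 * <p>NOTE(review): the security.xml posted with this class also declares it as a
 * Spring bean, and that instance is the one used for authentication. The
 * {@code @ManagedBean}/{@code @ViewScoped}/{@code @Controller} annotations
 * presumably create further, separate instances.
 */
@ManagedBean
@ViewScoped
@Controller
public class UserDetailServiceImpl implements UserDetailsService, AuthenticationSuccessHandler {

    /**
     * Finds the account whose name equals {@code username} and copies its name,
     * password and authority into a {@link UserDetailsImpl}.
     *
     * @param username the login name submitted by the user
     * @return the matching account as {@link UserDetails}
     * @throws UsernameNotFoundException if no account has that name
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Kept in a local variable: the Spring-managed instance is shared by all
        // login requests, so an instance field would be overwritten by concurrent
        // logins while another request is still iterating over it.
        // NOTE(review): every account is loaded on each login attempt; a lookup by
        // name in the DAO would avoid that, but the DAO API is not visible here.
        List<Conta> contas = new DAO<Conta>(Conta.class).listaTodos();
        for (Conta conta : contas) {
            // Rows without a name are skipped instead of aborting the whole lookup.
            if (conta.getNome() != null && conta.getNome().equals(username)) {
                UserDetailsImpl user = new UserDetailsImpl();
                user.setUserName(conta.getNome().toString());
                // NOTE(review): the password is handed over exactly as stored. The
                // accompanying security.xml declares no password encoder, so this
                // is presumably a plain-text value; confirm and store salted hashes.
                user.setPassword(conta.getPassword().toString());
                // NOTE(review): the whole authorities value becomes ONE authority
                // string; verify it is exactly "ROLE_USER" or "ROLE_ADMIN".
                user.addAuthority(conta.getAuthorities().toString());
                return user;
            }
        }
        throw new UsernameNotFoundException("Usuario não encontrado");
    }

    /**
     * Sends the user to the admin page when the authentication carries
     * {@code ROLE_ADMIN}, and to the gestor page otherwise.
     *
     * <p>Both targets are fixed paths below the context path; nothing from the
     * request decides where the browser is sent. The redirect is navigation only
     * and does not protect the pages: the URL rules must do that.
     * NOTE(review): the patterns "/faces/gestor/" and "/faces/admin/" in the
     * accompanying security.xml match only those exact paths; use "/**" patterns
     * so the pages targeted here are actually role-protected.
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        Set<String> roles = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
        // Any account without ROLE_ADMIN falls through to the gestor page.
        String target = roles.contains("ROLE_ADMIN")
                ? "/faces/admin/visualizaractualizarestabelecimentoadmin.xhtml"
                : "/faces/gestor/visualizaractualizarestabelecimento.xhtml";
        response.sendRedirect(request.getContextPath() + target);
    }

    /**
     * Returns the name of the currently authenticated principal.
     *
     * @return the principal name, or {@code null} when the security context holds
     *         no authentication
     */
    public String getUsuarioLogado() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // The context may hold no Authentication at all; avoid a
        // NullPointerException when a page reads this property in that state.
        if (authentication == null) {
            return null;
        }
        return authentication.getName();
    }
}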
## security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xsi:schemaLocation="
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<security:http>
<!-- Both patterns end in "/" and contain no wildcard, so each rule matches only
     that exact path. The .xhtml pages that the success handler redirects to lie
     inside these folders and are not covered by the rules.
     NOTE(review): use "/faces/gestor/**" and "/faces/admin/**"; otherwise the
     redirect is the only thing separating the two user types, and a page can be
     requested directly by its URL. -->
<security:intercept-url pattern="/faces/gestor/" access="ROLE_USER" />
<security:intercept-url pattern="/faces/admin/" access="ROLE_ADMIN" />
<!-- The success handler bean chooses the landing page by role after login. -->
<security:form-login login-page="/login.html" authentication-success-handler-ref="userDetailServiceImpl" authentication-failure-url="/login.html?erro=true"/>
<security:logout logout-success-url="/login.html" />
</security:http>
<!-- One bean serves as both the UserDetailsService and the success handler. -->
<bean class="mz.co.mpteventos.springsecurity.controller.UserDetailServiceImpl" id="userDetailServiceImpl"></bean>
<security:authentication-manager>
<!-- NOTE(review): no password-encoder child element is declared, so with this
     3.2 namespace stored passwords are presumably compared as plain text.
     Confirm, and store salted password hashes with a matching encoder. -->
<security:authentication-provider user-service-ref="userDetailServiceImpl"></security:authentication-provider>
</security:authentication-manager>
</beans>