[jira] Commented: (MYFACES-2009) Spring Security integration inside JSF Components
[ https://issues.apache.org/jira/browse/MYFACES-2009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12640487#action_12640487 ] Juan Pablo Santos Rodríguez commented on MYFACES-2009: -- Hi, I've been playing with the above functionality. As mentioned, Spring Security support is given by MyFaces out of the box. But, I've haven't found the way of having Spring Security AND also being able of beans injection. Spring reference guide states that, in order to enable Spring injection, the VariableResolver must be one of org.springframework.web.jsf.DelegatingVariableResolver (JSF 1.1 1.2), org.springframework.web.jsf.SpringBeanVariableResolver (JSF 1.1 1.2) or org.springframework.web.jsf.el.SpringBeanFacesELResolver (1.2+) The only workaround of having both functionalilies I've found goes through the custom resolver, which was extending org.springframework.web.jsf.DelegatingVariableResolver I can provide a little testing application and reopen the issue/open a new issue, if you think this should be MyFaces related (right now I'm not very sure if it should be Spring / Spring Security responsability or a MyFaces issue). regards, juan pablo Spring Security integration inside JSF Components - Key: MYFACES-2009 URL: https://issues.apache.org/jira/browse/MYFACES-2009 Project: MyFaces Core Issue Type: New Feature Components: General Affects Versions: 1.1.6 Reporter: Juan Pablo Santos Rodríguez As noted many times, there is no native integration of Spring Security tags inside a JSF webapp. I've seen a few approaches, but they're mostly custom JSF-Spring-Security components. In our current project we needed to use Spring Security tags functionality inside any JSF component (custom or not). We ended reaching MyFaces' own Security Context (http://wiki.apache.org/myfaces/SecurityContext), which default implementation is J2EE based. We've extended it with a custom Spring Security implementation, hence this development, which is now publicly available, as we think it may be useful for the community. The basic idea is that Spring's Security Context is going to be available via EL, i.e. you can: h:outputText rendered=#{securityContext.ifAllGranted['ROLE_ADMIN,ROLE_USER']}how how how/h:outputText Some notes: - The zip is bundled as a maven 2 project, so 'mvn clean install' and add the jar as a dependency - It is a Java 5, Spring 2.5.5, Spring Security 2.0.3, MyFaces 1.1.6 project, this were customer requirements. Although, all of these should be easily changed, only messing with dependencies is required O:-) (it should *should* not affect the build, but we've not checked). - As it is MyFaces 1.1.x based, it extends Spring's DelegatingVariableResolver. Same as former statement, it *could* be easily changed, only changing the extended class and the usual dependency changes. Again, we've not checked (but hey, should be an *easy* change O:-)). - Default behaviour of the new Resolver is to check if the requested operation corresponds to a security operation, if not, runs parent behaviour. - IMPORTANT: the security operations available via EL are noted in here: http://wiki.apache.org/myfaces/SecurityContext . Anyone willing to make available any other operation via EL should extend his own http://svn.apache.org/viewvc/myfaces/tomahawk/trunk/sandbox/core/src/main/java/org/apache/myfaces/custom/security/SecurityContextPropertyResolver.java?view=markup implementation and change his faces-config accordingly. - There are several classes which have been taken from tomahawk's 1.1.6 sandbox, in order to make dependencies management a bit easier. This is noted at class-javadoc level. - In jsf-example-webapp module just 'mvn jetty:run' to run the example webapp. There is a dummy security applicationContext, with users and passwords hardcoded in it (this is only a dumb demo) inside resources folder. Serious applications will likely have a more complex configuration. Configuration: 1st.- Make your JSF application Spring Security Aware (http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-getting-started) 2nd.- Make your JSF application Spring aware (http://static.springframework.org/spring/docs/2.5.x/reference/web-integration.html#jsf). This implementation assumes JSF 1.1 integration (http://static.springframework.org/spring/docs/2.5.x/reference/web-integration.html#jsf-delegatingvariableresolver). JSF 1.2 will require code modification, as noted above. 3nd.- In your faces-config.xml set: faces-config application variable-resolverorg.apache.myfaces.custom.security.MyFacesSecurityContextSpringDelegatingVariableResolver/variable-resolver
[jira] Commented: (MYFACES-2009) Spring Security integration inside JSF Components
[ https://issues.apache.org/jira/browse/MYFACES-2009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12640497#action_12640497 ] Cagatay Civici commented on MYFACES-2009: - I am using Spring Security, Spring based JSF backing beans and MyFaces SecurityContext without a problem, I use DelegatingVariableResolver. This combination works, maybe there is an issue with your configuration. You may use this blog entry based on JSF-Spring-Spring Security-Orchestra-JPA integration: http://prime.com.tr/cagataycivici/?p=99 Spring Security integration inside JSF Components - Key: MYFACES-2009 URL: https://issues.apache.org/jira/browse/MYFACES-2009 Project: MyFaces Core Issue Type: New Feature Components: General Affects Versions: 1.1.6 Reporter: Juan Pablo Santos Rodríguez As noted many times, there is no native integration of Spring Security tags inside a JSF webapp. I've seen a few approaches, but they're mostly custom JSF-Spring-Security components. In our current project we needed to use Spring Security tags functionality inside any JSF component (custom or not). We ended reaching MyFaces' own Security Context (http://wiki.apache.org/myfaces/SecurityContext), which default implementation is J2EE based. We've extended it with a custom Spring Security implementation, hence this development, which is now publicly available, as we think it may be useful for the community. The basic idea is that Spring's Security Context is going to be available via EL, i.e. you can: h:outputText rendered=#{securityContext.ifAllGranted['ROLE_ADMIN,ROLE_USER']}how how how/h:outputText Some notes: - The zip is bundled as a maven 2 project, so 'mvn clean install' and add the jar as a dependency - It is a Java 5, Spring 2.5.5, Spring Security 2.0.3, MyFaces 1.1.6 project, this were customer requirements. Although, all of these should be easily changed, only messing with dependencies is required O:-) (it should *should* not affect the build, but we've not checked). - As it is MyFaces 1.1.x based, it extends Spring's DelegatingVariableResolver. Same as former statement, it *could* be easily changed, only changing the extended class and the usual dependency changes. Again, we've not checked (but hey, should be an *easy* change O:-)). - Default behaviour of the new Resolver is to check if the requested operation corresponds to a security operation, if not, runs parent behaviour. - IMPORTANT: the security operations available via EL are noted in here: http://wiki.apache.org/myfaces/SecurityContext . Anyone willing to make available any other operation via EL should extend his own http://svn.apache.org/viewvc/myfaces/tomahawk/trunk/sandbox/core/src/main/java/org/apache/myfaces/custom/security/SecurityContextPropertyResolver.java?view=markup implementation and change his faces-config accordingly. - There are several classes which have been taken from tomahawk's 1.1.6 sandbox, in order to make dependencies management a bit easier. This is noted at class-javadoc level. - In jsf-example-webapp module just 'mvn jetty:run' to run the example webapp. There is a dummy security applicationContext, with users and passwords hardcoded in it (this is only a dumb demo) inside resources folder. Serious applications will likely have a more complex configuration. Configuration: 1st.- Make your JSF application Spring Security Aware (http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-getting-started) 2nd.- Make your JSF application Spring aware (http://static.springframework.org/spring/docs/2.5.x/reference/web-integration.html#jsf). This implementation assumes JSF 1.1 integration (http://static.springframework.org/spring/docs/2.5.x/reference/web-integration.html#jsf-delegatingvariableresolver). JSF 1.2 will require code modification, as noted above. 3nd.- In your faces-config.xml set: faces-config application variable-resolverorg.apache.myfaces.custom.security.MyFacesSecurityContextSpringDelegatingVariableResolver/variable-resolver property-resolverorg.apache.myfaces.custom.security.SecurityContextPropertyResolver/property-resolver !-- ... -- and that's all. cheers, juan pablo -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MYFACES-2009) Spring Security integration inside JSF Components
[ https://issues.apache.org/jira/browse/MYFACES-2009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12640499#action_12640499 ] Juan Pablo Santos Rodríguez commented on MYFACES-2009: -- Hi Cagatay, thanks on your fast response. I'll take a look at that post. Right now, if I use DelegatingVariableResolver I don't get Spring Security integration. Never mind, surely it's me. If I found anything interesting I'll comment back cheers, juan pablo Spring Security integration inside JSF Components - Key: MYFACES-2009 URL: https://issues.apache.org/jira/browse/MYFACES-2009 Project: MyFaces Core Issue Type: New Feature Components: General Affects Versions: 1.1.6 Reporter: Juan Pablo Santos Rodríguez As noted many times, there is no native integration of Spring Security tags inside a JSF webapp. I've seen a few approaches, but they're mostly custom JSF-Spring-Security components. In our current project we needed to use Spring Security tags functionality inside any JSF component (custom or not). We ended reaching MyFaces' own Security Context (http://wiki.apache.org/myfaces/SecurityContext), which default implementation is J2EE based. We've extended it with a custom Spring Security implementation, hence this development, which is now publicly available, as we think it may be useful for the community. The basic idea is that Spring's Security Context is going to be available via EL, i.e. you can: h:outputText rendered=#{securityContext.ifAllGranted['ROLE_ADMIN,ROLE_USER']}how how how/h:outputText Some notes: - The zip is bundled as a maven 2 project, so 'mvn clean install' and add the jar as a dependency - It is a Java 5, Spring 2.5.5, Spring Security 2.0.3, MyFaces 1.1.6 project, this were customer requirements. Although, all of these should be easily changed, only messing with dependencies is required O:-) (it should *should* not affect the build, but we've not checked). - As it is MyFaces 1.1.x based, it extends Spring's DelegatingVariableResolver. Same as former statement, it *could* be easily changed, only changing the extended class and the usual dependency changes. Again, we've not checked (but hey, should be an *easy* change O:-)). - Default behaviour of the new Resolver is to check if the requested operation corresponds to a security operation, if not, runs parent behaviour. - IMPORTANT: the security operations available via EL are noted in here: http://wiki.apache.org/myfaces/SecurityContext . Anyone willing to make available any other operation via EL should extend his own http://svn.apache.org/viewvc/myfaces/tomahawk/trunk/sandbox/core/src/main/java/org/apache/myfaces/custom/security/SecurityContextPropertyResolver.java?view=markup implementation and change his faces-config accordingly. - There are several classes which have been taken from tomahawk's 1.1.6 sandbox, in order to make dependencies management a bit easier. This is noted at class-javadoc level. - In jsf-example-webapp module just 'mvn jetty:run' to run the example webapp. There is a dummy security applicationContext, with users and passwords hardcoded in it (this is only a dumb demo) inside resources folder. Serious applications will likely have a more complex configuration. Configuration: 1st.- Make your JSF application Spring Security Aware (http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-getting-started) 2nd.- Make your JSF application Spring aware (http://static.springframework.org/spring/docs/2.5.x/reference/web-integration.html#jsf). This implementation assumes JSF 1.1 integration (http://static.springframework.org/spring/docs/2.5.x/reference/web-integration.html#jsf-delegatingvariableresolver). JSF 1.2 will require code modification, as noted above. 3nd.- In your faces-config.xml set: faces-config application variable-resolverorg.apache.myfaces.custom.security.MyFacesSecurityContextSpringDelegatingVariableResolver/variable-resolver property-resolverorg.apache.myfaces.custom.security.SecurityContextPropertyResolver/property-resolver !-- ... -- and that's all. cheers, juan pablo -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MYFACES-2009) Spring Security integration inside JSF Components
[ https://issues.apache.org/jira/browse/MYFACES-2009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12639035#action_12639035 ] Cagatay Civici commented on MYFACES-2009: - Have you tried Spring Security with Default security context implementation of MyFaces, HttpContextIntegrationFilter wraps the requests by default so I dont think there is a need to implement custom security context implementation, it should work out of the box if the HttpContextIntegrationFilter is configured and afaik it is configured by default using security namespace configuration of spring. Spring Security integration inside JSF Components - Key: MYFACES-2009 URL: https://issues.apache.org/jira/browse/MYFACES-2009 Project: MyFaces Core Issue Type: New Feature Components: General Affects Versions: 1.1.6 Reporter: Juan Pablo Santos Rodríguez Attachments: myfaces-securitycontext-spring-security-impl.zip As noted many times, there is no native integration of Spring Security tags inside a JSF webapp. I've seen a few approaches, but they're mostly custom JSF-Spring-Security components. In our current project we needed to use Spring Security tags functionality inside any JSF component (custom or not). We ended reaching MyFaces' own Security Context (http://wiki.apache.org/myfaces/SecurityContext), which default implementation is J2EE based. We've extended it with a custom Spring Security implementation, hence this development, which is now publicly available, as we think it may be useful for the community. The basic idea is that Spring's Security Context is going to be available via EL, i.e. you can: h:outputText rendered=#{securityContext.ifAllGranted['ROLE_ADMIN,ROLE_USER']}how how how/h:outputText Some notes: - The zip is bundled as a maven 2 project, so 'mvn clean install' and add the jar as a dependency - It is a Java 5, Spring 2.5.5, Spring Security 2.0.3, MyFaces 1.1.6 project, this were customer requirements. Although, all of these should be easily changed, only messing with dependencies is required O:-) (it should *should* not affect the build, but we've not checked). - As it is MyFaces 1.1.x based, it extends Spring's DelegatingVariableResolver. Same as former statement, it *could* be easily changed, only changing the extended class and the usual dependency changes. Again, we've not checked (but hey, should be an *easy* change O:-)). - Default behaviour of the new Resolver is to check if the requested operation corresponds to a security operation, if not, runs parent behaviour. - IMPORTANT: the security operations available via EL are noted in here: http://wiki.apache.org/myfaces/SecurityContext . Anyone willing to make available any other operation via EL should extend his own http://svn.apache.org/viewvc/myfaces/tomahawk/trunk/sandbox/core/src/main/java/org/apache/myfaces/custom/security/SecurityContextPropertyResolver.java?view=markup implementation and change his faces-config accordingly. - There are several classes which have been taken from tomahawk's 1.1.6 sandbox, in order to make dependencies management a bit easier. This is noted at class-javadoc level. - In jsf-example-webapp module just 'mvn jetty:run' to run the example webapp. There is a dummy security applicationContext, with users and passwords hardcoded in it (this is only a dumb demo) inside resources folder. Serious applications will likely have a more complex configuration. Configuration: 1st.- Make your JSF application Spring Security Aware (http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-getting-started) 2nd.- Make your JSF application Spring aware (http://static.springframework.org/spring/docs/2.5.x/reference/web-integration.html#jsf). This implementation assumes JSF 1.1 integration (http://static.springframework.org/spring/docs/2.5.x/reference/web-integration.html#jsf-delegatingvariableresolver). JSF 1.2 will require code modification, as noted above. 3nd.- In your faces-config.xml set: faces-config application variable-resolverorg.apache.myfaces.custom.security.MyFacesSecurityContextSpringDelegatingVariableResolver/variable-resolver property-resolverorg.apache.myfaces.custom.security.SecurityContextPropertyResolver/property-resolver !-- ... -- and that's all. cheers, juan pablo -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (MYFACES-2009) Spring Security integration inside JSF Components
[ https://issues.apache.org/jira/browse/MYFACES-2009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12639071#action_12639071 ] Juan Pablo Santos Rodríguez commented on MYFACES-2009: -- Hi, customer did have an special security context implementation, so HttpSessionContextIntegrationFilter wasn't an option.. However, performing suggested steps does the trick, no need of a custom implementation. The hurries of attaching, didn't find anything related at myfaces wiki :-x Mark this as WONTFIX, please. regards, jp Spring Security integration inside JSF Components - Key: MYFACES-2009 URL: https://issues.apache.org/jira/browse/MYFACES-2009 Project: MyFaces Core Issue Type: New Feature Components: General Affects Versions: 1.1.6 Reporter: Juan Pablo Santos Rodríguez Attachments: myfaces-securitycontext-spring-security-impl.zip As noted many times, there is no native integration of Spring Security tags inside a JSF webapp. I've seen a few approaches, but they're mostly custom JSF-Spring-Security components. In our current project we needed to use Spring Security tags functionality inside any JSF component (custom or not). We ended reaching MyFaces' own Security Context (http://wiki.apache.org/myfaces/SecurityContext), which default implementation is J2EE based. We've extended it with a custom Spring Security implementation, hence this development, which is now publicly available, as we think it may be useful for the community. The basic idea is that Spring's Security Context is going to be available via EL, i.e. you can: h:outputText rendered=#{securityContext.ifAllGranted['ROLE_ADMIN,ROLE_USER']}how how how/h:outputText Some notes: - The zip is bundled as a maven 2 project, so 'mvn clean install' and add the jar as a dependency - It is a Java 5, Spring 2.5.5, Spring Security 2.0.3, MyFaces 1.1.6 project, this were customer requirements. Although, all of these should be easily changed, only messing with dependencies is required O:-) (it should *should* not affect the build, but we've not checked). - As it is MyFaces 1.1.x based, it extends Spring's DelegatingVariableResolver. Same as former statement, it *could* be easily changed, only changing the extended class and the usual dependency changes. Again, we've not checked (but hey, should be an *easy* change O:-)). - Default behaviour of the new Resolver is to check if the requested operation corresponds to a security operation, if not, runs parent behaviour. - IMPORTANT: the security operations available via EL are noted in here: http://wiki.apache.org/myfaces/SecurityContext . Anyone willing to make available any other operation via EL should extend his own http://svn.apache.org/viewvc/myfaces/tomahawk/trunk/sandbox/core/src/main/java/org/apache/myfaces/custom/security/SecurityContextPropertyResolver.java?view=markup implementation and change his faces-config accordingly. - There are several classes which have been taken from tomahawk's 1.1.6 sandbox, in order to make dependencies management a bit easier. This is noted at class-javadoc level. - In jsf-example-webapp module just 'mvn jetty:run' to run the example webapp. There is a dummy security applicationContext, with users and passwords hardcoded in it (this is only a dumb demo) inside resources folder. Serious applications will likely have a more complex configuration. Configuration: 1st.- Make your JSF application Spring Security Aware (http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-getting-started) 2nd.- Make your JSF application Spring aware (http://static.springframework.org/spring/docs/2.5.x/reference/web-integration.html#jsf). This implementation assumes JSF 1.1 integration (http://static.springframework.org/spring/docs/2.5.x/reference/web-integration.html#jsf-delegatingvariableresolver). JSF 1.2 will require code modification, as noted above. 3nd.- In your faces-config.xml set: faces-config application variable-resolverorg.apache.myfaces.custom.security.MyFacesSecurityContextSpringDelegatingVariableResolver/variable-resolver property-resolverorg.apache.myfaces.custom.security.SecurityContextPropertyResolver/property-resolver !-- ... -- and that's all. cheers, juan pablo -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.