Spring Security 4 and JSF 2 integration


Question

Is there a way to integrate Spring Security 4 (Mainly for managing user access levels and which views they can access) and JSF 2?

I found this neat thing which allows you to mix both Spring Boot, and JSF 2 with PrimeFaces 5. Great stuff. I want to see if you can kick it up another level.

Normally you would configure Spring Security for Spring MVC like so:

WebSecurityConfig.java

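import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration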
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()

                .and()

                .formLogin()
                .loginPage("/login")
                .permitAll()

                .and()

                .logout()
                .permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("Zyst").password("password").roles("USER");
    }
}

And then those would, as far as I know (do correct me if I'm mistaken), look in your MvcConfig to see what it actually means by "/home" and the like:

MvcConfig.java

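import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration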
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/home").setViewName("home");
        registry.addViewController("/").setViewName("home");
        registry.addViewController("/hello").setViewName("hello");
        registry.addViewController("/login").setViewName("login");
    }
}

However, I've been googling for a few hours and cannot really find a conclusive answer on how to configure Spring Security for JSF. Can you implement your front end using JSF and then make that managed by Spring Security, so that, for example, links (i.e. localhost:8080/home instead of localhost:8080/home.xhtml) are properly managed and served? And so that user levels defined in WebSecurityConfig.java can only access pages relevant to themselves.

From what I've (briefly) investigated it might not be possible due to Faces and Mvc being different technologies that don't particularly play well together. However, if possible I'd like to make sure of whether it's possible or not.

And if it IS possible, can you provide either a working example, or a link to somewhere that goes more in depth? I did google quite a bit but it's 100% possible I ended up missing something.

Any and all answers are greatly appreciated.

Recommended answer

There's no problem in using Spring Boot, Spring Security, JSF and Spring Core all together; in the end, JSF views are resolved as URLs, and that's what you work with in Spring Security. Here's an example of the configuration in my own application, which I've pruned a bit to minimize the amount of code. The code is self-explanatory:

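import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration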
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // Have to disable it for POST methods:
        // http://stackoverflow.com/a/20608149/1199132
        http.csrf().disable();

        // Logout and redirection:
        // http://stackoverflow.com/a/24987207/1199132
        http.logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .invalidateHttpSession(true)
                .logoutSuccessUrl(
                        "/login.xhtml");

        http.authorizeRequests()
                // Some filters enabling url regex:
                // http://stackoverflow.com/a/8911284/1199132
                .regexMatchers(
                        "\\A/page1.xhtml\\?param1=true\\Z",
                        "\\A/page2.xhtml.*")
                .permitAll()
                //Permit access for all to error and denied views
                .antMatchers("/500.xhtml", "/denied.xhtml")
                .permitAll()
                // Only access with admin role
                .antMatchers("/config/**")
                .hasRole("ADMIN")
                //Permit access only for some roles
                .antMatchers("/page3.xhtml")
                .hasAnyRole("ADMIN", "MANAGEMENT")
                //If user doesn't have permission, forward him to login page
                .and()
                .formLogin()
                .loginPage("/login.xhtml")
                .loginProcessingUrl("/login")
                .defaultSuccessUrl("/main.xhtml")
                .and().exceptionHandling().accessDeniedPage("/denied.xhtml");
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        //Configure roles and passwords as in-memory authentication
        auth.inMemoryAuthentication()
                .withUser("administrator")
                .password("pass")
                .roles("ADMIN");
        auth.inMemoryAuthentication()
                .withUser("manager")
                .password("pass")
                .roles("MANAGEMENT");
    }
}

Of course, this code works with *.xhtml suffixed URLs, as they're served by the JSF Servlet. If you want to avoid this suffix, you should use a URL rewriting tool such as PrettyFaces. But that's another story that has already been widely discussed on Stack Overflow.

Also, remember to target your login form to the configured login processing URL to let Spring Security handle the authentication and redirection to your main page. What I usually do is use a non-JSF form and apply the PrimeFaces styles to it:

<form id="login_form" action="#{request.contextPath}/login" method="post">
    <p>
        <label for="username" class="login-form-tag">User</label> <input
            type="text" id="username" name="username" class="ui-corner-all"
            required="required" />
    </p>
    <p>
        <label for="password" class="login-form-tag">Password</label>
        <input type="password" id="password" name="password"
            class="ui-corner-all" required="required" />
    </p>
    <p>
        <button type="submit"
            class="ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only">
            <span class="ui-button-text">Login</span>
        </button>
    </p>
</form>

See also:

  • Spring and JSF integration
  • Spring Boot JSF Integration
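
The following is an added example, not code from the answer or its author: a variant of the answer's configuration that leaves CSRF protection enabled and ends with the catch-all `.anyRequest().authenticated()` rule used in the question's config, so views not listed explicitly are not public. The class name `HardenedWebSecurityConfig` is hypothetical, the `/javax.faces.resource/**` rule assumes the default JSF resource handler path, and the answer's `regexMatchers` rules and in-memory users would be added unchanged.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Added example, not the answer author's code. The class name is hypothetical.
@Configuration
@EnableWebSecurity
public class HardenedWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // No http.csrf().disable(): CSRF protection stays at its default (on).
        // Every POST form, JSF <h:form> postbacks included, must then carry the
        // token that CsrfFilter exposes as the request attribute "_csrf":
        //   <input type="hidden" name="#{_csrf.parameterName}"
        //          value="#{_csrf.token}" />

        http.logout()
                // With CSRF on, accept logout only as a POST (which carries the token)
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .invalidateHttpSession(true)
                .logoutSuccessUrl("/login.xhtml");

        http.authorizeRequests()
                // Assumption: CSS/JS/images come from the default JSF resource handler path
                .antMatchers("/javax.faces.resource/**").permitAll()
                // Views anyone may see; the login view must be reachable unauthenticated
                .antMatchers("/login.xhtml", "/500.xhtml", "/denied.xhtml").permitAll()
                .antMatchers("/config/**").hasRole("ADMIN")
                .antMatchers("/page3.xhtml").hasAnyRole("ADMIN", "MANAGEMENT")
                // Default deny: any view not listed above requires a logged-in user,
                // so a newly added .xhtml page is not public by accident
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginPage("/login.xhtml")
                .loginProcessingUrl("/login")
                .defaultSuccessUrl("/main.xhtml")
                .permitAll()
                .and()
                .exceptionHandling().accessDeniedPage("/denied.xhtml");
    }
}
```

Rule order matters here: matchers are evaluated top to bottom and the first match wins, so the specific rules stay above `anyRequest()`.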
