0

When I am using jsf with spring boot there is no problem to access the jsf bean, but when I add spring security I get access denied 403 when trying to access pages using jsf bean function, I can only access the pages with the url. I've been searching a lot to solve this issue but nothing did work, please if someone can help me solve this issue.

here is my code:

jsf BeanProduit.java

@ManagedBean
@Component
@SessionScoped
public class BeanProduit {

    @Autowired
    @Qualifier("produitsPrixServiceImpl")
    private CrudService<ProduitsPrix> produitsPrixService;

    @Autowired
    @Qualifier("produitsStockServiceImpl")
    private CrudService<ProduitsStock> produitsStockService;

    private List<ProduitsStock> produits;
    private Logger logger = Logger.getLogger(getClass().getName());

    public BeanProduit() {
        produits = new ArrayList<ProduitsStock>();
    }

    @PostConstruct
    public void init() {
        produits = getListProductsFinal();
    }

    public String loadProduct(int codePdt) {
        logger.info("loading product: " + codePdt);
        try {
            // get product from database
            ProduitsPrix product = produitsPrixService.findById(codePdt);
            // put in the request attribute ... so we can use it on the form page
            ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
            Map<String, Object> requestMap = externalContext.getRequestMap();
            requestMap.put("product", product);
        } catch (Exception exc) {
            // send this to server logs
            logger.log(Level.SEVERE, "Error loading product id:" + codePdt, exc);
            // add error message for JSF page
            addErrorMessage(exc);
            return null;
        }
        return "/pages/form-validation";
    }

}

config file of spring security DemoSecurityConfig.java

@EnableWebSecurity
public class DemoSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource securityDataSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(securityDataSource);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/assets/**")
            .permitAll()
            .antMatchers("/authentication/login.xhtml?logout").hasAnyRole("EMPLOYEE")
            .antMatchers("/**").hasRole("ADMIN")
            .and().formLogin().loginPage("/authentication/login.xhtml")
            .loginProcessingUrl("/authenticateTheUser").permitAll()
            .defaultSuccessUrl("/", true)
            .and().logout().permitAll()
            .and().exceptionHandling().accessDeniedPage("/error/error-403.xhtml");
    }

}

snippet code from the view 

<h:form>
<ui:repeat value="#{beanProduit.produits}" var="produit">
    <tr>
        <td>#{produit.codePdt}</td>
        <td>#{produit.nomPdt}</td>
        <td>#{produit.prixPdt}</td>
        <td>#{produit.qtePdt}</td>
        <td class="text-center">
            <h:commandButton class="btn btn-primary" value="Acheter" action="#{beanProduit.loadProduct(produit.codePdt)}" />
        </td>
    </tr>
</ui:repeat>
</h:form>
Kukeltje
  • 12,223
  • 4
  • 24
  • 47
Soufiane Odf
  • 1,054
  • 2
  • 9
  • 23
  • 1
    Where did you learn to put both a `@ManagedBean` and `@Component` on a class? Pick one and the right corresponding scope. ;ooking atbthev`@Autowired` you should usev`@Component` – Kukeltje Jun 05 '20 at 07:12
  • And how and where do you access a jsf bean in spring security – Kukeltje Jun 05 '20 at 07:44
  • Or can't you access the page itself? Any errors? – Kukeltje Jun 05 '20 at 08:29
  • @Kukeltje if i take off "@ManagedBean" it won't be a bean and it cannot return a view. and if i take of "@Autowired" i cannot use injection right. I want to add access to jsf bean if spring security config but i don't know how ? – Soufiane Odf Jun 05 '20 at 13:41
  • 1
    Off-topic. Regardless of the things in my 'non-answer', your architecture is actually nice. Lots of 'beginners' do this waaaaaay more wrong. Compliments. You do it like https://stackoverflow.com/questions/30639785/jsf-controller-service-and-dao – Kukeltje Jun 05 '20 at 15:54

2 Answers2

3

Let me start by addressing all of your comment from 2020-06-05 13:41:36Z above:

... if i take off "@ManagedBean" it won't be a bean

Wrong, something 'being' a (java)bean or not has nothing to do with annotations. What it takes for a plain java class to become a javabean can be read here:

When a java bean becomes a real managed bean, managed by A container (Spring, JSF, CDI, EJB, ...) is a different ballgame

and it cannot return a view.

Wrong again, something, in the jsf sense, being able to 'return a view' or not is dependent on the managed bean (Spring, JSF, CDI, ...) being accessed from a JSF 'page'returning a String or not AND as long as the managed bean is available in the EL resolvers used by facelets/jsf

Actually a JSF component on a facelets page is the better description

and if i take of "@Autowired" i cannot use injection right.

Wrong again... @Autowired is the old spring annotation for 'injecting' other managed beans. Other bean managers/containers have the same features.

JSF has (or rather had) @ManagedProperty (long deprecated in comination with its @ManageBean in favour of CDI managed beans), CDI has @Inject with @Named which spring now also supports as an alias to @Autowired and @Component/@Controller

Effectively your misunderstandings from the comment are all addressed in

The last part of your comment

I want to add access to jsf bean if spring security config but i don't know how ?

Wrong again, you access a facelets/jsf page and you (may) control access to it via spring security (or other more independent ways like JBoss/RedHat KeyCloak or Apache Shiro or the standardized javaee-8 security api

So why is this not an answer to your question (but I'll leave it here anyway). In your question you state

I cannot access pages using bean, I can only access the pages with the url.

Then debug this... Set breakpoints, are there redirects, any errors, how does the url look like when you type it in, how does it look like when returned from method call to a bean, with and without spring security. Those are relevant details. Make a real 'https://stackoverflow.com/help/minimal-reproducible-example'

And lastly

I've been searching a lot to solve this issue but nothing did work,

How to ask states to search and keep track and unfortunately it only implies to mention in the question what you found (if you don't mention it, it cannot help the ones who try to help you in narrowing things down). and 'nothing did work' is not the best description. Did you get 404's? 500's?

Kukeltje
  • 12,223
  • 4
  • 24
  • 47
  • thank you so much for explaining this to me, I still a beginner in java and spring this is why I'm having a hard time. Actually I'm getting access denied 403 when trying access pages. – Soufiane Odf Jun 05 '20 at 15:36
  • Then why did you not mention this very, very relevant 403? Compare the urls of the normal request and the failed one. Debug, set breakpoints... And please do modern JSF (JSF 2.3, no `@ManagedBean`, with either Spring or CDI but always ues `@Named` and `@Inject` to make it portable. Take a good tutorial. – Kukeltje Jun 05 '20 at 15:49
0

I was missing this line in the form:

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
Soufiane Odf
  • 1,054
  • 2
  • 9
  • 23