Spring Security on a JSF 2.1 web app

Question

I'm just getting started with Spring Security 3.1 and I haven't found a way to implment it on top of a JSF 2.1 web app. I currently have:

A web.xml with:

    <context-param>
    <param-name>contextConfigLocation</param-name>
        <param-value>classpath:applicationContext-business.xml
                     /WEB-INF/applicationContext-security.xml
       </param-value>

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

   <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

And my applicationContext-security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans 
                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/security 
                http://www.springframework.org/schema/security/spring-security-3.1.xsd">



<http pattern="/resources/**" security="none" />

<http use-expressions="true">
<intercept-url pattern="/administracion/departamentos/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/derechos/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/diasfestivos/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/dias/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/solicitudes/**" access="recursoshumanos" />
<intercept-url pattern="/administracion/empleados/**" access="recursoshumanos" />

</http>


<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="rod" password="koala" authorities="recursoshumanos" />
            <user name="dianne" password="emu" authorities="jefe" />
            <user name="scott" password="wombat" authorities="jefe" />
        </user-service>
    </authentication-provider>
</authentication-manager>

I'm guessing this example would work with a regular .jsp but I'm probably missing additional steps to make it work with JSF, unfortunately, I haven't been able to find a fully working example so far. What do i need to do? Thanks!

Edit: The problem is that i can still navigate freely to the secured areas of the application without needing to log in.

Edit: BTW, I just noticed that a filter to the root of the web app does indeed trigger the authentication mechanism. It still fails everywhere else though.

Answer 1

Authorities should start with

ROLE_

Have a look here Spring Security FAQ and SO

Answer 2

As noted by gbagga, the answer was pretty simple: Add the "faces" part of the path to the patterns. Thanks!

Answer 3

Configuration seems to be correct. Maybe you are missing the auto-config="true" option in your http definition. See more here

http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ns-config.html#ns-auto-config

What is your problem exactly? You can not login with the specified username/password? Authorization is not applied to your application?