
I have the following configuration in Spring Security:

    http.requestMatchers().antMatchers("/admin/**", "/login", "/logout").and()
        .authorizeRequests()
        .antMatchers("/admin/**").hasRole("ADMIN")
        .and().formLogin().loginPage("/main.xhtml")
        .loginProcessingUrl("/login").defaultSuccessUrl("/admin.xhtml").and()
        .exceptionHandling().accessDeniedPage("/denied.xhtml");

In a login controller (JSF backing bean) I have:

    public void doLogin() throws ServletException, IOException {
        ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
        RequestDispatcher dispatcher = ((ServletRequest) context.getRequest()).getRequestDispatcher("/login");
        dispatcher.forward((ServletRequest) context.getRequest(), (ServletResponse) context.getResponse());
        FacesContext.getCurrentInstance().responseComplete();
    }

I am using Primefaces for frontend components.

This is the login form:

<h:form id="form" prependId="false">
   <p:messages id="errorMessages" showDetail="false" autoUpdate="true" />
   <p:outputLabel for="username" value="Username"  />
   <p:inputText id="username"  required="true" label="username" />
   <p:outputLabel for="password" value="Password" />
   <p:inputText id="password"  required="true" label="password" />
   <p:commandButton  id="login" value="Login" update="errorMessages"
      action="#{loginController.doLogin}" />
</h:form>

The problem is that the previous configuration completely forwards the response from Spring Security when trying to log in, so the login doesn't work. For it to work I would need to add ajax="false" in the p:commandButton, but this would cause the whole page to reload in case of a login failure. Reloading the whole page breaks the user experience; for example, in my case users would need to scroll down to the login form if there's a login error.

How can I configure in either JSF or Spring Security so that I can do an AJAX login? Also, in this process, how could I show authentication failure messages from Spring Security?

Cenobyte321
  • Could you please explain to me how the answer in the duplicate question applies here? I am trying to redirect the user after a successful login using AJAX, not trying to validate if a session is alive. – Cenobyte321 Feb 29 '16 at 20:32
  • Does it work with plain JSF components? – Kukeltje Mar 01 '16 at 07:57
  • @Kukeltje with plain JSF components the page reloads when there's an authentication error. It's analogous to adding ajax="false" to the p:commandButton. What I would like is for the Spring Security login validation to be performed in an AJAX way with JSF so it can work just like any other AJAX validation with Primefaces. – Cenobyte321 Mar 01 '16 at 17:04
  • Have you checked http://stackoverflow.com/questions/12074756/integrating-spring-security-with-ajax-calls and http://stackoverflow.com/questions/4912485/spring-security-ajax-login concerning the main problem? – serv-inc Mar 09 '16 at 17:19
  • Further reading: http://stackoverflow.com/questions/32708205/spring-security-authentication-failure-message-without-redirects – serv-inc Mar 09 '16 at 17:20

0 Answers
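One way to keep the login inside the JSF AJAX request is to authenticate programmatically in the backing bean instead of forwarding to /login; this is an added example, not code from the question or from Spring Security's documentation. Because the form-login filter is bypassed, the bean has to rotate the session id and store the security context itself. Assumptions: an AuthenticationManager is injected into the bean, the form fields are bound with value="#{loginController.username}" and value="#{loginController.password}", the container supports Servlet 3.1, and the field and setter names are hypothetical.

```java
import java.io.IOException;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Hypothetical variant of the question's backing bean; wiring and names are assumptions.
public class LoginController {
    private AuthenticationManager authenticationManager; // assumed to be injected
    private String username, password;                   // assumed bound to the form fields
    public void doLogin() throws IOException {
        FacesContext faces = FacesContext.getCurrentInstance();
        ExternalContext external = faces.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) external.getRequest();
        try {
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // The form-login filter is bypassed, so rotate the session id here
            request.getSession(true);
            request.changeSessionId(); // Servlet 3.1; prevents session fixation
            // and store the context under the key Spring Security reads it from.
            SecurityContext ctx = SecurityContextHolder.createEmptyContext();
            ctx.setAuthentication(result);
            SecurityContextHolder.setContext(ctx);
            request.getSession().setAttribute(
                    HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, ctx);
            // On an AJAX postback JSF writes this as a partial-response redirect.
            external.redirect(external.getRequestContextPath() + "/admin.xhtml");
        } catch (AuthenticationException e) {
            // Generic text: do not reveal whether the user name or the password was wrong.
            faces.addMessage(null, new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Login failed", null));
        } finally {
            password = null; // do not keep the credential in the bean
        }
    }
    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
    public void setAuthenticationManager(AuthenticationManager m) { authenticationManager = m; }
}
```

With only the matchers shown in the question, `/admin.xhtml` is not matched by `/admin/**`, so the stored context is checked only on requests under `/admin/`.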