Spring Security is a framework that focuses on providing both authentication and authorization to Java applications.

The following example shows how to setup a PrimeFaces in combination with Spring Security, Spring Boot, and Maven.

General Project Setup

Tools used:

  • Spring Security 4.2
  • Spring Boot 1.5
  • PrimeFaces 6.1
  • JoinFaces 2.4
  • Maven 3.5

The example is based on a previous Hello World Primefaces Tutorial in which we created a greeting dialog based on a first and last name input form.

In order to use Spring Security we add spring-boot-starter-security to the existing Maven POM file. This will include the core security dependencies that are needed for securing our JSF application.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">


  <description>JSF - PrimeFaces Spring Security Example</description>

    <relativePath /> <!-- lookup parent from repository -->


    <!-- spring-boot -->
    <!-- joinfaces -->

      <!-- spring-boot-maven-plugin -->

JSF Security Authorization and Authentication

Spring Security ships with a default login page generator however in this example we will configure a custom login page using PrimeFaces components.

The login.xhtml page is located under src/main/resources/META-INF/resources and consists out of an <p:inputText> for the user name and a <p:password> for the password. A <p:commandButton> is used to submit the form.

Note that the IDs of the input fields need to be 'username' and 'password' respectively as by default Spring Security will look for parameters with these names. We also specify prependId="false" on the form as otherwise the JSF framework will prefix the parameters with the ID of the form. Another option would be to override the default field names using the usernameParameter() and passwordParameter() methods on formLogin() which we use further below.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"

  <h:outputStylesheet name="/css/login.css" />

  <h:form prependId="false">

    <p:panelGrid columns="1" styleClass="ui-fluid center ui-noborder">
      <h2>Please login</h2>

      <p:outputLabel value="Login failed!" styleClass="red"
        rendered="${!empty param['error']}" />

      <p:inputText id="username" placeholder="User name" />
      <p:password id="password" placeholder="Password" />

      <p:commandButton value="Login" ajax="false" />


If Spring Security is on the classpath Spring Boot automatically configures a number of basic security features for a web application.

We will customize the web application security configuration by creating a SecurityConfig class that extends WebSecurityConfigurerAdapter which is a convenient base class that provides a default security configuration. The class is annotated with @EnableWebSecurity to enable Spring Security’s web security support.

In the below SecurityConfig configuration class we override the configure(HttpSecurity http) method in order to define when and how users need to be authenticated.

Specifying authorizeRequests().anyRequest().authenticated() ensures that any request to our application requires the user to be authenticated.

The static resources (CSS, JavaScript, …) need to be accessible to anyone otherwise the look and feel of the login page won’t be the same as the rest of the application. Adding antMatchers("/javax.faces.resource/**").permitAll() allows anyone to access a URL that begins with /javax.faces.resource/ (which is where the static resources in a JSF application are served).

As we have defined a custom PrimeFaces login page we need to specify its location using formLogin().loginPage("/login.xhtml") so that when authentication is required, the browser is redirected to /login.xhtml. We also need permitAll() on the login page so that anyone has access otherwise we end up in a redirect loop.

If the login fails we redirect to the same login page with a error=true HTTP parameter in the URL using failureUrl("/login.xhtml?error=true"). This allows us to display and error message to the user.

Using WebSecurityConfigurerAdapter, logout capabilities are automatically applied. The default is that accessing the URL /logout will log the user out. By specifying logout().logoutSuccessUrl("/login.xhtml") we redirect the user to the login page once he/she is successfully logged out.

Spring Security automatically applies measures to prevents CSRF attacks by requiring a randomly generated token as an HTTP parameter. However as JSF 2.2 already contains an explicit protection against CSRF attacks we disable the Spring Security protection by specifying http.csrf().disable().

We will override the default single user AuthenticationManager that Spring Boot sets by auto-wiring an AuthenticationManagerBuilder into the configureGlobal() of our SecurityConfig @Configuration class. For this example we use in-memory authentication in which two users ('john.doe' and 'jane.doe') with different roles ('USER' and 'ADMIN') are defined.

package com.codenotfound.primefaces;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class SecurityConfig extends WebSecurityConfigurerAdapter {

  protected void configure(HttpSecurity http) throws Exception {
    // require all requests to be authenticated except for the resources
    // login
    // logout
    // not needed as JSF 2.2 is implicitly protected against CSRF

  public void configureGlobal(AuthenticationManagerBuilder auth)
      throws Exception {

When debugging Spring Security it is sometimes useful to enable the DEBUG level on the org.springframework.security logger. We have added this logger to the logback.xml logging configuration file located under src/main/resources.

Role Based Access Control

Now that access to our application is secured we will adapt the Hello World example to illustrate role-based access control.

Spring Security has its own taglib which provides basic support for accessing security information and applying security constraints in JSPs.

On the helloworld.xhtml page we add a <div> element in which we use the authorize tag in order to display a message in case the user has the 'USER' or 'ADMIN' role.

We also add a logout <p:commandButton> at the bottom of the page. Note that we do not use <h:form> as JSF sets the form action automatically to the current page and what we want to do is to navigate to the default logout URL offered by Spring Security.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"

  <title>PrimeFaces Hello World Example</title>
  <h:outputStylesheet name="/css/main.css" />


  <div class="authorization-div">
    <sec:authorize access="hasRole('ROLE_USER')">
      <p:outputLabel value="You have the USER role" />
    <sec:authorize access="hasRole('ROLE_ADMIN')">
      <p:outputLabel value="You have the ADMIN role" />

    <p:panel header="PrimeFaces Hello World Example">
      <h:panelGrid columns="2" cellpadding="4">

        <h:outputText value="First Name: " />
        <p:inputText value="#{helloWorld.firstName}" />

        <h:outputText value="Last Name: " />
        <p:inputText value="#{helloWorld.lastName}" />

        <p:commandButton value="Submit" update="greeting"
          oncomplete="PF('greetingDialog').show()" />

    <p:dialog header="Greeting" widgetVar="greetingDialog"
      modal="true" resizable="false">
      <h:panelGrid id="greeting" columns="1" cellpadding="4">
        <h:outputText value="#{helloWorld.showGreeting()}" />

  <h:form onsubmit="this.action='#{request.contextPath}/logout';"
    <p:commandButton value="Logout" ajax="false" />


To wrap up we illustrate how you can access the current Authentication object stored in the security context.

We modify the showGreeting() method to display the name of the authenticated user by calling SecurityContextHolder.getContext().getAuthentication() as shown below.

package com.codenotfound.primefaces.model;

import javax.faces.bean.ManagedBean;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class HelloWorld {

  private String firstName = "";
  private String lastName = "";

  public String getFirstName() {
    return firstName;

  public void setFirstName(String firstName) {
    this.firstName = firstName;

  public String getLastName() {
    return lastName;

  public void setLastName(String lastName) {
    this.lastName = lastName;

  public String showGreeting() {
    Authentication authentication =

    return "Hello " + authentication.getName() + "!";

Testing the JSF Security Roles

Let’s test our secured PrimeFace example by running following Maven command:

mvn spring-boot:run

Once Spring Boot has started, open a web browser and enter the following URL: http://localhost:9090/codenotfound/helloworld.xhtml.

As we are not authenticated, Spring Security will redirect us to the login page.

jsf primefaces login page

Go ahead and enter the following user name=john.doe and password=1234 and click the Login button. We now see the Hello World page and the role of the user is displayed up top as shown below.

jsf primefaces user role

If we click on Submit then the user name that was used to log in will be displayed.

jsf primefaces authentication user name

Press the Logout button in order to be redirected to the login page. If we now enter the same user but with an incorrect password an error message will be displayed.

jsf primefaces login error

github mark If you would like to run the above code sample you can get the full source code here.

The Spring Security framework is packed with out-of-the-box features that allow you to secure your JSF web application. All that is needed is a bit of configuration in order to setup authentication and authorization of users accessing our PrimeFaces example.

Let me know if you found the tutorial helpful or in case you have some questions or remarks. Thanks!

Leave a Comment