How to protect URL web resources through declarative security in a JSF application?

Tomasz Romanowski
Ranch Hand

Joined: May 06, 2009
Posts: 38
I'm trying to implement web resource security in a JSF application but the behavior is strange. It seems like it's protecting not the resource that should be protected but the next resource that is requested afterwards. Maybe it has something to do with the fact that in a JSF application the URL you see in the browser is always one step "behind"?
Example:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Create Customer</web-resource-name>
        <url-pattern>/faces/customer/New.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>poweruser</role-name>
    </auth-constraint>
</security-constraint>

I would expect to be prompted for the password when I open up the new customer form. Instead, the customer form opens up without any protection, while I get prompted "after the fact", i.e. when I submit the form or click any button I made available on the form.
I'm using NetBeans and GlassFish.
Tom
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 14491
    

Yup. Container (declarative) security is based on the incoming URL and not on what's actually being accessed. One of the more annoying things about JSF.

The way around this is to add the "<redirect/>" element to your navigation rule that's displaying the new page. That will cause JSF to internally redirect, setting the URL to indicate the actual new view and thereby applying the proper security filtering.


Customer surveys are for companies who didn't pay proper attention to begin with.
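
The navigation-rule change described in the reply above, as an added example that is not part of the original posts. The view ids and the outcome name (/customer/List.jsp, customer_create) are assumptions; only the /faces/customer/New.jsp URL comes from the thread, and the rule assumes the FacesServlet is mapped to /faces/*.

```xml
<!-- faces-config.xml: added example; view ids and outcome name are assumed -->
<faces-config xmlns="http://java.sun.com/xml/ns/javaee" version="1.2">

  <!-- Before: no <redirect/>. JSF renders /customer/New.jsp by a server-side
       forward, so the only request the container checked was the postback to
       /faces/customer/List.jsp. The constraint on /faces/customer/New.jsp is
       first evaluated when the form itself posts back.

  <navigation-rule>
    <from-view-id>/customer/List.jsp</from-view-id>
    <navigation-case>
      <from-outcome>customer_create</from-outcome>
      <to-view-id>/customer/New.jsp</to-view-id>
    </navigation-case>
  </navigation-rule>
  -->

  <!-- After: <redirect/> makes the browser issue a fresh GET for
       /faces/customer/New.jsp. That incoming URL matches the url-pattern in
       web.xml, so the poweruser check runs before the form is displayed. -->
  <navigation-rule>
    <from-view-id>/customer/List.jsp</from-view-id>
    <navigation-case>
      <from-outcome>customer_create</from-outcome>
      <to-view-id>/customer/New.jsp</to-view-id>
      <redirect/>
    </navigation-case>
  </navigation-rule>

</faces-config>
```

Because the redirect starts a new request, request-scoped beans and attributes set during the action are not available when New.jsp renders.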
 