I'm trying to implement web resource security in a JSF application but the behavior is strange. It seems like it's protecting not the resource that should be protected but the next resource that is requested afterwards. Maybe it has something to do with the fact that in a JSF application the URL you see in the browser is always one step "behind"?
I would expect the be prompted for the password when I open up the new customer form. Instead, the customer form opens up without any protection, while I get prompted "After the fact", i.e. when I submit the form or click any button I made available on the form.
I'm using Netbeans and glassfish.
Yup. Container (declarative) security is based on the incoming URL and not on what's actually being accessed. One of the more annoying things about JSF.
The way around this is to add the "<redirect/>" element to your navigation rule that's displaying the new page. That will cause JSF to internally redirect, setting the URL to indicate the actual new view and thereby applying the proper security filtering.
Customer surveys are for companies who didn't pay proper attention to begin with.