Spring Security does not recognize protected JSF page in some cases

 
Greenhorn
I set up a JSF (SpringFaces) and Spring Security application where I protected the customer.jsf page in applicationContext-security.xml:

On the main.jsf page I have a link to the customer.jsf. When I click this link, the customer page opens without security check! This is some log output:

But when I am already on the customer page and then click the link to the customer page itself, I get the login page and the following log output:

Seems the source page (from where I come) is security checked, but not the target page (where I want to go to). All other pages in the application are not protected and work fine. Any hint what's wrong? Do you suppose this is a JSF issue or a Spring issue?

Thanks! Alex
 
Saloon Keeper
Welcome to the JavaRanch, Alex!

I haven't studied up on Spring Security as much as I'd like, but as I understand it, in webapps, Spring Security is piggy-backed on top of the J2EE standard security and I do understand that fairly well.

J2EE container security is an externally-applied system, so its first line of defense knows nothing of the internals of the web application. It therefore applies itself to what it does know, which is incoming URLs.

The container determines role requirements by pattern-matching the incoming URL against lists of patterns with associated role lists. JSF has a problem with this, since the incoming URL is more of a "session handle" than an absolute resource locator and therefore the URL may still be referring to an earlier page.

To prevent this from happening, use the JSF "redirect" option on your navigation requests. That will incur some overhead, but it will force the URL to match the actual resource being requested so that the proper security rules will then be applied.
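
The redirect option suggested in the reply above, shown as an added example that is not part of the original thread or the poster's configuration: a `faces-config.xml` navigation case without and with `<redirect/>`. The view ids (`/main.xhtml`, `/customer.xhtml`) and the outcome name `customer` are assumptions, since the thread does not show the application's navigation rules.

```xml
<!-- faces-config.xml (added example; view ids and outcome name are assumed) -->

<!-- Before: default forward navigation. The postback is sent to /main.jsf,
     the customer view is rendered inside that same request, and a URL-based
     security rule for /customer.jsf is never consulted. -->
<navigation-rule>
  <from-view-id>/main.xhtml</from-view-id>
  <navigation-case>
    <from-outcome>customer</from-outcome>
    <to-view-id>/customer.xhtml</to-view-id>
  </navigation-case>
</navigation-rule>

<!-- After (replaces the rule above): <redirect/> makes JSF answer the
     postback with an HTTP redirect, so the browser issues a new GET for
     /customer.jsf and the URL pattern check runs against the page that is
     actually being requested. -->
<navigation-rule>
  <from-view-id>/main.xhtml</from-view-id>
  <navigation-case>
    <from-outcome>customer</from-outcome>
    <to-view-id>/customer.xhtml</to-view-id>
    <redirect/>
  </navigation-case>
</navigation-rule>
```

With the redirect in place the browser's address bar shows customer.jsf after the click, which is a quick way to confirm that the security rule is now evaluated against the target page.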
 