
How to protect URL web resources through declarative security in a JSF application?

 
Tomasz Romanowski
Ranch Hand
Posts: 38
I'm trying to implement web resource security in a JSF application but the behavior is strange. It seems like it's protecting not the resource that should be protected but the next resource that is requested afterwards. Maybe it has something to do with the fact that in a JSF application the URL you see in the browser is always one step "behind"?
Example:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Create Customer</web-resource-name>
        <url-pattern>/faces/customer/New.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>poweruser</role-name>
    </auth-constraint>
</security-constraint>

I would expect to be prompted for the password when I open up the new customer form. Instead, the customer form opens up without any protection, while I get prompted "after the fact", i.e. when I submit the form or click any button I made available on the form.
I'm using NetBeans and GlassFish.
Tom
 
Tim Holloway
Bartender
Posts: 18419
Yup. Container (declarative) security is based on the incoming URL and not on what's actually being accessed. One of the more annoying things about JSF.

The way around this is to add the "<redirect/>" element to your navigation rule that's displaying the new page. That will cause JSF to internally redirect, setting the URL to indicate the actual new view and thereby applying the proper security filtering.
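
An added illustration of the navigation rule described above (not part of the original posts). The source view /customer/List.jsp and the outcome name newCustomer are hypothetical; only /customer/New.jsp comes from the url-pattern in the question. The fragment belongs inside the application's faces-config.xml.

```xml
<!-- faces-config.xml fragment (example; view id List.jsp and outcome
     "newCustomer" are assumed names, not taken from the thread) -->
<navigation-rule>
    <from-view-id>/customer/List.jsp</from-view-id>
    <navigation-case>
        <from-outcome>newCustomer</from-outcome>
        <to-view-id>/customer/New.jsp</to-view-id>
        <!--
            Without <redirect/>, JSF renders New.jsp in the same request as
            the postback to /faces/customer/List.jsp. The container only
            evaluates <security-constraint> url-patterns against that
            incoming URL, so /faces/customer/New.jsp is never checked and
            the form is shown without authentication.

            With <redirect/>, JSF answers the postback with an HTTP redirect.
            The browser then issues a new GET for /faces/customer/New.jsp,
            which matches the protected url-pattern, so the container
            demands the "poweruser" role before the view is rendered.
        -->
        <redirect/>
    </navigation-case>
</navigation-rule>
```

Every navigation case that leads to a protected view needs the same element; a case left without it still reaches the view under the previous page's URL.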
 