
Spring Security does not recognize protected JSF page in some cases

 
Alex De
Greenhorn
Posts: 3
I set up a JSF (SpringFaces) and Spring Security application where I protected the customer.jsf page in applicationContext-security.xml:

On the main.jsf page I have a link to the customer.jsf. When I click this link, the customer page opens without security check! This is some log output:

But when I am on customer page already, and then clicking the link to customer page itself, I get the login page and following log output:

Seems, the source page (from where I come) is security checked, but not the target page (where I want to go to). All other pages in the application are not protected and work fine. Any hint what's wrong? Do you suppose, this is a JSF issue or Spring issue?

Thanks! Alex
 
Tim Holloway
Bartender
Posts: 18531
Welcome to the JavaRanch, Alex!

I haven't studied up on Spring Security as much as I'd like, but as I understand it, in webapps, Spring Security is piggy-backed on top of the J2EE standard security and I do understand that fairly well.

J2EE container security is an externally-applied system, so its first line of defense knows nothing of the internals of the web application. It therefore applies itself to what it does know, which is incoming URLs.

The container determines role requirements by pattern-matching the incoming URL against lists of patterns with associated role lists. JSF has a problem with this, since the incoming URL is more of a "session handle" than an absolute resource locator and therefore the URL may still be referring to an earlier page.

To prevent this from happening, use the JSF "redirect" option on your navigation requests. That will incur some overhead, but it will force the URL to match the actual resource being requested so that the proper security rules will then be applied.
 
Don't get me started about those stupid light bulbs.
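
The navigation change suggested in the reply above, shown as an added example that is not part of the original thread or the poster's configuration. It is a standard JSF `faces-config.xml` navigation rule; the outcome name `customer` and the view ids `/main.xhtml` and `/customer.xhtml` are assumed, since the thread does not show the application's navigation setup.

```xml
<!-- faces-config.xml (added example; outcome name and view ids are assumed) -->
<navigation-rule>
  <from-view-id>/main.xhtml</from-view-id>

  <!-- Before: no <redirect/>. The link on main.jsf posts back to /main.jsf
       and JSF renders the customer view by an internal forward, so a
       URL-pattern security check only sees /main.jsf for that request.
       The next postback, made from the customer view, goes to /customer.jsf
       and is the first request that matches the protected pattern. -->
  <!--
  <navigation-case>
    <from-outcome>customer</from-outcome>
    <to-view-id>/customer.xhtml</to-view-id>
  </navigation-case>
  -->

  <!-- After: <redirect/> makes JSF answer the postback with an HTTP redirect.
       The browser then issues a new GET for /customer.jsf, so the URL
       pattern is evaluated before the customer view is rendered. -->
  <navigation-case>
    <from-outcome>customer</from-outcome>
    <to-view-id>/customer.xhtml</to-view-id>
    <redirect/>
  </navigation-case>
</navigation-rule>
```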