Spring Security does not recognize protected JSF page in some cases

I set up a JSF (SpringFaces) and Spring Security application where I protected the customer.jsf page in applicationContext-security.xml:

On the main.jsf page I have a link to the customer.jsf. When I click this link, the customer page opens without security check! This is some log output:

But when I am already on the customer page and then click the link to the customer page itself, I get the login page and the following log output:

It seems the source page (where I come from) is security checked, but not the target page (where I want to go). All other pages in the application are not protected and work fine. Any hint what's wrong? Do you suppose this is a JSF issue or a Spring issue?

Thanks! Alex
Welcome to the JavaRanch, Alex!

I haven't studied up on Spring Security as much as I'd like, but as I understand it, in webapps, Spring Security is piggy-backed on top of the J2EE standard security and I do understand that fairly well.

J2EE container security is an externally-applied system, so its first line of defense knows nothing of the internals of the web application. It therefore applies itself to what it does know, which is incoming URLs.

The container determines role requirements by pattern-matching the incoming URL against lists of patterns with associated role lists. JSF has a problem with this, since the incoming URL is more of a "session handle" than an absolute resource locator and therefore the URL may still be referring to an earlier page.

To prevent this from happening, use the JSF "redirect" option on your navigation requests. That will incur some overhead, but it will force the URL to match the actual resource being requested so that the proper security rules will then be applied.
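The redirect option suggested in the reply above, written as a faces-config.xml navigation rule. This is an added example, not part of the original thread; the outcome name `showCustomer` and the view ids `/main.xhtml` and `/customer.xhtml` are assumptions.

```xml
<!-- faces-config.xml (added example; outcome name and view ids are assumed) -->
<faces-config xmlns="http://java.sun.com/xml/ns/javaee" version="1.2">

  <!-- Before: default navigation is a server-side forward.
       The browser posts back to /main.jsf, the URL-based security check
       runs against /main.jsf (unprotected), and JSF then renders the
       customer view inside that same request. The rule for /customer.jsf
       is only consulted on the next request, which posts back to
       /customer.jsf. -->
  <!--
  <navigation-rule>
    <from-view-id>/main.xhtml</from-view-id>
    <navigation-case>
      <from-outcome>showCustomer</from-outcome>
      <to-view-id>/customer.xhtml</to-view-id>
    </navigation-case>
  </navigation-rule>
  -->

  <!-- After: <redirect/> makes JSF answer the postback with an HTTP
       redirect. The browser issues a new GET for /customer.jsf, so the
       URL pattern protecting that page is matched before it is rendered. -->
  <navigation-rule>
    <from-view-id>/main.xhtml</from-view-id>
    <navigation-case>
      <from-outcome>showCustomer</from-outcome>
      <to-view-id>/customer.xhtml</to-view-id>
      <redirect/>
    </navigation-case>
  </navigation-rule>

</faces-config>
```

With JSF 2 implicit navigation, the same effect comes from appending `?faces-redirect=true` to the outcome string returned by the action.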