I set up a JSF (SpringFaces) and Spring Security application where I protected the customer.jsf page in applicationContext-security.xml:
On the main.jsf page I have a link to the customer.jsf. When I click this link, the customer page opens without security check! This is some log output:
But when I am on customer page already, and then clicking the link to customer page itself, I get the login page and following log output:
Seems the source page (from where I come) is security checked, but not the target page (where I want to go to). All other pages in the application are not protected and work fine. Any hint what's wrong? Do you suppose this is a JSF issue or a Spring issue?
I haven't studied up on Spring Security as much as I'd like, but as I understand it, in webapps, Spring Security is piggy-backed on top of the J2EE standard security and I do understand that fairly well.
J2EE container security is an externally-applied system, so its first line of defense knows nothing of the internals of the web application. It therefore applies itself to what it does know, which is incoming URLs.
The container determines role requirements by pattern-matching the incoming URL against lists of patterns with associated role lists. JSF has a problem with this, since the incoming URL is more of a "session handle" than an absolute resource locator and therefore the URL may still be referring to an earlier page.
To prevent this from happening, use the JSF "redirect" option on your navigation requests. That will incur some overhead, but it will force the URL to match the actual resource being requested so that the proper security rules will then be applied.
"privilege" comes from the Latin words for "private" and "law" (legal) and dates to feudal times. To "claim privilege" meant that you were above the laws that applied to the common people.
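The redirect fix described in the answer above, as an added configuration example that is not part of the original question or answers. The view ids, outcome name and role names are assumptions; the question only names the URLs main.jsf and customer.jsf and the file applicationContext-security.xml.

```xml
<!-- faces-config.xml: navigation from the main page to the customer page.
     View ids (/main.xhtml, /customer.xhtml) and the outcome "customer" are
     assumed; the original post names only the URLs main.jsf and customer.jsf. -->
<navigation-rule>
  <from-view-id>/main.xhtml</from-view-id>
  <navigation-case>
    <from-outcome>customer</from-outcome>
    <to-view-id>/customer.xhtml</to-view-id>
    <!-- Without <redirect/>, JSF forwards internally inside the same request:
         the URL the security filter chain matched was /main.jsf (unprotected),
         yet the response renders customer.xhtml. This is the symptom in the
         question: the source page is checked, the target page is not.
         With <redirect/>, JSF answers with a 302 to /customer.jsf, and the
         browser's follow-up GET carries the protected URL, so the
         intercept-url rule below fires before the page is rendered. -->
    <redirect/>
  </navigation-case>
</navigation-rule>

<!-- applicationContext-security.xml (Spring Security namespace config).
     The rule matches only the request URL; it never sees which JSF view
     a postback is about to render. Role names are assumed. -->
<http auto-config="true">
  <intercept-url pattern="/customer.jsf" access="ROLE_USER"/>
  <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</http>
```

One way to confirm the fix in a browser is to watch the address bar after clicking the link: it must change to /customer.jsf, and the login page must appear on that request rather than only when the protected page is reloaded.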