myfaces-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Madhav Bhargava <>
Subject RE: Spring FilterSecurityInterceptor not been called for myfaces forwards
Date Tue, 12 Jan 2010 07:47:32 GMT
To add if you see the spring security application config, I have the following set:

		<security:intercept-url pattern="/**/secure/**" access="ROLE_USER" />
		<security:intercept-url pattern="/**/operations/**" access="ROLE_OPERATIONS"/>

The URL for the outcome to be forwarded to matches the second interceptor pattern which is

However what the filter receives is "/jsp/secure/hprelanding.jspx" which is the old URL from
where the control is being forwarded. This is not how it happens when using jsp:forward.


-----Original Message-----
>From: Madhav Bhargava 
>Hi Michael,
>Following are the servlet mappings:
>		<servlet-name>Faces Servlet</servlet-name>
>		<url-pattern>*.faces</url-pattern>
>	</servlet-mapping>
>	<servlet-mapping>
>		<servlet-name>Faces Servlet</servlet-name>
>		<url-pattern>*.jspx</url-pattern>
>	</servlet-mapping>
>	<!-- Persistent Faces Servlet Mapping -->
>	<servlet-mapping>
>		<servlet-name>Persistent Faces Servlet</servlet-name>
>		<url-pattern>*.iface</url-pattern>
>	</servlet-mapping>
>The navigation case in faces-config.xml is:
>		<navigation-case>
>			<from-outcome>OPERATION_LANDING</from-outcome>
>			<to-view-id>/jsp/operations/user/operationsLanding.iface</to-view-id>
>		</navigation-case>
>This has been configured as per the icefaces documentation. If we disregard spring security
filter issue the >forward happens properly. Spring security filter gets invoked once after
the return "OPERATION_LANDING" from >within the action method has been executed. The strange
part is that the URL is still the previous one.
>It is strange because when using jsp:forward from index.jsp to login.jsp spring security
filter gets both the >URL's.
>What could be the issue?
>From: Michael Kurz [] 
>which mapping do you use for your faces servlet: postfix (like *.jsf) or 
>prefix (like /faces/*)? Maybe the "real" JSF urls are not listed in your 
>intercepter config.
>Madhav Bhargava schrieb:
> Hi All,
> I am using myfaces 1.1, icefaces 1.8.1, spring 2.5.6, spring security -2.0.5, WAS 6.0
(app server)
> I have configured spring security for my JSF application along with SiteMinder as an
external authentication mechanism. It works fine till a forward happens from within myfaces.
> Here is my spring servlet filter chain declaration:
> <filter>
>                 <description>
>                                 Spring delegating filter which will initiate the spring
>                                 security filter chain
>                 </description>
>                 <display-name>springSecurityFilterChain</display-name>
>                 <filter-name>springSecurityFilterChain</filter-name>
>                 <filter-class>
>                                 org.springframework.web.filter.DelegatingFilterProxy
>                 </filter-class>
> </filter>
> <filter-mapping>
>                 <filter-name>springSecurityFilterChain</filter-name>
>                 <url-pattern>/*</url-pattern>
>                 <dispatcher>FORWARD</dispatcher>
>                 <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
> And in my spring application context I have followed the advice from spring forums and
done necessary settings:
> Excerpt is:
> <security:http
>                 entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" once-per-request="false">
>                 <security:intercept-url pattern="/index.jsp" filters="none" />
>                 <security:intercept-url pattern="/login.jsp" filters="none" />
>                 <security:intercept-url pattern="/authenticationservlet" filters="none"/>
>                 <security:intercept-url pattern="**/jsp/common/**" filters="none"/>
>                 <security:intercept-url pattern="/**/css/**" filters="none"/>
>                 <security:intercept-url pattern="/**/*.js" filters="none"/>
>                 <security:intercept-url pattern="/images/**" filters="none"/>
>                 <security:intercept-url pattern="/**/secure/**" access="ROLE_USER"
>                 <security:intercept-url pattern="/**/operations/**" access="ROLE_OPERATIONS"/>
>                 <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"
> </security:http>
> Now when I forward a request from index.jsp to login.jsp then the spring filters are
called with the login.jsp URL even though the browser shows the old URL.
> However when from within an action method a navigation case is handled then it is not
intercepted by the spring filters at all. However if I give a <redirect/> then it is
properly intercepted with the correct URL as expected.
> What can be the reason?
> Regards,
> Madhav

View raw message