Thread: JSF/ACEGI : weird behavior securing URLs

  1. #1

    JSF/ACEGI : weird behavior securing URLs

    Hello,

    I'd like to submit a painful problem I have been facing for 2 days and that is driving me crazy!
    My webapp (running on Tomcat 5.5) uses Spring/Hibernate/JSF (Sun RI) and now the powerful Acegi system for all of the security requirements.
    Everything seems to work great, except the URL navigation protection!

    As you probably know, JSF has, by design, a "navigation engine" that relies on forwards instead of redirects. The URL displayed in the browser rarely corresponds to the page actually displayed (in fact, the URL is that of the previous navigation).
    As a consequence, the big problem is that any protected URI is nevertheless displayed!
    And it's only when the subsequent navigation happens that my login page appears! Damned.

    I thought I had found "the" trivial solution, according to some of my searches and readings on servlet filters, by adding to the filter mapping:

    Code:
    <filter-mapping>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <url-pattern>/faces/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    But nothing changed. It seems that the forward request is not intercepted by the filter chain?
    In debug-level mode, I can confirm that there is absolutely no trace of the forward request in the filter traces.

    Any idea? Please!

  2. #2

    Well, the only workaround I've found was to systematically specify a <redirect/> to each jsf navigation rule.
    Not really satisfying, but that works...
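One way to apply the <redirect/> workaround from this reply, together with the Acegi interceptor definition it relies on (an added example, not the poster's configuration; the view ids, the "create" outcome and the bean names are assumed):

```xml
<!-- faces-config.xml (added example; view ids and the "create" outcome are assumed) -->
<navigation-rule>
  <from-view-id>/company/list.jsp</from-view-id>
  <navigation-case>
    <from-outcome>create</from-outcome>
    <to-view-id>/company/new.jsp</to-view-id>
    <!-- Without <redirect/> JSF forwards internally: the browser URL stays
         /company/list.jsf and FilterSecurityInterceptor evaluates the rules
         for list.jsf, not new.jsf. With it, the browser issues a fresh
         GET /company/new.jsf that passes through the whole Acegi filter chain. -->
    <redirect/>
  </navigation-case>
</navigation-rule>

<!-- applicationContext-acegi.xml: the interceptor the redirected request hits.
     The authenticationManager / accessDecisionManager bean names are assumed. -->
<bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <!-- Default is true: the interceptor marks the request and skips any second
       invocation (such as a FORWARD dispatch) within the same request. Leave it
       true when redirects are used; only a FORWARD-based setup needs false. -->
  <property name="observeOncePerRequest" value="true"/>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /company/**=IS_AUTHENTICATED_FULLY,ROLE_CONSYS
    </value>
  </property>
</bean>
```

Paths not listed in the objectDefinitionSource (such as /login.jsf) carry no configuration attributes and are treated as public.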

  3. #3

    Hi ecamps! I have the same problem, did you solve it?

    Thanx!

    Peace!

  4. #4

    Sorry...
    No, I never solved this issue.
    Furthermore, I've shifted from JSF to the GWT framework :-)
    Anyway, good luck!

  5. #5

    Got the same problem, I can't intercept navigation.

    In my JSF page, list.jsf, I have a backing bean, CompanyMBean, and some methods, like create(), that navigate to another page, new.jsf.

    Calling #{companyMBean.create} calls the CompanyMBean.create method and renders another page, new.jsf, but Acegi checks for list.jsf.

    I have a custom AccessDecisionVoter (SecurityRoleVoter) and a LoggerListener (SecurityLoggerListener).

    The flow is above.

    Access the page /company/list.jsf. Since I'm not logged in, I'm redirected to /login.jsf.

    Code:
    2007-10-04 14:50:50,296 WARN  event.authorization.LoggerListener  -> Security interception failed due to: org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext; secure object: FilterInvocation: URL: /company/list.jsf; configuration attributes: [IS_AUTHENTICATED_FULLY, ROLE_CONSYS]
    2007-10-04 14:50:50,296 INFO  business.security.SecurityLoggerListener  -> event ---->>>>> 1191520250296
    2007-10-04 14:50:50,296 INFO  business.security.SecurityLoggerListener  ->              ---->>>>> FilterInvocation: URL: /company/list.jsf
    2007-10-04 14:50:50,437 INFO  event.authorization.LoggerListener  -> Security interception not required for public secure object: FilterInvocation: URL: /login.jsf
    2007-10-04 14:50:50,437 INFO  business.security.SecurityLoggerListener  -> event ---->>>>> 1191520250437
    2007-10-04 14:50:50,437 INFO  business.security.SecurityLoggerListener  ->              ---->>>>> FilterInvocation: URL: /login.jsf
    After login, I can access /list.jsf.
    Code:
    2007-10-04 14:53:13,453 INFO  business.security.SecurityRoleVoter  -> -------------------- checking permissions for -> /company/list.jsf
    2007-10-04 14:53:13,453 INFO  business.security.SecurityRoleVoter  -> -------------------- returning -> 1
    2007-10-04 14:53:13,453 INFO  business.security.SecurityRoleVoter  -> -------------------- checking permissions for -> /company/list.jsf
    2007-10-04 14:53:13,453 INFO  business.security.SecurityRoleVoter  -> -------------------- returning -> 1
    2007-10-04 14:53:13,453 INFO  event.authorization.LoggerListener  -> Security authorized for authenticated principal: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@5a46fcdc: Username: luciano; Password: [PROTECTED]; Authenticated: true; Details: br.com.business.security.SecurityUserDetails@369fdc; Granted Authorities: ROLE_USER; secure object: FilterInvocation: URL: /company/list.jsf; configuration attributes: [IS_AUTHENTICATED_FULLY, ROLE_CONSYS]
    2007-10-04 14:53:13,453 INFO  business.security.SecurityLoggerListener  -> event ---->>>>> 1191520393453
    2007-10-04 14:53:13,453 INFO  business.security.SecurityLoggerListener  ->              ---->>>>> FilterInvocation: URL: /company/list.jsf
    When I click the commandButton that calls #{companyMBean.create}, the method is called but has no effect.

    Code:
    2007-10-04 14:54:23,937 INFO  business.security.SecurityRoleVoter  -> -------------------- checking permissions for -> /company/list.jsf
    2007-10-04 14:54:23,937 INFO  business.security.SecurityRoleVoter  -> -------------------- returning -> 1
    2007-10-04 14:54:23,937 INFO  business.security.SecurityRoleVoter  -> -------------------- checking permissions for -> /company/list.jsf
    2007-10-04 14:54:23,937 INFO  business.security.SecurityRoleVoter  -> -------------------- returning -> 1
    2007-10-04 14:54:23,937 INFO  event.authorization.LoggerListener  -> Security authorized for authenticated principal: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@5a46fcdc: Username: luciano; Password: [PROTECTED]; Authenticated: true; Details: br.com.business.security.SecurityUserDetails@369fdc; Granted Authorities: ROLE_USER; secure object: FilterInvocation: URL: /company/list.jsf; configuration attributes: [IS_AUTHENTICATED_FULLY, ROLE_CONSYS]
    2007-10-04 14:54:23,937 INFO  business.security.SecurityLoggerListener  -> event ---->>>>> 1191520463937
    2007-10-04 14:54:23,937 INFO  business.security.SecurityLoggerListener  ->              ---->>>>> FilterInvocation: URL: /company/list.jsf
    2007-10-04 14:54:23,953 INFO  business.mbeans.CompanyMBean  -> create()
    So, I have some questions:

    1) Why is my SecurityRoleVoter being called twice?

    2) How can I intercept the navigation?

    Thanks.
    Last edited by sp00ky; Oct 4th, 2007 at 02:38 PM.

  6. #6

    Yay!!!

    Hi guys! With a few little changes it's finally running!!! I'll organize my source and configuration XMLs and post them here, ok?! But I affirm that a blog helped me. This one: http://blogs.steeplesoft.com/2006/11...rity-with-jsf/

    Very Good!

    Peace!

  7. #7

    Hi Guys! I placed the following listener in my web.xml.

    Code:
    <listener>
        <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>
    Then my application started to intercept navigation/requests.

    Peace!

  8. #8

    SOLVED: question #1, the RoleVoter being called twice; see here for my implementation:

    http://forum.springframework.org/showthread.php?t=44699

    I still have issues with navigation, since the FilterInvocation is being called, but the URL is still list.jsf, and I want to intercept the <to-view-id> address.

    I made a new post about this issue, since I think that it can be solved by using a MethodSecurityInterceptor, check the link above.
