
Thread: SpringSecurity + JSF - Login after secured page

  1. #1
    Join Date
    Oct 2010
    Posts
    3

    SpringSecurity + JSF - Login after secured page

    Hi and hello

    I've got a problem when I try to use SpringSecurity together with JavaServer Faces.

    I have configured a small testing environment to find the error, but I get the same problems as in my standard web application.

    In my small web application I have 3 pages:
    /faces/input.jspx (1)
    /faces/result.jspx (2)
    /faces/admin/result.jspx (3)

    If I click on a button on page (1) to jump to page (3) (which is the page that should be secured), SpringSecurity should use the standard login form to verify the authentication.
    Instead, it forwards me to page (3) without asking for login. If I now use the back link on page (3) to jump to page (1), it asks me for login.

    So instead of asking BEFORE I come to the page, it asks me when I want to leave the secured page.

    I suppose it has something to do with my "JSF-Navigation-Rule" usage. But I don't really know. The fact is that it asks me correctly for login if I manually go to the secured page (by typing the URL directly into the browser). So SpringSecurity seems to work but seems to have problems with my navigation rules or something like this.

    I have been trying to solve this problem for 3 days now and I cannot find a solution. I suppose it's only a configuration issue, but I'm not sure.

    Do you have a solution or some ideas?

    Here comes my configuration:

    web.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns="http://java.sun.com/xml/ns/javaee"
    	xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    	id="springstandard"
    	version="2.5">
    	
    	<display-name>SpringStandard</display-name>
    	
    	<welcome-file-list>
    		<welcome-file>/index.jsp</welcome-file>
    	</welcome-file-list>
    	
    	<!-- Facelet (Standard in jsf 2) -->
    	<context-param>
    		<param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    		<param-value>.jspx</param-value>
    	</context-param>
    	
    	<context-param>
    		<param-name>facelets.REFRESH_PERIOD</param-name>
    		<param-value>2</param-value>
    	</context-param>
    	
    	<context-param>
    		<param-name>facelets.DEVELOPMENT</param-name>
    		<param-value>true</param-value>
    	</context-param>
    	
    	<!-- JSF -->
    	<context-param>
    		<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    		<param-value>client</param-value>
    	</context-param>
    	<context-param>
    		<param-name>javax.faces.CONFIG_FILES</param-name>
    		<param-value>
    			/WEB-INF/faces-config.xml,/WEB-INF/faces-managed-beans.xml,/WEB-INF/faces-navigation.xml
    		</param-value>
    	</context-param>
    	
    	<!-- Spring -->
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    			/WEB-INF/applicationContext.xml
    			/WEB-INF/applicationContext-daos.xml
    			/WEB-INF/applicationContext-security.xml
    			/WEB-INF/applicationContext-services.xml
    		</param-value>
    	</context-param>
    
    	<filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    	
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    	<listener>
    		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    	</listener>
    
    	<listener>
    		<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    	</listener>
    
    	<!-- JSF -->
    	<servlet>
    		<servlet-name>Faces Servlet</servlet-name>
    		<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    	
    	<servlet-mapping>
    		<servlet-name>Faces Servlet</servlet-name>
    		<url-pattern>*.jsf</url-pattern>
    	</servlet-mapping>
        
    </web-app>
    faces-config.xml
    Code:
    <faces-config
    	xmlns="http://java.sun.com/xml/ns/javaee"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
    		http://java.sun.com/xml/ns/javaee/web-facesconfig_1_2.xsd"
    	version="1.2">
    
    	<!-- Application Config -->
    	<application>
    		<variable-resolver>org.springframework.web.jsf.DelegatingVariableResolver</variable-resolver>
    		<el-resolver>org.springframework.web.jsf.el.SpringBeanFacesELResolver</el-resolver>
    	</application>
    	
    
    	
    </faces-config>
    faces-navigation.xml
    Code:
    <?xml version="1.0"?>
    
    <faces-config
    	xmlns="http://java.sun.com/xml/ns/javaee"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
      http://java.sun.com/xml/ns/javaee/web-facesconfig_1_2.xsd"
    	version="1.2">
    
    	<!-- Navigation Rules -->
    	<navigation-rule>
    		<navigation-case>
    			<from-outcome>submit</from-outcome>
    			<to-view-id>/faces/result.jsf</to-view-id>
    		</navigation-case>
    	</navigation-rule>
    	<navigation-rule>
    		<navigation-case>
    			<from-outcome>submitAsAdmin</from-outcome>
    			<to-view-id>/faces/admin/result.jsf</to-view-id>
    		</navigation-case>
    	</navigation-rule>
    	<navigation-rule>
    		<navigation-case>
    			<from-outcome>back</from-outcome>
    			<to-view-id>/faces/input.jsf</to-view-id>
    		</navigation-case>
    	</navigation-rule>
    	
    	
    </faces-config>
    applicationContext-security.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans 
    		xmlns="http://www.springframework.org/schema/security" 
    		xmlns:beans="http://www.springframework.org/schema/beans"
    		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    		xsi:schemaLocation="http://www.springframework.org/schema/beans 
    			http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    			http://www.springframework.org/schema/security
    			http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
    
    	<http
    		auto-config="true"
    		access-denied-page="/faces/input.jsf">
    
    		<intercept-url pattern="/faces/admin/**" access="ROLE_ADMIN" />
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    
    	</http>
    	
    	<!--
        Usernames/Passwords are
            rod/koala
            dianne/emu
            scott/wombat
            peter/opal
        -->
        <!-- 
        Since Spring 3 the authentication-manager tag has to be used
        -->
        <authentication-manager>
    	    <authentication-provider>
    	        <password-encoder hash="md5"/>
    	        <user-service>
    	            <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
    	            <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
    	            <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
    	            <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
    		    </user-service>
    		</authentication-provider>
    	</authentication-manager>
    </beans:beans>
    And here are the internet pages:

    /faces/input.jspx
    Code:
    <html xmlns="http://www.w3.org/1999/xhtml"
    	xmlns:h="http://java.sun.com/jsf/html"
    	xmlns:ui="http://java.sun.com/jsf/facelets"
    	xmlns:f="http://java.sun.com/jsf/core"
    	xmlns:c="http://java.sun.com/jstl/core"
    	xmlns:sf="http://www.springframework.org/tags/faces"
    	xmlns:a4j="http://richfaces.org/a4j">
    
    <head>
    	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    	<title>Test</title>
    	
    	<sf:includeStyles />
    	<sf:includeScripts />
    	
    	<ui:insert name="headIncludes"/>
    </head>
    
    <body>
    
    <f:view>
    <a4j:form>
    	<h:panelGrid columns="2">
    		<h:outputText value="Wie war nochmal Ihr Name?"/><h:inputText value="#{testService.name}" />
    	</h:panelGrid>
    	<h:commandButton value="Submit" action="submit" />
    	<h:commandButton value="Submit as admin" action="submitAsAdmin" />
    </a4j:form>
    </f:view>
    
    </body>
    
    </html>
    /faces/admin/result.jspx
    Code:
    <html xmlns="http://www.w3.org/1999/xhtml"
    	xmlns:h="http://java.sun.com/jsf/html"
    	xmlns:ui="http://java.sun.com/jsf/facelets"
    	xmlns:f="http://java.sun.com/jsf/core"
    	xmlns:c="http://java.sun.com/jstl/core"
    	xmlns:sf="http://www.springframework.org/tags/faces"
    	xmlns:a4j="http://richfaces.org/a4j">
    
    <head>
    	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    	<title>Test</title>
    	
    	<sf:includeStyles />
    	<sf:includeScripts />
    	
    	<ui:insert name="headIncludes"/>
    </head>
    
    <body>
    
    <f:view>
    <a4j:form>
    	<h:panelGrid columns="1">
    		<h:outputText value="Welcome #{testService.name}! You're an admin."/>
    		<h:commandButton value="back" action="back" />
    	</h:panelGrid>
    </a4j:form>
    </f:view>
    
    </body>
    
    </html>
    /faces/result.jspx
    Code:
    <html xmlns="http://www.w3.org/1999/xhtml"
    	xmlns:h="http://java.sun.com/jsf/html"
    	xmlns:ui="http://java.sun.com/jsf/facelets"
    	xmlns:f="http://java.sun.com/jsf/core"
    	xmlns:c="http://java.sun.com/jstl/core"
    	xmlns:sf="http://www.springframework.org/tags/faces"
    	xmlns:a4j="http://richfaces.org/a4j">
    
    <head>
    	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    	<title>Test</title>
    	
    	<sf:includeStyles />
    	<sf:includeScripts />
    	
    	<ui:insert name="headIncludes"/>
    </head>
    
    <body>
    
    <f:view>
    <a4j:form>
    	<h:panelGrid columns="1">
    		<h:outputText value="Welcome #{testService.name}! You're an admin."/>
    		<h:commandButton value="back" action="back" />
    	</h:panelGrid>
    </a4j:form>
    </f:view>
    
    </body>
    
    </html>

  2. #2
    Join Date
    Oct 2010
    Posts
    3

    Hi again,

    I've tried something new.

    I created my own filter and added it to my web.xml.
    The filter should only write something to a log file if it sees that a user wants to open a specific page in my web application.

    Here I've got the same problem as with SpringSecurity.
    It seems that the request holds the requested URL when he leaves a page.
    It looks like it is the same problem as with the URLs in JSF. JSF always shows only the old URL of the last page in the address bar of your browser.

    Does anyone know how to solve this problem?

    Here is the code for my filter:

    Code:
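    	public void doFilter(ServletRequest request, ServletResponse response,
    			FilterChain chain) throws IOException, ServletException {
    		
    		HttpServletRequest httpRequest = (HttpServletRequest) request;
    		
    		// getPathInfo() returns null for extension mappings such as *.jsf,
    		// so guard against appending the literal string "null" to the path.
    		String pathInfo = httpRequest.getPathInfo();
    		String pathToAnalyse = httpRequest.getServletPath() + (pathInfo != null ? pathInfo : "");
    		if (pathToAnalyse.contains("/jsp/admin/")) {
    			// Log message is German for "page to be blocked".
    			log.info("ZU BLOCKENDE SEITE: " + pathToAnalyse);
    		}
    		
    		// Always continue the chain; this filter only logs.
    		chain.doFilter(request, response);
    	}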
    Thanks for your future help.

  3. #3
    Join Date
    Oct 2010
    Posts
    3

    Yeah!!! I found the solution!

    You can set all navigation-rules in JSF as "redirect".
    JSF will now issue the request as a redirect. Now the browser shows the current URL instead of the old one, and the filters in the application can also read the correct URL.

    You only have to add a <redirect /> in every NavigationCase of the JSF application.

    Code:
    	<navigation-rule>
    		<navigation-case>
    			<from-outcome>administration</from-outcome>
    			<to-view-id>jsp/admin/main.jsp</to-view-id>
    			<redirect />
    		</navigation-case>
    	</navigation-rule>
    After that, SpringSecurity can also work with the correct data.
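
Added example, not part of the original posts: a Python check that lists JSF navigation cases which lack `<redirect />` and lead into a view covered by a restrictive `intercept-url` rule, which is the situation described in this thread (the filter chain only sees the URL of the page being left). The sample XML is constructed from the posted configuration, the function names are hypothetical, and the Ant pattern matching is simplified.

```python
import re
import xml.etree.ElementTree as ET

JEE = "{http://java.sun.com/xml/ns/javaee}"
SEC = "{http://www.springframework.org/schema/security}"

# Constructed sample input, reduced from the configuration posted in the thread.
FACES_NAVIGATION = """<faces-config xmlns="http://java.sun.com/xml/ns/javaee" version="1.2">
  <navigation-rule><navigation-case>
    <from-outcome>submit</from-outcome>
    <to-view-id>/faces/result.jsf</to-view-id>
  </navigation-case></navigation-rule>
  <navigation-rule><navigation-case>
    <from-outcome>submitAsAdmin</from-outcome>
    <to-view-id>/faces/admin/result.jsf</to-view-id>
  </navigation-case></navigation-rule>
</faces-config>"""
SECURITY = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true">
    <intercept-url pattern="/faces/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
  </http>
</beans:beans>"""

def ant_to_regex(pattern):
    """Simplified Ant matcher: ** spans directories, * and ? stay in one segment."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = [table.get(t, re.escape(t)) for t in re.split(r"(\*\*|\*|\?)", pattern)]
    return re.compile("".join(parts) + r"\Z")

def required_access(path, security_xml):
    """Return the access attribute of the first intercept-url that matches path."""
    for rule in ET.fromstring(security_xml).iter(SEC + "intercept-url"):
        if ant_to_regex(rule.get("pattern")).match(path):
            return rule.get("access")
    return None

def forwarded_into_protected(nav_xml, security_xml):
    """List (outcome, view, access) for cases without <redirect/> into a protected view."""
    findings = []
    for case in ET.fromstring(nav_xml).iter(JEE + "navigation-case"):
        view = case.findtext(JEE + "to-view-id", "").strip()
        access = required_access(view, security_xml)
        protected = access not in (None, "IS_AUTHENTICATED_ANONYMOUSLY")
        if protected and case.find(JEE + "redirect") is None:
            findings.append((case.findtext(JEE + "from-outcome"), view, access))
    return findings
```

Calling `forwarded_into_protected(FACES_NAVIGATION, SECURITY)` reports the `submitAsAdmin` case; once every navigation case carries `<redirect />`, the list is empty.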
