Posted to users@myfaces.apache.org by Francesco Consumi <co...@istitutodeglinnocenti.it> on 2007/05/10 22:39:29 UTC

Login page

Hi all,

I'm currently managing security in my webapps with a session bean
with user data, and at the top of every page something similar:
<c:if test="${!ub.currentUser.isValid}">
    <c:redirect url="login.jsf"/>
</c:if>


Now, I'd like to use something more modern, and I'm investigating
securityContext and <security-constraint> tags.

I created a web.xml section as follows:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>JSF pages</web-resource-name>
       <url-pattern>*.jsf</url-pattern>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
     </web-resource-collection>
     <auth-constraint>
       <description>desc</description>
       <role-name>admin</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/login.jsf</form-login-page>
       <form-error-page>/invlevelpage.jsf</form-error-page>
     </form-login-config>
   </login-config>

But it doesn't work. I obtain an empty page and the following error:
javax.servlet.ServletException: ExtensionsFilter not correctly  
configured. JSF mapping missing. JSF pages not covered. Please see:  
http://myfaces.apache.org/tomahawk/extensionsFilter.html


Obviously, extensionFilter is already defined since the application  
exists. :-)

What am I doing wrong? And, a more general question: is it the right
way to apply security to a webapp?

thanks to all,

-- 
Francesco Consumi
Ufficio Sistemi informativi
Istituto degli Innocenti
Piazza SS.Annunziata, 12
50122 Firenze
consumi at istitutodeglinnocenti.it
Tel. +39 055 2037320
ICQ# 12516133


Re: Login page

Posted by Francesco Consumi <co...@istitutodeglinnocenti.it>.
>
> It might be possible to force the ExtensionsFilter to run by  
> defining an additional filter-mapping like:
>   <filter-mapping>
>     <filter-name>extensionsFilter</filter-name>
>     <url-pattern>/login.jsf</url-pattern>
>     <dispatcher>FORWARD</dispatcher>
>   </filter-mapping>
> which will run the filter on a forward.
>
> Does your login page really need to be a JSF page (ie contain JSF  
> tags)? It might be easier to just implement it as a normal JSP page.
>

It's a JSF page. Anyway, it worked: now it forwards to login. Thanks :-)


Re: Login page

Posted by Simon Kitching <si...@rhe.co.nz>.
When using Tomcat, the following is what happens:
* Tomcat checks url and detects that security constraint is violated. 
This check occurs *before* any filters are run
* Tomcat immediately performs an internal forward to the url specified 
in the form-login-page.
* Your version of that page apparently contains a JSF tag that needs 
help from the ExtensionsFilter. The tag therefore checks whether the 
ExtensionsFilter has run, and finds it has not so throws an exception.

I believe that at least some other servlet containers use HTTP REDIRECT 
to send the user to the login page rather than an internal forward. This 
seems more sensible to me for a number of reasons. However Tomcat has no 
option to do this.

It might be possible to force the ExtensionsFilter to run by defining an 
additional filter-mapping like:
   <filter-mapping>
     <filter-name>extensionsFilter</filter-name>
     <url-pattern>/login.jsf</url-pattern>
     <dispatcher>FORWARD</dispatcher>
   </filter-mapping>
which will run the filter on a forward.

Does your login page really need to be a JSF page (ie contain JSF tags)? 
It might be easier to just implement it as a normal JSP page.

Regards,

Simon

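Added example (not part of the original thread and not MyFaces project code): a web.xml fragment for a Servlet 2.4 or later descriptor that combines the constraint from the first message with the FORWARD mapping suggested in the reply. The existing *.jsf mapping for extensionsFilter, the mapping for the error page and the security-role declaration are assumptions; the <http-method> elements are dropped so the constraint covers every HTTP method rather than only GET and POST.

```xml
<!-- Added example; assumes Servlet 2.4 or later, where <dispatcher> is available. -->

<!-- Assumed existing mapping: with no <dispatcher> it covers client requests only. -->
<filter-mapping>
  <filter-name>extensionsFilter</filter-name>
  <url-pattern>*.jsf</url-pattern>
</filter-mapping>

<!-- Mapping from the thread: run the filter when the container forwards
     internally to the login page. -->
<filter-mapping>
  <filter-name>extensionsFilter</filter-name>
  <url-pattern>/login.jsf</url-pattern>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>

<!-- Assumption: the error page is also reached by a forward and uses tags
     that need the filter. -->
<filter-mapping>
  <filter-name>extensionsFilter</filter-name>
  <url-pattern>/invlevelpage.jsf</url-pattern>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSF pages</web-resource-name>
    <url-pattern>*.jsf</url-pattern>
    <!-- No <http-method> elements: the constraint applies to every method.
         Listing only GET and POST leaves other methods unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsf</form-login-page>
    <form-error-page>/invlevelpage.jsf</form-error-page>
  </form-login-config>
</login-config>

<!-- Assumed: declare the role referenced by the auth-constraint. -->
<security-role>
  <role-name>admin</role-name>
</security-role>
```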