- JBoss 4.2.3.GA

Hello, everybody!

I've just noticed a big problem in the web application I'm developing. In this 
application I'm using the FORM authentication method as you can see below in 
the web.xml file:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>permitido</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restrito</web-resource-name>
      <url-pattern>/confirmacaoreserva.jsp</url-pattern>
      <url-pattern>/confirmacaoreserva.faces</url-pattern>
      <url-pattern>/reservaconfirmada.jsp</url-pattern>
      <url-pattern>/reservaconfirmada.faces</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMINISTRADOR</role-name>
      <role-name>USUARIO</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/errologin.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>ADMINISTRADOR</role-name>
  </security-role>
  <security-role>
    <role-name>USUARIO</role-name>
  </security-role>

If I type in the browser's address field any of the protected pages,
confirmacaoreserva.faces or reservaconfirmada.faces, the web container 
redirects me to the login page as expected, as I wasn't authenticated yet. Up 
to this point everything is working without problem. But I noticed, to my 
surprise, that when I click on a link in a web page like this:

<h:commandLink value="#{msg.reservar}" action="#{materiais.reservarMaterial}">
    <f:setPropertyActionListener target="#{materiais.codigoMaterial}"
                                 value="#{material.codigo}" />
</h:commandLink>

// in the backing bean
public String reservarMaterial()
{
    // some processing...
    return "confirmacaoReserva";
}

// in faces-config.xml
<navigation-rule>
    <navigation-case>
        <from-outcome>confirmacaoReserva</from-outcome>
        <to-view-id>/confirmacaoreserva.jsp</to-view-id>
    </navigation-case>
</navigation-rule>

it completely by-passes the web container authentication and redirects me to 
the protected page (confirmacaoreserva) without asking me first to authenticate 
in the login page. Of course this is unacceptable. It seems like JSF is 
completely ignoring the security configuration defined in web.xml. As I said 
above, when I access the protected pages through the browser's address field, 
the authentication mechanism works well, redirecting me to the login page.

So, how can I solve this? How do I fix this problem?

Thank you.
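
An added example, not part of the original post: a JSF navigation case without `<redirect/>` is rendered through a server-side forward, and the container checks `security-constraint` entries against the URL the client requested, not against forward targets. The check below flags navigation cases that forward to a view protected by an `auth-constraint`. The sample descriptors are constructed from the ones quoted above; the `confirmada` outcome and all function names are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed samples modelled on the descriptors quoted in the post.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
</security-constraint><security-constraint>
  <web-resource-collection><url-pattern>/confirmacaoreserva.jsp</url-pattern>
    <url-pattern>/reservaconfirmada.jsp</url-pattern></web-resource-collection>
  <auth-constraint><role-name>USUARIO</role-name></auth-constraint>
</security-constraint></web-app>"""
FACES_CONFIG = """<faces-config><navigation-rule>
  <navigation-case><from-outcome>confirmacaoReserva</from-outcome>
    <to-view-id>/confirmacaoreserva.jsp</to-view-id></navigation-case>
  <navigation-case><from-outcome>confirmada</from-outcome>
    <to-view-id>/reservaconfirmada.jsp</to-view-id><redirect/></navigation-case>
</navigation-rule></faces-config>"""

def parse(xml_text):
    """Parse a descriptor, dropping namespaces so tags match as written."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def protected_patterns(web_xml):
    """url-patterns of constraints that carry an auth-constraint."""
    return [p.text.strip() for sc in parse(web_xml).iter("security-constraint")
            if sc.find("auth-constraint") is not None
            for p in sc.iter("url-pattern")]

def matches(pattern, path):
    """Servlet url-pattern match: '/prefix/*', '*.ext', otherwise exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def forwarded_to_protected(web_xml, faces_config):
    """Navigation cases that forward (no <redirect/>) to a protected view."""
    patterns, hits = protected_patterns(web_xml), []
    for nc in parse(faces_config).iter("navigation-case"):
        view = (nc.findtext("to-view-id") or "").strip()
        if nc.find("redirect") is None and any(matches(p, view) for p in patterns):
            hits.append((nc.findtext("from-outcome"), view))
    return hits

if __name__ == "__main__":
    print(forwarded_to_protected(WEB_XML, FACES_CONFIG))
```

Each flagged case is a path on which the FORM login is never triggered; adding `<redirect/>` to it makes the browser issue a new request for the protected URL, which the container then checks.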


jboss-user mailing list
