Hi,
which mapping do you use for your faces servlet: postfix (like *.jsf) or
prefix (like /faces/*)? Maybe the "real" JSF urls are not listed in your
intercepter config.
regards
Michael
Madhav Bhargava schrieb:
Hi All,
I am using myfaces 1.1, icefaces 1.8.1, spring 2.5.6, spring security -2.0.5,
WAS 6.0 (app server)
I have configured spring security for my JSF application along with SiteMinder
as an external authentication mechanism. It works fine till a forward happens
from within myfaces.
Here is my spring servlet filter chain declaration:
<filter>
<description>
Spring delegating filter which will initiate
the spring
security filter chain
</description>
<display-name>springSecurityFilterChain</display-name>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
And in my spring application context I have followed the advice from spring
forums and done necessary settings:
Excerpt is:
<security:http
entry-point-ref="preAuthenticatedProcessingFilterEntryPoint"
once-per-request="false">
<security:intercept-url pattern="/index.jsp" filters="none" />
<security:intercept-url pattern="/login.jsp" filters="none" />
<security:intercept-url pattern="/authenticationservlet"
filters="none"/>
<security:intercept-url pattern="**/jsp/common/**"
filters="none"/>
<security:intercept-url pattern="/**/css/**" filters="none"/>
<security:intercept-url pattern="/**/*.js" filters="none"/>
<security:intercept-url pattern="/images/**" filters="none"/>
<security:intercept-url pattern="/**/secure/**" access="ROLE_USER"
/>
<security:intercept-url pattern="/**/operations/**"
access="ROLE_OPERATIONS"/>
<security:intercept-url pattern="/**"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
</security:http>
Now when I forward a request from index.jsp to login.jsp then the spring
filters are called with the login.jsp URL even though the browser shows the old
URL.
However when from within an action method a navigation case is handled then it is not
intercepted by the spring filters at all. However if I give a <redirect/> then
it is properly intercepted with the correct URL as expected.
What can be the reason?
Regards,
Madhav