Re: Spring FilterSecurityInterceptor not been called for myfaces forwards

Mon, 11 Jan 2010 23:36:55 -0800 

Hi,
which mapping do you use for your faces servlet: postfix (like *.jsf) or prefix (like /faces/*)? Maybe the "real" JSF urls are not listed in your intercepter config. 

regards
Michael

Madhav Bhargava schrieb:

Hi All,

I am using myfaces 1.1, icefaces 1.8.1, spring 2.5.6, spring security -2.0.5, 
WAS 6.0 (app server)

I have configured spring security for my JSF application along with SiteMinder 
as an external authentication mechanism. It works fine till a forward happens 
from within myfaces.

Here is my spring servlet filter chain declaration:
<filter>
                <description>
                                Spring delegating filter which will initiate 
the spring
                                security filter chain
                </description>
                <display-name>springSecurityFilterChain</display-name>
                <filter-name>springSecurityFilterChain</filter-name>
                <filter-class>
                                
org.springframework.web.filter.DelegatingFilterProxy
                </filter-class>
</filter>

<filter-mapping>
                <filter-name>springSecurityFilterChain</filter-name>
                <url-pattern>/*</url-pattern>
                <dispatcher>FORWARD</dispatcher>
                <dispatcher>REQUEST</dispatcher>
</filter-mapping>

And in my spring application context I have followed the advice from spring 
forums and done necessary settings:
Excerpt is:

<security:http
                entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" 
once-per-request="false">
                <security:intercept-url pattern="/index.jsp" filters="none" />
                <security:intercept-url pattern="/login.jsp" filters="none" />
                <security:intercept-url pattern="/authenticationservlet" 
filters="none"/>
                <security:intercept-url pattern="**/jsp/common/**" 
filters="none"/>
                <security:intercept-url pattern="/**/css/**" filters="none"/>
                <security:intercept-url pattern="/**/*.js" filters="none"/>
                <security:intercept-url pattern="/images/**" filters="none"/>
                <security:intercept-url pattern="/**/secure/**" access="ROLE_USER" 
/>
                <security:intercept-url pattern="/**/operations/**" 
access="ROLE_OPERATIONS"/>
                <security:intercept-url pattern="/**" 
access="IS_AUTHENTICATED_ANONYMOUSLY" />
</security:http>

Now when I forward a request from index.jsp to login.jsp then the spring 
filters are called with the login.jsp URL even though the browser shows the old 
URL.

However when from within an action method a navigation case is handled then it is not 
intercepted by the spring filters at all. However if I give a <redirect/> then 
it is properly intercepted with the correct URL as expected.

What can be the reason?

Regards,
Madhav

























					Reply via email to