
I have the following web.xml file. I kept the welcome page inside the security constraint so that it would redirect to the login page, but the welcome page is displayed without the user logging in. Is this the correct way?

<welcome-file-list>
    <welcome-file>/GISPages/welcome.xhtml</welcome-file>
</welcome-file-list>

<resource-ref>
    <res-ref-name>jdbc/Gis_WebApp</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
</resource-ref>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Pages</web-resource-name>
        <url-pattern>/GISPages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>registereduser</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Live</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/noauth.xhtml</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>registereduser</role-name>
</security-role>

<security-role>
    <role-name>admin</role-name>
</security-role>
kinkajou
  • Under the `web-resource-collection` tag you have a duplicate entry for `url-pattern`. This may be the cause of the problem. Where is the rest of the file? – maple_shaft Feb 24 '12 at 12:14
  • @maple_shaft Removed those, but still the same problem. Well, I have added the image file. – kinkajou Feb 24 '12 at 13:57
  • Just compared it to my configuration. Only difference is that login.xhtml and error.xhtml are also in the protected folder and not outside. Just a guess. – Matt Handy Feb 24 '12 at 14:29
  • @MattHandy No difference kept it inside protected folders too – kinkajou Feb 26 '12 at 02:11
  • Which server is it? A folder in the welcome file path is by the way somewhat strange. Although most servers will accept it, the welcome file is initially supposed to be the sole filename/extension of the file which the server should display when a folder is requested, regardless of the requested folder itself. You should actually have `welcome.xhtml` as welcome file and somehow perform a redirect from the one in the root folder to the other in the desired folder by a filter or a managed bean (post)constructor. – BalusC Feb 27 '12 at 14:19
  • (continued) Give changing the `` setting a try. If that fixes the problem, then it would be a security bug in the server make/version used. Try if necessary different makes/versions to exclude the one and other and finally report it to the server's development team. – BalusC Feb 27 '12 at 14:22
  • @BalusC I am using Tomcat 7. It displays the login page if I put everything under the security constraint, i.e. "/*" – kinkajou Feb 28 '12 at 05:25
  • It shows a random URL like *localhost/j_securitycheck* or **http://localhost:7070/NCellLive/rfRes/skinning.ecss.xhtml;jsessionid=E3958E0C42DF25910F1E618D96348505?db=eAE78Y1hMgAGmQJS** – kinkajou Feb 28 '12 at 05:31
  • Your welcome page is /welcome.xhtml, add /welcome.xhtml – Ventsislav Marinov May 14 '12 at 09:31
  • In my web.xml I don't have a leading / for welcome-file, as BalusC said, but it is needed in the url-pattern. – Oversteer May 23 '12 at 10:34

1 Answer

Security constraints protect a URL pattern, but in this case, due to the welcome-file setting, your default URL will change to something like http://:port/webcontext/ and welcome.xhtml will be displayed. Whereas, as per the URL pattern defined, a protected URL should look like http://:port/webcontext/GISPages/welcome.xhtml. Since the URL pattern did not match, the application server rendered the page content.

The only solution which worked for me is to check the UserPrincipal in a prerender event

<f:event type="preRenderComponent" listener="#{bean.forwardToLoginIfNotLoggedIn}" />

and redirect to login.xhtml if UserPrincipal returns null.

Apologies for opening an old thread. I recently faced a similar issue, hence I thought this might be useful to some.

ad-inf
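The answer above names the listener `#{bean.forwardToLoginIfNotLoggedIn}` but does not show the bean behind it. The following is an added example, not code from the poster: a JSF 2 request-scoped managed bean that implements that check. The bean name `bean` and the method name are assumed from the `f:event` snippet, and the login path matches the `form-login-page` in the question's web.xml.

```java
import java.io.IOException;
import java.security.Principal;

import javax.faces.FacesException;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.ComponentSystemEvent;

// Assumed names: the f:event in the answer refers to #{bean.forwardToLoginIfNotLoggedIn}.
@ManagedBean(name = "bean")
@RequestScoped
public class Bean {

    // Runs before the view renders (wired via <f:event type="preRenderComponent" ...>).
    public void forwardToLoginIfNotLoggedIn(ComponentSystemEvent event) {
        FacesContext context = FacesContext.getCurrentInstance();
        ExternalContext external = context.getExternalContext();

        // The container only populates the principal after a successful FORM login.
        // A welcome-file forward that never hit the security constraint leaves it null.
        Principal user = external.getUserPrincipal();
        if (user != null) {
            return;
        }

        // Redirect (not forward) so the browser lands on /login.xhtml, the
        // form-login-page from web.xml, and the container's j_security_check
        // flow handles the credentials from there.
        try {
            external.redirect(external.getRequestContextPath() + "/login.xhtml");
        } catch (IOException e) {
            throw new FacesException("Redirect to login page failed", e);
        }
        // Stop JSF from rendering the protected view after the redirect is issued.
        context.responseComplete();
    }
}
```

Treat this check as a fallback in the view layer, not a replacement for the container constraint: the page is still only as protected as the `url-pattern` that the welcome-file forward actually matches.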