2 Replies Latest reply on Nov 25, 2008 11:36 AM by marcos_aps

    Big authentication problem: not being redirected to the logi

    marcos_aps

      - JBoss 4.2.3.GA

      Hello, everybody!

      I've just noticed a big problem in the web application I'm developing. In this application I'm using the FORM authentication method as you can see below in the web.xml file:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>permitido</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>restrito</web-resource-name>
          <url-pattern>/confirmacaoreserva.jsp</url-pattern>
          <url-pattern>/confirmacaoreserva.faces</url-pattern>
          <url-pattern>/reservaconfirmada.jsp</url-pattern>
          <url-pattern>/reservaconfirmada.faces</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>ADMINISTRADOR</role-name>
          <role-name>USUARIO</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/errologin.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
        <role-name>ADMINISTRADOR</role-name>
      </security-role>
      <security-role>
        <role-name>USUARIO</role-name>
      </security-role>


      If I type in the browser's address field any of the protected pages, confirmacaoreserva.faces or reservaconfirmada.faces, the web container redirects me to the login page as expected, as I wasn't authenticated yet. Up to this point everything is working without problem. But I noticed, to my surprise, that when I click on a link in a web page like this:

      <h:commandLink value="#{msg.reservar}" action="#{materiais.reservarMaterial}">
        <f:setPropertyActionListener target="#{materiais.codigoMaterial}" value="#{material.codigo}" />
      </h:commandLink>


      // in the backing bean
      public String reservarMaterial()
      {
        // some processing...
        return "confirmacaoReserva";
      }


      <!-- in faces-config.xml -->
      <navigation-rule>
        <navigation-case>
          <from-outcome>confirmacaoReserva</from-outcome>
          <to-view-id>/confirmacaoreserva.jsp</to-view-id>
        </navigation-case>
      </navigation-rule>


      it completely bypasses the web container authentication and redirects me to the protected page (confirmacaoreserva) without asking me first to authenticate in the login page. Of course this is unacceptable. It seems like JSF is completely ignoring the security configuration defined in web.xml. As I said above, when I access the protected pages through the browser's address field, the authentication mechanism works well, redirecting me to the login page.

      So, how can I solve this? How do I fix this problem?

      Thank you.

      Marcos
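An added example, not code from the original post: the navigation case above performs a server-side forward, and the container evaluates security constraints only against the URL of the incoming request, so the forwarded view is never checked. Adding `<redirect/>` makes JSF send the browser to the protected URL as a new request, which the "restrito" constraint on /confirmacaoreserva.faces then intercepts; it is assumed here that the FacesServlet is mapped to `*.faces`.

```xml
<!-- faces-config.xml: forward vs. redirect navigation for the same outcome.
     Added example, not the original poster's file. Assumes FacesServlet is
     mapped to *.faces, so the redirect URL becomes /confirmacaoreserva.faces. -->

<!-- Weak: default navigation is a RequestDispatcher.forward(). The request URL
     stays the one the browser sent (the page holding the commandLink, which
     only matches the "permitido" constraint), so the "restrito" constraint is
     never evaluated and the protected view renders for an unauthenticated user. -->
<navigation-rule>
  <navigation-case>
    <from-outcome>confirmacaoReserva</from-outcome>
    <to-view-id>/confirmacaoreserva.jsp</to-view-id>
  </navigation-case>
</navigation-rule>

<!-- Fixed: <redirect/> makes JSF answer the POST with an HTTP 302 to
     /confirmacaoreserva.faces. The browser then issues a new GET for that URL,
     which matches the "restrito" constraint, so the container sends an
     unauthenticated user to /login.jsp and, after a successful login,
     back to the protected view. -->
<navigation-rule>
  <navigation-case>
    <from-outcome>confirmacaoReserva</from-outcome>
    <to-view-id>/confirmacaoreserva.jsp</to-view-id>
    <redirect/>
  </navigation-case>
</navigation-rule>
```

Because the redirect turns the POST into a fresh GET that the login page interrupts, request-scoped state such as the codigoMaterial set by the action listener is not available on the redirected view; keep it in session scope or pass it as a request parameter.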