EAP 6.1 JSF2+Servlet+Form based login breaks security
mp911de Jul 30, 2013 6:50 AM

Hi there,
I noticed today that as soon as I use JSF2 pages (xhtml) for form-based login and try to access a servlet through JSF2, security is ignored for the servlet behind it.
One of the servlets (every servlet is affected):
@WebServlet(urlPatterns = { "/init" })
public class ContextInitServlet extends HttpServlet {
    // ...
}
web.xml:

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected-resources</web-resource-name>
        <url-pattern>/ui/*</url-pattern>
        <url-pattern>/faces/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO</realm-name>
    <form-login-config>
        <form-login-page>/login/login.xhtml</form-login-page>
        <form-error-page>/login/error.xhtml</form-error-page>
    </form-login-config>
</login-config>
GET http://localhost:8080/myapp/faces/init
leads to a successful request without any authentication. Any servlet within my app can be accessed that way.
Currently my workaround is

if (SecurityContextAssociation.getSubject() == null) {
    FacesContext.getCurrentInstance().getApplication().getNavigationHandler()
        .handleNavigation(FacesContext.getCurrentInstance(), "", "/login/login.xhtml");
    return;
}

within the servlet.
Is this a JBoss Web issue or is this a Mojarra problem?
Used Software:
- JBoss AS 7.2 (EAP 6.1)
- Bundled Mojarra 2.1.19-redhat-1
- RichFaces 4.3.3.Final
- SPNEGO (Kerberos SSO) 2.2.5.Final-redhat-1
Thanks and best regards,
Mark
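A defence-in-depth alternative to the in-servlet workaround in the post, added here as an example and not code from the original post, JBoss Web or Mojarra: a servlet filter that enforces container authentication on every dispatch type, so a servlet reached via the Faces Servlet is checked the same way as one hit directly. The filter name, the public path prefixes and the redirect target are assumptions.

```java
import java.io.IOException;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Registered for REQUEST, FORWARD, INCLUDE and ERROR dispatches, so the check
// does not depend on the route a request took to reach the target servlet.
@WebFilter(urlPatterns = "/*",
           dispatcherTypes = { DispatcherType.REQUEST, DispatcherType.FORWARD,
                               DispatcherType.INCLUDE, DispatcherType.ERROR })
public class AuthenticatedOnlyFilter implements Filter {

    // Assumed public prefixes: the login/error pages and JSF resource requests.
    private static final String[] PUBLIC_PREFIXES = {
        "/login/", "/javax.faces.resource/", "/faces/javax.faces.resource/"
    };

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Path relative to the context root, taken from the container, not the client.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        for (String prefix : PUBLIC_PREFIXES) {
            if (path.startsWith(prefix)) {
                chain.doFilter(request, response);
                return;
            }
        }

        // Container-managed login (FORM or SPNEGO) populates getUserPrincipal();
        // null means this request was never authenticated, whatever its dispatch type.
        if (req.getUserPrincipal() == null) {
            resp.sendRedirect(req.getContextPath() + "/login/login.xhtml");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

This only checks that the caller is authenticated, matching the `<role-name>*</role-name>` constraint in the web.xml above; if specific roles are required, test them with `req.isUserInRole(...)` before calling the chain.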