[jboss-user] [Security & JAAS/JBoss] - Big authentication problem: not being redirected to the logi

Marcos_APS do-not-reply at jboss.com
Mon Nov 10 11:29:25 EST 2008


- JBoss 4.2.3.GA

Hello, everybody!

I've just noticed a big problem in the web application I'm developing. In this application I'm using the FORM authentication method as you can see below in the web.xml file:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>permitido</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restrito</web-resource-name>
      <url-pattern>/confirmacaoreserva.jsp</url-pattern>
      <url-pattern>/confirmacaoreserva.faces</url-pattern>
      <url-pattern>/reservaconfirmada.jsp</url-pattern>
      <url-pattern>/reservaconfirmada.faces</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMINISTRADOR</role-name>
      <role-name>USUARIO</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/errologin.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>ADMINISTRADOR</role-name>
  </security-role>
  <security-role>
    <role-name>USUARIO</role-name>
  </security-role>

If I type in the browser's address field any of the protected pages,
confirmacaoreserva.faces or reservaconfirmada.faces, the web container redirects me to the login page as expected, as I wasn't authenticated yet. Up to this point everything is working without problem. But I noticed, to my surprise, that when I click on a link in a web page like this:

  <h:commandLink value="#{msg.reservar}" action="#{materiais.reservarMaterial}">
    <f:setPropertyActionListener target="#{materiais.codigoMaterial}" value="#{material.codigo}" />
  </h:commandLink>

  // in the backing bean
  public String reservarMaterial()
  {
      // some processing...
      return "confirmacaoReserva";
  }

  <!-- in faces-config.xml -->
  <navigation-rule>
    <navigation-case>
      <from-outcome>confirmacaoReserva</from-outcome>
      <to-view-id>/confirmacaoreserva.jsp</to-view-id>
    </navigation-case>
  </navigation-rule>

it completely bypasses the web container authentication and takes me to the protected page (confirmacaoreserva) without asking me first to authenticate in the login page. Of course this is unacceptable. It seems like JSF is completely ignoring the security configuration defined in web.xml. As I said above, when I access the protected pages through the browser's address field, the authentication mechanism works well, redirecting me to the login page.

So, how can I solve this? How do I fix this problem?

Thank you.

Marcos

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4188183#4188183

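Added example, not from the original post or from the JBoss project: the navigation rule from the post rewritten with <redirect/>. A servlet container evaluates <security-constraint> only on requests that arrive from the client; when JSF renders confirmacaoreserva.jsp inside the POST to the unprotected page that holds the commandLink (a forward, not a new request), the "restrito" constraint is never consulted. With <redirect/> JSF answers the POST with an HTTP redirect, and the browser's follow-up GET of /confirmacaoreserva.faces is a fresh client request that the container checks, sending an unauthenticated user to /login.jsp. It assumes the *.faces mapping and file names used in the post.

```xml
<!-- faces-config.xml -->

<!-- Weak rule (as posted): the protected view is rendered within the
     POST to an unprotected page, so web.xml's auth-constraint never runs. -->
<navigation-rule>
  <navigation-case>
    <from-outcome>confirmacaoReserva</from-outcome>
    <to-view-id>/confirmacaoreserva.jsp</to-view-id>
  </navigation-case>
</navigation-rule>

<!-- Hardened rule: <redirect/> makes JSF send a 302 to
     /confirmacaoreserva.faces; the browser's new GET is a client request,
     so the container applies the "restrito" constraint and redirects an
     unauthenticated user to the FORM login page before serving it. -->
<navigation-rule>
  <navigation-case>
    <from-outcome>confirmacaoReserva</from-outcome>
    <to-view-id>/confirmacaoreserva.jsp</to-view-id>
    <redirect/>
  </navigation-case>
</navigation-rule>
```

A redirect starts a new request, so request-scoped bean state (such as codigoMaterial) must be kept in session scope or re-read on the confirmation page. As defence in depth, the action method can also check ExternalContext.getRemoteUser() or isUserInRole() before returning the outcome, since URL-pattern constraints never see an internal forward.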