Announcement Announcement Module
No announcement yet.
FilterSecurityInterceptor not being called for a JSF forward Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • FilterSecurityInterceptor not being called for a JSF forward

    Hi All,

    I am using:
    icefaces- 1.8.1
    myfaces 1.1
    spring 2.5.6
    spring security 2.0.5
    application server: WAS 6.0

    I have a problem where for JSF forwards the FilterSecurityInterceptor is not been called and therefore no authentication takes place.

    Following is my web.xml
    			Spring delegating filter which will initiate the spring
    			security filter chain
    Following is my spring security application context <http> element:

    		entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" once-per-request="false">
    		<security:intercept-url pattern="/index.jsp" filters="none" />
    		<security:intercept-url pattern="/login.jsp" filters="none" />
    		<security:intercept-url pattern="/authenticationservlet" filters="none"/>
    		<security:intercept-url pattern="**/jsp/common/**" filters="none"/>
    		<security:intercept-url pattern="/**/css/**" filters="none"/>
    		<security:intercept-url pattern="/**/*.js" filters="none"/>
    		<security:intercept-url pattern="/images/**" filters="none"/>
    		<security:intercept-url pattern="/**/secure/**" access="ROLE_USER" />
    		<security:intercept-url pattern="/**/operations/**" access="ROLE_OPERATIONS"/>
    		<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    In faces-config.xml i have the following navigation case:

    If i add a <redirect/> to the above navigation case then it works and the interceptor is called, however for a forward as shown above the interceptor is not called.

    What can be the problem?


  • #2
    To add to the description, the flow is as follows:

    1. welcome page - index.jsp - redirects to login.jsp
    2. User enters credentials and POST request is sent to Siteminder for authentication
    3. SiteMinder upon successful authentication sends the control to a landingPage.jspx which is a secure page.
    4. Spring security is now called and filter chain is run. It finds the SM_USER in request and internally calls userDetailsService to fetch the user granted authorities and sets them into SecurityContextHolder.
    5. The control now comes to landingPage.jspx. There is a commanButton on that page which calls an action method in a backing bean.
    6. Once the user clicks on that button, control is transferred to the action method. The action method eventually returns an outcome.
    7. This outcome is now intercepted by the JSF navigationHandler and it picks up the next view ID to go to from face-config.xml and forwards the request to this new JSPX file.
    8. Spring security interceptor should now be invoked to intercept this forwarded URL but unfortunately it is not even getting invoked. I included the source code in my workspace and put a break point inside the class but the control never arrives there.

    If i put a <redirect/> inside the navigation case which forces the JSF navigation handler to instead issue a redirect, now the control comes inside the FilterSecurityInterceptor and does authorization.

    A solution was posted at

    but even after trying that nothing works. The interceptor is still not getting invoked.

    What can be the problem?