Hi,

I am trying to protect several pages in our JSF application (MyFaces,
Facelets, RichFaces).

We have a security server where our users have specific roles.

It's an HTTPS application.

This is in my web.xml:

 <security-constraint>
  <web-resource-collection>
   <web-resource-name>SSL Rule Pages</web-resource-name>
   <description />
   <url-pattern>/rule/ruleList.xhtml</url-pattern>
   <http-method>GET</http-method>
   <http-method>PUT</http-method>
   <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
   <description />
   <role-name>RDSstaticdatarulesrw</role-name>
  </auth-constraint>
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>

So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
It has no effect.

When I write <url-pattern>/rule/*</url-pattern> instead of
<url-pattern>/rule/ruleList.xhtml</url-pattern>, I cannot see ANY pages.
Also not the pages which are NOT in directory "rule".

So, HOW can I get this working?

The best would be to protect whole dirs and single pages.

Best regards
Michael
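
As an added illustration (not part of the message above, and not code from MyFaces or any servlet container), this Python sketch models how the Servlet specification selects a security constraint from `<url-pattern>` and `<http-method>`, applied to the posted constraint and its `/rule/*` variant. The request paths and the helper names `match_rank` and `required_roles` are constructed for the example; empty auth-constraints and `transport-guarantee` are not modeled.

```python
# Added example: models Servlet-spec constraint selection; not container code.
# Paths are relative to the context root; request paths below are constructed.
ROLE = "RDSstaticdatarulesrw"
METHODS = {"GET", "PUT", "POST"}
POSTED = {"patterns": ["/rule/ruleList.xhtml"], "methods": METHODS, "roles": {ROLE}}
DIR_VARIANT = {"patterns": ["/rule/*"], "methods": METHODS, "roles": {ROLE}}

def match_rank(pattern, path):
    """Sort key if pattern matches path, else None.
    Precedence: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]
        return (1, 0) if last_segment.endswith(pattern[1:]) else None
    return (0, 0) if pattern == "/" else None

def required_roles(constraints, method, path):
    """Roles demanded for (method, path). None means the request is not
    covered by any constraint and is served without an authorization check."""
    hits = [(match_rank(p, path), c) for c in constraints for p in c["patterns"]]
    hits = [(rank, c) for rank, c in hits if rank is not None]
    if not hits:
        return None
    best = max(rank for rank, _ in hits)  # best-matching pattern is chosen first
    roles = None
    for rank, c in hits:
        # An <http-method> list limits the constraint to the listed methods.
        if rank == best and (not c["methods"] or method in c["methods"]):
            roles = (roles or set()) | c["roles"]
    return roles

if __name__ == "__main__":
    for name, cons in (("posted", [POSTED]), ("/rule/* variant", [DIR_VARIANT])):
        for method, path in (("GET", "/rule/ruleList.xhtml"),
                             ("DELETE", "/rule/ruleList.xhtml"),
                             ("GET", "/rule/other.xhtml"),
                             ("GET", "/index.xhtml")):
            print(name, method, path, "->", required_roles(cons, method, path))
```

Under these rules `/rule/*` on its own does not match `/index.xhtml`, and a method missing from the `<http-method>` list is left unconstrained for the matched pattern.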
