One of those

<url-pattern>/rule/ruleList.faces</url-pattern>
<url-pattern>/faces/rule/ruleList.xhtml</url-pattern>
<url-pattern>/faces/rule/*</url-pattern>

will most probably work better, depending on how you mapped your facelets context. If not, please provide the full web.xml so we can see where the problem is :)

PS: security constraints apply to the URL submitted by the browser, not to internal forwards that may appear as a result of a JSF navigation rule.

On 19/04/07 at 10:14, Zohner, Michael wrote:
> Sorry, there was a small mistake:
>
> WRONG:
> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
> It has no effect.
>
> RIGHT:
> So, when I become ANOTHER USER than "RDSstaticdatarulesrw" user, I can
> see the page.
> So, all that has no effect.
>
>
> Regards
> Michael
>
>
> -----Original Message-----
> From: Zohner, Michael
> Sent: 19 April 2007 10:10
> To: MyFaces Discussion
> Subject: Security - protect JSF pages (.xhtml) via security in web.xml
> -> DOES NOT WORK ?
>
> Hi,
>
> I am trying to protect several pages in our jsf application (myFaces,
> facelets, richfaces).
>
> We have a security server where our users have specific roles.
>
> It's an https application.
>
> This is in my web.xml:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>SSL Rule Pages</web-resource-name>
>     <description />
>     <url-pattern>/rule/ruleList.xhtml</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>PUT</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description />
>     <role-name>RDSstaticdatarulesrw</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
> It has no effect.
>
> When I write <url-pattern>/rule/*</url-pattern> instead of
> <url-pattern>/rule/ruleList.xhtml</url-pattern>, I cannot see ANY pages.
> Also not the pages which are NOT in directory "rule".
>
> So, HOW can I get this working?
>
> The best would be to protect whole dirs and single pages.
>
> Best regards
> Michael
>
>
> ________________
> Dresdner Bank AG
> Sitz/Registered Office: Frankfurt am Main, Handelsregister/Commercial
> Register: Amtsgericht/Local Court, Frankfurt am Main, HRB 14000
> Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board:
> Michael Diekmann Vorstand/Board of Managing Directors: Herbert Walter
> (Vorsitzender/Chairman), Andreas Georgi, Stefan Jentzsch, Wulf Meier,
> Andree Moschner, Klaus Rosenfeld, Otto Steinmetz, Friedrich Woebking
>
> This e-mail is confidential and the information contained in it may be
> privileged. It should not be read, copied or used by anyone other than
> the intended recipient. If you have received it in error, please
> contact the sender immediately by telephoning +44 (0)20 7623 8000 or by
> return email, and delete the e-mail and do not disclose its contents to
> any person. We believe, but do not warrant, that this e-mail and any
> attachments are virus free, but you must take full responsibility for
> virus checking. Please refer to
> http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail
> disclaimer statement and monitoring policy.
> ________________
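
Added example, not part of the original thread: a small checker showing which browser requests a `<security-constraint>` covers, using the Servlet spec's url-pattern rules (exact, path prefix, extension, default). The names `Constraint`, `pattern_matches`, `covers` and `uncovered` are hypothetical, the request list is constructed from the URL shapes named in the reply, paths are relative to the context root, and modelling `<http-method>` goes slightly beyond what the thread discusses.

```python
# Added example: which requests does a web.xml security constraint cover?
from dataclasses import dataclass

@dataclass(frozen=True)
class Constraint:
    url_patterns: tuple
    http_methods: tuple = ()   # no <http-method> elements: all methods covered

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching against a context-relative path."""
    if pattern == "/":                                   # default mapping
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):   # path prefix
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                         # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern                               # exact match only

def covers(constraint, method, path):
    # A constraint that lists methods applies only to the listed ones.
    if constraint.http_methods and method not in constraint.http_methods:
        return False
    return any(pattern_matches(p, path) for p in constraint.url_patterns)

def uncovered(constraint, requests):
    """Requests the container would serve without applying this constraint."""
    return [(m, p) for m, p in requests if not covers(constraint, m, p)]

# Constructed sample: the same view reached through different Faces mappings.
REQUESTS = [
    ("GET", "/rule/ruleList.xhtml"),        # view file path, as in the question
    ("GET", "/rule/ruleList.faces"),        # extension-mapped URL
    ("GET", "/faces/rule/ruleList.xhtml"),  # prefix-mapped URL
    ("HEAD", "/rule/ruleList.xhtml"),       # method not listed in the constraint
]
METHODS = ("GET", "PUT", "POST")
ORIGINAL = Constraint(("/rule/ruleList.xhtml",), METHODS)
SUGGESTED = Constraint(("/rule/ruleList.faces",
                        "/faces/rule/ruleList.xhtml",
                        "/faces/rule/*"), METHODS)

if __name__ == "__main__":
    for name, c in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "leaves uncovered:", uncovered(c, REQUESTS))
```

Run it against the URLs your FacesServlet mapping actually produces; whatever shows up as uncovered is served without the role check.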

