Hi Martin,

Could you please explain in a bit more detail how I can fit our needs with such a filter?

We have a security server which knows the users and their roles, where <role-name>RDSstaticdatarulesrw</role-name> is a role which a user on this server could have.

P.S. GREAT to hear that tomahawk 1.1.5 is released now !!! I will directly copy it to my lib folder. Hopefully I don't have to make any changes !!!

Best regards

-----Original Message-----
From: Martin Marinschek [mailto:[EMAIL PROTECTED]
Sent: 19 April 2007 10:41
To: MyFaces Discussion
Subject: Re: Security - protect JSF pages (.xhtml) via security in web.xml -> DOES NOT WORK ?

Hi Michael,

your problem might stem from the fact that in the final phase in JSF (as with almost all other web-frameworks) a forward happens - this forward then defines the new page; and not the page address you see in the URL bar of the browser.

Generally, we do security with a filter, and use:

    <filter-mapping>
      <filter-name>MyFilter</filter-name>
      <url-pattern>/foo/bar/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

to also include forwards in the security restriction.

As I'm not using the <security-constraint> element personally, the whole thing not working might also be a misconfiguration on your side.

Alternatively, a quick google search showed that you might want to use:

    <transport-guarantee>CONFIDENTIAL</transport-guarantee>

in your <user-data-constraint> element to enforce a redirect to the final page (with a redirect, the URL-pattern changes accordingly and the security-constraint might be working again).

regards,

Martin

On 4/19/07, Zohner, Michael <[EMAIL PROTECTED]> wrote:
> Sorry, there was a small mistake:
>
> WRONG:
> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
> It has no effect.
>
> RIGHT:
> So, when I become ANOTHER USER than "RDSstaticdatarulesrw" user, I can
> see the page.
> So, all that has no effect.
>
> Regards
> Michael
>
> -----Original Message-----
> From: Zohner, Michael
> Sent: 19 April 2007 10:10
> To: MyFaces Discussion
> Subject: Security - protect JSF pages (.xhtml) via security in web.xml -> DOES NOT WORK ?
>
> Hi,
>
> I am trying to protect several pages in our jsf application (myFaces, facelets, richfaces).
>
> We have a security server where our users have specific roles.
>
> It's an https application.
>
> This is in my web.xml:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>SSL Rule Pages</web-resource-name>
>     <description />
>     <url-pattern>/rule/ruleList.xhtml</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>PUT</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description />
>     <role-name>RDSstaticdatarulesrw</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
> It has no effect.
>
> When I write <url-pattern>/rule/*</url-pattern> instead of <url-pattern>/rule/ruleList.xhtml</url-pattern>, I cannot see ANY pages. Also not the pages which are NOT in directory "rule".
>
> So, HOW can I get this working?
>
> The best would be to protect whole dirs and single pages.
>
> Best regards
> Michael
>
> ________________
> Dresdner Bank AG
> Sitz/Registered Office: Frankfurt am Main, Handelsregister/Commercial Register: Amtsgericht/Local Court, Frankfurt am Main, HRB 14000
> Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Michael Diekmann
> Vorstand/Board of Managing Directors: Herbert Walter (Vorsitzender/Chairman), Andreas Georgi, Stefan Jentzsch, Wulf Meier, Andree Moschner, Klaus Rosenfeld, Otto Steinmetz, Friedrich Woebking
>
> This e-mail is confidential and the information contained in it may be privileged. It should not be read, copied or used by anyone other than the intended recipient. If you have received it in error, please contact the sender immediately by telephoning +44 (0)20 7623 8000 or by return email, and delete the e-mail and do not disclose its contents to any person. We believe, but do not warrant, that this e-mail and any attachments are virus free, but you must take full responsibility for virus checking. Please refer to http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail disclaimer statement and monitoring policy.
> ________________

--
http://www.irian.at

Your JSF powerhouse -
JSF Consulting, Development and
Courses in English and German

Professional Support for Apache MyFaces
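An added illustration of the filter approach Martin describes, written for this page and not taken from the thread or from MyFaces: a servlet Filter mapped with both the REQUEST and FORWARD dispatchers, so the role check also runs against the page JSF forwards to rather than only the address in the browser. The class name RoleFilter, the init-param name "roles" and the /rule/* mapping are assumptions; the role name is the one used in the thread.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;
/* Hypothetical filter, not from the thread. Register it in web.xml with
 * <url-pattern>/rule/*</url-pattern> and BOTH <dispatcher>REQUEST</dispatcher>
 * and <dispatcher>FORWARD</dispatcher>, so the page JSF forwards to is checked
 * as well; the allowed roles come from an <init-param> named "roles",
 * e.g. <param-value>RDSstaticdatarulesrw</param-value>. */
public class RoleFilter implements Filter {
    private final Set<String> allowedRoles = new HashSet<String>();
    private ServletContext ctx;
    public void init(FilterConfig config) throws ServletException {
        ctx = config.getServletContext();
        // Fail closed: a missing role list is a deployment error, not "allow all".
        String roles = config.getInitParameter("roles");
        if (roles == null || roles.trim().length() == 0) {
            throw new ServletException("RoleFilter: init-param 'roles' is required");
        }
        for (String r : roles.split(",")) {
            allowedRoles.add(r.trim());
        }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.getUserPrincipal() == null) {
            // Not authenticated by the container: refuse rather than render anonymously.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!hasAllowedRole(request)) {
            // On a FORWARD dispatch getServletPath() is the forward target, i.e. the
            // page actually rendered, not the address shown in the browser's URL bar.
            ctx.log("RoleFilter: denied " + request.getRemoteUser()
                    + " -> " + request.getServletPath());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
    private boolean hasAllowedRole(HttpServletRequest request) {
        for (String role : allowedRoles) {
            if (request.isUserInRole(role)) return true;
        }
        return false;
    }
    public void destroy() { }
}
```

The filter relies on the container having already authenticated the user (getUserPrincipal() and isUserInRole() come from the container's realm), so a <login-config> is still required; what the filter adds is that the role check is repeated on the forwarded request.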

