When using Tomcat, the following is what happens:
* Tomcat checks the URL and detects that a security constraint is violated. This check occurs *before* any filters are run.
* Tomcat immediately performs an internal forward to the URL specified in the form-login-page.
* Your version of that page apparently contains a JSF tag that needs help from the ExtensionsFilter. The tag therefore checks whether the ExtensionsFilter has run, finds it has not, and so throws an exception.

I believe that at least some other servlet containers use HTTP REDIRECT to send the user to the login page rather than an internal forward. This seems more sensible to me for a number of reasons. However Tomcat has no option to do this.

It might be possible to force the ExtensionsFilter to run by defining an additional filter-mapping like:
  <filter-mapping>
    <filter-name>extensionsFilter</filter-name>
    <url-pattern>/login.jsf</url-pattern>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
which will run the filter on a forward.

Does your login page really need to be a JSF page (ie contain JSF tags)? It might be easier to just implement it as a normal JSP page.

Regards,

Simon
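Putting the extra FORWARD mapping together with the constraint and login-config from the question, here is a complete web.xml as an added example; it is not code from either message or from the MyFaces project. It assumes Tomahawk's org.apache.myfaces.webapp.filter.ExtensionsFilter, a FacesServlet mapped to *.jsf, and JSP files as the view source behind the *.jsf URLs. The two hardening changes relative to the posted config (no <http-method> list, and a deny-all constraint on *.jsp) are additions of this example and are marked as such in the comments.

```xml
<!-- Added example, not code from either message or from the MyFaces project.
     Assumes Tomahawk's ExtensionsFilter, a FacesServlet mapped to *.jsf, and
     JSP files as the JSF view source. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <filter>
    <filter-name>extensionsFilter</filter-name>
    <filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>
  </filter>

  <!-- Normal mapping. With no <dispatcher> element a mapping applies to
       REQUEST only, so it is skipped when the container forwards internally
       to the form-login-page; that is why the tag on the login page fails. -->
  <filter-mapping>
    <filter-name>extensionsFilter</filter-name>
    <url-pattern>*.jsf</url-pattern>
  </filter-mapping>

  <!-- Extra mappings so the filter also runs on the container's internal
       FORWARD to the login page and to the error page. -->
  <filter-mapping>
    <filter-name>extensionsFilter</filter-name>
    <url-pattern>/login.jsf</url-pattern>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>extensionsFilter</filter-name>
    <url-pattern>/invlevelpage.jsf</url-pattern>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>

  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSF pages</web-resource-name>
      <url-pattern>*.jsf</url-pattern>
      <!-- Hardening change: no <http-method> elements, so the constraint
           covers every method. Listing only GET and POST would leave HEAD,
           PUT, DELETE, OPTIONS and any other method unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Hardening addition: with suffix mapping the view source lives in *.jsp,
       which the *.jsf constraint does not cover. An empty <auth-constraint/>
       denies direct client requests to the JSP files to everyone; the
       FacesServlet still reaches them through its internal dispatch, which
       is not subject to security constraints. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Raw JSP sources</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsf</form-login-page>
      <form-error-page>/invlevelpage.jsf</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

Two things to keep in mind when checking a config like this: security constraints are evaluated only against the URI the client requested, never against the target of an internal forward or include, which is both why the container's forward to /login.jsf works and why the *.jsp deny-all constraint does not break the FacesServlet; and a <filter-mapping> that names no <dispatcher> defaults to REQUEST, so every page the container reaches by FORWARD needs its own mapping (or a mapping that lists both REQUEST and FORWARD) before filter-dependent tags on it will work.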

Francesco Consumi wrote:

Hi all,

I'm currently managing security in my webapps with a session bean holding user data, and at the top of every page something similar to:
<%-- send anyone without a valid session user to the login page --%>
<c:if test="${!ub.currentUser.isValid}">
   <c:redirect url="login.jsf"/>
</c:if>


Now I'd like to use something more modern, and I'm investigating securityContext and the <security-constraint> tags.

I created a web.xml section as follows:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSF pages</web-resource-name>
      <url-pattern>*.jsf</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>desc</description>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsf</form-login-page>
      <form-error-page>/invlevelpage.jsf</form-error-page>
    </form-login-config>
  </login-config>

But it doesn't work. I get an empty page and the following error:
javax.servlet.ServletException: ExtensionsFilter not correctly configured. JSF mapping missing. JSF pages not covered. Please see: http://myfaces.apache.org/tomahawk/extensionsFilter.html


Obviously, extensionFilter is already defined since the application exists. :-)

What am I doing wrong? And, a more general question: is this the right way to apply security to a webapp?

thanks to all,

--Francesco Consumi
Ufficio Sistemi informativi
Istituto degli Innocenti
Piazza SS.Annunziata, 12
50122 Firenze
consumi at istitutodeglinnocenti.it
Tel. +39 055 2037320
ICQ# 12516133

