Wrong redirect after logging in (Java EE w/ JSF)


I'm developing a web application in Java EE with JSF. The pages are secured from viewing by an authentication form with action 'j_security_check' and inputs 'j_username' and 'j_password'.

After a successful log in, however, I'm redirected not to the page I wanted to access but to this URL:

/faces/javax.faces.resource/jsf.js?ln=javax.faces&stage=development 

So I'm looking at the script file jsf.js with JS code instead of the page I wanted to view. It doesn't matter if I access the web root or another page, I'm being redirected to this URL every time. When I change the URL to a page, it loads fine and I'm logged in.

I have had this problem, and it magically went away and redirected me correctly. After a few weeks it got broken again; I don't know if it's my fault, and if it is, I don't know the cause. I wasn't messing with redirect or navigational rules at all.

It's good to mention that I'm using PrettyFaces.

Edit:

<security-constraint>
    <display-name>secured</display-name>
    <web-resource-collection>
        <web-resource-name>all</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>admin</role-name>
        <role-name>teacher</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>secured admins</display-name>
    <web-resource-collection>
        <web-resource-name>admin pages</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>unsecured</display-name>
    <web-resource-collection>
        <web-resource-name>css</web-resource-name>
        <description/>
        <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>js</web-resource-name>
        <description/>
        <url-pattern>/js/*</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>img</web-resource-name>
        <description/>
        <url-pattern>/img/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>wetk-security</realm-name>
    <form-login-config>
        <form-login-page>/faces/login.xhtml</form-login-page>
        <form-error-page>/faces/login.xhtml</form-error-page>
    </form-login-config>
</login-config>

The container managed security will redirect to the last HTTP request which triggered the authentication check. In your case it's apparently the auto-included JSF ajax API JavaScript file. This can happen if the browser has loaded the to-be-authenticated page from the browser cache, while the browser has loaded the JS file from the server side, or has tested the cache validity of the JavaScript file by a conditional request.

You'd like to exclude the JSF resources (<h:outputScript>, <h:outputStylesheet> and <h:graphicImage>) from authentication checks. You can do that by excluding the common URL pattern /javax.faces.resource/*. You may want to add the /faces prefix to the pattern, as you're apparently using it instead of the *.xhtml suffix pattern.

You also need to instruct the browser to not cache restricted pages, to prevent the browser from loading them from the cache (e.g. by pressing the back button after logout). Map the following filter on the same URL pattern as the one of your <security-constraint>.

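import java.io.IOException;

import javax.faces.application.ResourceHandler;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/secured/*") // Use the same URL pattern as <security-constraint>
public class NoCacheFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) request;
        HttpServletResponse httpRes = (HttpServletResponse) response;

        if (!httpReq.getRequestURI().startsWith(httpReq.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) { // Skip JSF resources (CSS/JS/images/etc)
            httpRes.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
            httpRes.setHeader("Pragma", "no-cache"); // HTTP 1.0.
            httpRes.setDateHeader("Expires", 0); // Proxies.
        }

        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig config) throws ServletException {}

    @Override
    public void destroy() {}
}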
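The resource exclusion described in the answer could look like the following web.xml fragment. This is an added example, not part of the original question or answer; the display-name and web-resource-name values are made up for illustration.

```xml
<!-- Added example: goes inside <web-app>, next to the existing <security-constraint> entries. -->
<security-constraint>
    <!-- display-name and web-resource-name are illustrative labels, not values from the page. -->
    <display-name>unsecured jsf resources</display-name>
    <web-resource-collection>
        <web-resource-name>jsf resources</web-resource-name>
        <description/>
        <!-- Covers the URL from the question: /faces/javax.faces.resource/jsf.js -->
        <url-pattern>/faces/javax.faces.resource/*</url-pattern>
        <!-- Covers the same resources when they are requested without the /faces prefix. -->
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!--
        No <auth-constraint> here, so the container serves these URLs without
        authentication. The longer path pattern is a better match than /*, the same
        way the question's "unsecured" constraint opens /css/*, /js/* and /img/*.
        A request for jsf.js then no longer triggers the login form and cannot
        become the post-login redirect target.
    -->
</security-constraint>
```

Everything served through the JSF resource handler becomes readable without logging in, so only static assets (scripts, stylesheets, images) should be placed there.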
