Hi, I dont know if I really understood Martins proposal.
We have to use the scurity constraint I think. Here is the web.xml: <?xml version="1.0" encoding="UTF-8"?> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";> <description>Data Staging area for Static data</description> <display-name>App</display-name> <filter> <display-name>Ajax4jsf Filter</display-name> <filter-name>ajax4jsf</filter-name> <filter-class>org.ajax4jsf.FastFilter</filter-class> </filter> <!-- Tomahawk stuff --> <filter> <filter-name>extensionsFilter</filter-name> <!-- Old: org.apache.myfaces.component.html.util.ExtensionsFilter --> <filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class> <init-param> <description></description> <param-name>maxFileSize</param-name> <param-value>2m</param-value> </init-param> <init-param> <param-name>uploadThresholdSize</param-name> <param-value>100k</param-value> </init-param> </filter> <filter-mapping> <filter-name>ajax4jsf</filter-name> <servlet-name>faces</servlet-name> <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> <dispatcher>INCLUDE</dispatcher> </filter-mapping> <filter-mapping> <filter-name>extensionsFilter</filter-name> <servlet-name>faces</servlet-name> </filter-mapping> <filter-mapping> <filter-name>extensionsFilter</filter-name> <url-pattern>/faces/myFacesExtensionResource/*</url-pattern> </filter-mapping> <context-param> <description></description> <param-name>javax.faces.CONFIG_FILES</param-name> <param-value> /WEB-INF/faces-beans.xml,/WEB-INF/faces-nav.xml </param-value> </context-param> <context-param> <description></description> <param-name>javax.faces.STATE_SAVING_METHOD</param-name> <param-value>server</param-value> </context-param> <!-- IMPORTANT for ajax4jsf --> <context-param> <param-name>org.ajax4jsf.VIEW_HANDLERS</param-name> <param-value>com.sun.facelets.FaceletViewHandler</param-value> </context-param> <!-- Use Documents Saved as *.xhtml --> <context-param> <param-name>javax.faces.DEFAULT_SUFFIX</param-name> <param-value>.xhtml</param-value> </context-param> <context-param> <param-name>facelets.REFRESH_PERIOD</param-name> <param-value>2</param-value> </context-param> <context-param> <param-name>facelets.DEVELOPMENT</param-name> <param-value>true</param-value> </context-param> <context-param> <param-name>com.sun.faces.validateXml</param-name> <param-value>true</param-value> </context-param> <context-param> <param-name>com.sun.faces.verifyObjects</param-name> <param-value>true</param-value> </context-param> <context-param> <param-name>org.ajax4jsf.SKIN</param-name> <param-value>dkib</param-value> </context-param> <context-param> <param-name>facelets.LIBRARIES</param-name> <param-value> /WEB-INF/taglib/tomahawk.taglib.xml;/WEB-INF/taglib/facestrace.taglib.xml </param-value> </context-param> <context-param> <description></description> <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name> <param-value>true</param-value> </context-param> <context-param> <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name> <param-value>false</param-value> </context-param> <context-param> <description></description> <param-name>org.apache.myfaces.PRETTY_HTML</param-name> <param-value>true</param-value> </context-param> <context-param> <description></description> <param-name>org.apache.myfaces.AUTO_SCROLL</param-name> <param-value>true</param-value> </context-param> <context-param> <param-name>org.apache.myfaces.COMPRESS_STATE_IN_SESSION</param-name> <param-value>false</param-value> </context-param> <context-param> <param-name>org.apache.myfaces.CHECK_EXTENSIONS_FILTER</param-name> <param-value>false</param-value> </context-param> <servlet> <servlet-name>faces</servlet-name> <servlet-class>javax.faces.webapp.FacesServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet> <servlet-name>jsp</servlet-name> <servlet-class> org.apache.jasper.servlet.JspServlet </servlet-class> <init-param> <param-name>keepgenerated</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>logVerbosityLevel</param-name> <param-value>FATAL</param-value> </init-param> <init-param> <param-name>classdebuginfo</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>enablePooling</param-name> <param-value>false</param-value> </init-param> <load-on-startup>0</load-on-startup> </servlet> <servlet> <servlet-name>JspRedirector</servlet-name> <jsp-file>/test/jspRedirector.jsp</jsp-file> </servlet> <!-- Faces Servlet Mapping extension mapping --> <servlet-mapping> <servlet-name>faces</servlet-name> <url-pattern>*.jsf</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>faces</servlet-name> <url-pattern>*.faces</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>JspRedirector</servlet-name> <url-pattern>/JspRedirector</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jspf</url-pattern> </servlet-mapping> <session-config> <session-timeout>600</session-timeout> </session-config> <!-- Welcome files --> <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.jsp</welcome-file> <welcome-file>/jsf/index.jsf</welcome-file> </welcome-file-list> <error-page> <error-code>401</error-code> <location>/Http401Unauthorized</location> </error-page> <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/ErrorCtrl</location> </error-page> <jsp-config> <taglib> <taglib-uri>jstl-sql-rt.tld</taglib-uri> <taglib-location>/WEB-INF/taglib/jstl-sql-rt.tld</taglib-location> </taglib> <taglib> <taglib-uri>jstl-fmt.tld</taglib-uri> <taglib-location>/WEB-INF/taglib/jstl-fmt.tld</taglib-location> </taglib> <taglib> <taglib-uri>jstl-core.tld</taglib-uri> <taglib-location>/WEB-INF/taglib/jstl-core.tld</taglib-location> </taglib> </jsp-config> <security-constraint> <web-resource-collection> <web-resource-name>SSL Scheduler Pages</web-resource-name> <description /> <url-pattern>/scheduler/schedulerManager.xhtml</url-pattern> <http-method>GET</http-method> <http-method>PUT</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <description /> <role-name>RDSstaticdatadeveloper</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>SSL Rule Pages</web-resource-name> <description /> <url-pattern>/rule/ruleList.xhtml</url-pattern> <http-method>GET</http-method> <http-method>PUT</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <description /> <role-name>RDSstaticdatarulesrw</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>CLIENT-CERT</auth-method> <realm-name>gds</realm-name> </login-config> <security-role> <description>developer role - access to developer areas</description> <role-name>RDSstaticdatadeveloper</role-name> </security-role> <security-role> <description>user who have permissions to maintain the rule defintions</description> <role-name>RDSstaticdatarulesrw</role-name> </security-role> </web-app> Thanks a lot ! -----Original Message----- From: David Delbecq [mailto:[EMAIL PROTECTED] Sent: 19 April 2007 10:49 To: MyFaces Discussion Subject: Re: Security - protect JSF pages (.xhtml) via security in web.xml -> DOES NOT WORK ? One of those <url-pattern>/rule/ruleList.faces</url-pattern> <url-pattern>/faces/rule/ruleList.xhtml</url-pattern> <url-pattern>/faces/rule/*</url-pattern> will most probably work better, depending on how you mapped your facelets context. If not, please provide full web.xml so we can see where problem is :) PS: security contraints apply to url submitted by browser, not internal forwards that may appear as a result of JSF navigation rule. En l'instant précis du 19/04/07 10:14, Zohner, Michael s'exprimait en ces termes: > Sorry, there was a small mistake: > > WRONG: > So, when I become an "RDSstaticdatarulesrw" user, I can see the page. > It has no effect. > > RIGHT: > So, when I become ANOTHER USER than "RDSstaticdatarulesrw" user, I can > see the page. > So, all that has no effect. > > > Regards > Michael > > > -----Original Message----- > From: Zohner, Michael > Sent: 19 April 2007 10:10 > To: MyFaces Discussion > Subject: Security - protect JSF pages (.xhtml) via security in web.xml > -> DOES NOT WORK ? > > Hi, > > I am trying to protect several pages in our jsf application (myFaces, > facelets, richfaces). > > We have a security server where our users have specific roles. > > Its an https application. > > This is in my web.xml: > > <security-constraint> > <web-resource-collection> > <web-resource-name>SSL Rule Pages</web-resource-name> > <description /> > <url-pattern>/rule/ruleList.xhtml</url-pattern> > <http-method>GET</http-method> > <http-method>PUT</http-method> > <http-method>POST</http-method> > </web-resource-collection> > <auth-constraint> > <description /> > <role-name>RDSstaticdatarulesrw</role-name> > </auth-constraint> > <user-data-constraint> > <transport-guarantee>CONFIDENTIAL</transport-guarantee> > </user-data-constraint> > </security-constraint> > > So, when I become an "RDSstaticdatarulesrw" user, I can see the page. > It has no effect. > > When I write <url-pattern>/rule/*</url-pattern> instead of > <url-pattern>/rule/ruleList.xhtml</url-pattern>, I cannot see ANY pages. > Also not the pages which are NOT in directory "rule". > > So, HOW can I get this working ? > > The best would be to protect whole dirs and single pages. > > Best regards > Michael > > > ________________ > Dresdner Bank AG > Sitz/Registered Office: Frankfurt am Main, Handelsregister/Commercial > Register: Amtsgericht/Local Court, Frankfurt am Main, HRB 14000 > Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: > Michael Diekmann Vorstand/Board of Managing Directors: Herbert Walter > (Vorsitzender/Chairman), Andreas Georgi, Stefan Jentzsch, Wulf Meier, > Andree Moschner, Klaus Rosenfeld, Otto Steinmetz, Friedrich Woebking > > This e-mail is confidential and the information contained in it may be > privileged. It should not be read, copied or used by anyone other > than the intended recipient. If you have received it in error, please > contact the sender immediately by telephoning +44 (0)20 7623 8000 or > by return email, and delete the e-mail and do not disclose its > contents to any person. We believe, but do not warrant, that this > e-mail and any attachments are virus free, but you must take full > responsibility for virus checking. Please refer to > http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail > disclaimer statement and monitoring policy. > ________________ > > > ________________ > Dresdner Bank AG > Sitz/Registered Office: Frankfurt am Main, Handelsregister/Commercial > Register: Amtsgericht/Local Court, Frankfurt am Main, HRB 14000 > Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: > Michael Diekmann Vorstand/Board of Managing Directors: Herbert Walter > (Vorsitzender/Chairman), Andreas Georgi, Stefan Jentzsch, Wulf Meier, > Andree Moschner, Klaus Rosenfeld, Otto Steinmetz, Friedrich Woebking > > This e-mail is confidential and the information contained in it may be > privileged. It should not be read, copied or used by anyone other than the > intended recipient. If you have received it in error, please contact the > sender immediately by telephoning +44 (0)20 7623 8000 or by return email, and > delete the e-mail and do not disclose its contents to any person. We > believe, but do not warrant, that this e-mail and any attachments are virus > free, but you must take full responsibility for virus checking. Please refer > to http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail > disclaimer statement and monitoring policy. > ________________ > > ________________ Dresdner Bank AG Sitz/Registered Office: Frankfurt am Main, Handelsregister/Commercial Register: Amtsgericht/Local Court, Frankfurt am Main, HRB 14000 Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Michael Diekmann Vorstand/Board of Managing Directors: Herbert Walter (Vorsitzender/Chairman), Andreas Georgi, Stefan Jentzsch, Wulf Meier, Andree Moschner, Klaus Rosenfeld, Otto Steinmetz, Friedrich Woebking This e-mail is confidential and the information contained in it may be privileged. It should not be read, copied or used by anyone other than the intended recipient. If you have received it in error, please contact the sender immediately by telephoning +44 (0)20 7623 8000 or by return email, and delete the e-mail and do not disclose its contents to any person. We believe, but do not warrant, that this e-mail and any attachments are virus free, but you must take full responsibility for virus checking. Please refer to http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail disclaimer statement and monitoring policy. ________________
