Your security constraint's url-pattern
 <url-pattern>/rule/ruleList.xhtml</url-pattern>

only prevents unauthorized users from pointing their browser at
http://server/yourWebapp/rule/ruleList.xhtml

It does not prevent them from pointing their browser at
http://server/yourWebapp/rule/ruleList.faces or
http://server/yourWebapp/rule/ruleList.jsf
because your web.xml maps the Faces servlet to *.jsf and *.faces, so the same view is reachable through URLs that the constraint never matches.

You probably want url-patterns for .faces and .jsf instead of .xhtml; a security constraint is matched against the URL the browser submits, so every mapping that reaches the page has to be covered (or cover the directory with /rule/*). Keeping the .xhtml pattern as well does no harm and also protects the raw template if the container would otherwise serve it. Note also that listing <http-method>GET/PUT/POST</http-method> limits the constraint to those three methods and leaves all other methods unconstrained; omit the <http-method> elements entirely if the constraint should apply to every method.


En l'instant précis du 19/04/07 10:52, Zohner, Michael s'exprimait en
ces termes:
> Hi,
>
> I don't know if I really understood Martin's proposal.
>
> We have to use the security constraint I think.
>
> Here is the web.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
>
> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee";
>  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";>
>  <description>Data Staging area for Static data</description>
>  <display-name>App</display-name>
>
>  <filter>
>   <display-name>Ajax4jsf Filter</display-name>
>   <filter-name>ajax4jsf</filter-name>
>   <filter-class>org.ajax4jsf.FastFilter</filter-class>
>  </filter>
>
>  <!-- Tomahawk stuff -->
>  <filter>
>   <filter-name>extensionsFilter</filter-name>
>   <!-- Old: org.apache.myfaces.component.html.util.ExtensionsFilter -->
>   
> <filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>
>   <init-param>
>    <description></description>
>    <param-name>maxFileSize</param-name>
>    <param-value>2m</param-value>
>   </init-param>
>   <init-param>
>    <param-name>uploadThresholdSize</param-name>
>    <param-value>100k</param-value>
>   </init-param>
>  </filter>
>
>
>  <filter-mapping>
>   <filter-name>ajax4jsf</filter-name>
>   <servlet-name>faces</servlet-name>
>   <dispatcher>REQUEST</dispatcher>
>   <dispatcher>FORWARD</dispatcher>
>   <dispatcher>INCLUDE</dispatcher>
>  </filter-mapping>
>  <filter-mapping>
>   <filter-name>extensionsFilter</filter-name>
>   <servlet-name>faces</servlet-name>
>  </filter-mapping>
>  <filter-mapping>
>   <filter-name>extensionsFilter</filter-name>
>   <url-pattern>/faces/myFacesExtensionResource/*</url-pattern>
>  </filter-mapping>
>
>  <context-param>
>     <description></description>
>     <param-name>javax.faces.CONFIG_FILES</param-name>
>     <param-value>
>         /WEB-INF/faces-beans.xml,/WEB-INF/faces-nav.xml
>     </param-value>
>  </context-param>
>
>  <context-param>
>   <description></description>
>   <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
>   <param-value>server</param-value>
>  </context-param>
>
>  <!-- IMPORTANT for ajax4jsf -->
>  <context-param>
>   <param-name>org.ajax4jsf.VIEW_HANDLERS</param-name>
>   <param-value>com.sun.facelets.FaceletViewHandler</param-value>
>  </context-param>
>
>   <!-- Use Documents Saved as *.xhtml -->
>  <context-param>
>   <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
>   <param-value>.xhtml</param-value>
>  </context-param>
>
>   <context-param>
>   <param-name>facelets.REFRESH_PERIOD</param-name>
>   <param-value>2</param-value>
>  </context-param>
>
>  <context-param>
>   <param-name>facelets.DEVELOPMENT</param-name>
>   <param-value>true</param-value>
>  </context-param>
>
>  <context-param>
>     <param-name>com.sun.faces.validateXml</param-name>
>     <param-value>true</param-value>
>  </context-param>
>
>  <context-param>
>     <param-name>com.sun.faces.verifyObjects</param-name>
>     <param-value>true</param-value>
>  </context-param>
>
>  <context-param>
>     <param-name>org.ajax4jsf.SKIN</param-name>
>     <param-value>dkib</param-value>
>  </context-param>
>
>  <context-param>
>   <param-name>facelets.LIBRARIES</param-name>
>   <param-value>
>      /WEB-INF/taglib/tomahawk.taglib.xml;/WEB-INF/taglib/facestrace.taglib.xml
>   </param-value>
>  </context-param>
>
>  <context-param>
>   <description></description>
>   <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
>   <param-value>true</param-value>
>  </context-param>
>
>  <context-param>
>   <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
>   <param-value>false</param-value>
>  </context-param>
>
>  <context-param>
>   <description></description>
>   <param-name>org.apache.myfaces.PRETTY_HTML</param-name>
>   <param-value>true</param-value>
>  </context-param>
>
>  <context-param>
>   <description></description>
>   <param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
>   <param-value>true</param-value>
>  </context-param>
>
>  <context-param>
>   <param-name>org.apache.myfaces.COMPRESS_STATE_IN_SESSION</param-name>
>   <param-value>false</param-value>
>  </context-param>
>
>  <context-param>
>   <param-name>org.apache.myfaces.CHECK_EXTENSIONS_FILTER</param-name>
>   <param-value>false</param-value>
>  </context-param>
>
>
>     <servlet>
>         <servlet-name>faces</servlet-name>
>         <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
>         <load-on-startup>1</load-on-startup>
>     </servlet>
>
>       <servlet>
>               <servlet-name>jsp</servlet-name>
>               <servlet-class>
>                       org.apache.jasper.servlet.JspServlet
>               </servlet-class>
>               <init-param>
>                       <param-name>keepgenerated</param-name>
>                       <param-value>true</param-value>
>               </init-param>
>               <init-param>
>                       <param-name>logVerbosityLevel</param-name>
>                       <param-value>FATAL</param-value>
>               </init-param>
>               <init-param>
>                       <param-name>classdebuginfo</param-name>
>                       <param-value>true</param-value>
>               </init-param>
>               <init-param>
>                       <param-name>enablePooling</param-name>
>                       <param-value>false</param-value>
>               </init-param>
>               <load-on-startup>0</load-on-startup>
>       </servlet>
>
>  <servlet>
>   <servlet-name>JspRedirector</servlet-name>
>   <jsp-file>/test/jspRedirector.jsp</jsp-file>
>  </servlet>
>
>  <!-- Faces Servlet Mapping extension mapping -->
>  <servlet-mapping>
>   <servlet-name>faces</servlet-name>
>   <url-pattern>*.jsf</url-pattern>
>  </servlet-mapping>
>
>  <servlet-mapping>
>   <servlet-name>faces</servlet-name>
>   <url-pattern>*.faces</url-pattern>
>  </servlet-mapping>
>
>  <servlet-mapping>
>   <servlet-name>JspRedirector</servlet-name>
>   <url-pattern>/JspRedirector</url-pattern>
>  </servlet-mapping>
>
>  <servlet-mapping>
>   <servlet-name>jsp</servlet-name>
>   <url-pattern>*.jsp</url-pattern>
>  </servlet-mapping>
>
>  <servlet-mapping>
>   <servlet-name>jsp</servlet-name>
>   <url-pattern>*.jspf</url-pattern>
>  </servlet-mapping>
>
>  <session-config>
>   <session-timeout>600</session-timeout>
>  </session-config>
>
>  <!-- Welcome files -->
>  <welcome-file-list>
>   <welcome-file>index.html</welcome-file>
>   <welcome-file>index.jsp</welcome-file>
>   <welcome-file>/jsf/index.jsf</welcome-file>
>  </welcome-file-list>
>  <error-page>
>   <error-code>401</error-code>
>   <location>/Http401Unauthorized</location>
>  </error-page>
>  <error-page>
>   <exception-type>java.lang.Throwable</exception-type>
>   <location>/ErrorCtrl</location>
>  </error-page>
>  
>  <jsp-config>
>   <taglib>
>    <taglib-uri>jstl-sql-rt.tld</taglib-uri>
>    <taglib-location>/WEB-INF/taglib/jstl-sql-rt.tld</taglib-location>
>   </taglib>
>   <taglib>
>    <taglib-uri>jstl-fmt.tld</taglib-uri>
>    <taglib-location>/WEB-INF/taglib/jstl-fmt.tld</taglib-location>
>   </taglib>
>   <taglib>
>    <taglib-uri>jstl-core.tld</taglib-uri>
>    <taglib-location>/WEB-INF/taglib/jstl-core.tld</taglib-location>
>   </taglib>
>  </jsp-config>
>
>  <security-constraint>
>   <web-resource-collection>
>    <web-resource-name>SSL Scheduler Pages</web-resource-name>
>    <description />
>    <url-pattern>/scheduler/schedulerManager.xhtml</url-pattern>
>    <http-method>GET</http-method>
>    <http-method>PUT</http-method>
>    <http-method>POST</http-method>
>   </web-resource-collection>
>     <auth-constraint>
>      <description />
>      <role-name>RDSstaticdatadeveloper</role-name>
>     </auth-constraint>
>       <user-data-constraint>
>        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>       </user-data-constraint>
>  </security-constraint>
>
>  <security-constraint>
>   <web-resource-collection>
>    <web-resource-name>SSL Rule Pages</web-resource-name>
>    <description />
>    <url-pattern>/rule/ruleList.xhtml</url-pattern>
>    <http-method>GET</http-method>
>    <http-method>PUT</http-method>
>    <http-method>POST</http-method>
>   </web-resource-collection>
>     <auth-constraint>
>      <description />
>      <role-name>RDSstaticdatarulesrw</role-name>
>     </auth-constraint>
>       <user-data-constraint>
>        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>       </user-data-constraint>
>  </security-constraint>
>
>  <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
>   <realm-name>gds</realm-name>
>  </login-config>
>
>  <security-role>
>   <description>developer role - access to developer areas</description>
>   <role-name>RDSstaticdatadeveloper</role-name>
>  </security-role>
>
>  <security-role>
>   <description>user who have permissions to maintain the rule 
> defintions</description>
>   <role-name>RDSstaticdatarulesrw</role-name>
>  </security-role>
>
> </web-app>
>
> Thanks a lot ! 
>
> -----Original Message-----
> From: David Delbecq [mailto:[EMAIL PROTECTED] 
> Sent: 19 April 2007 10:49
> To: MyFaces Discussion
> Subject: Re: Security - protect JSF pages (.xhtml) via security in web.xml -> 
> DOES NOT WORK ?
>
> One of those
> <url-pattern>/rule/ruleList.faces</url-pattern>
> <url-pattern>/faces/rule/ruleList.xhtml</url-pattern>
> <url-pattern>/faces/rule/*</url-pattern>
> will most probably work better, depending on how you mapped your facelets 
> context. If not, please provide full web.xml so we can see where problem is :)
>
> PS: security constraints apply to the URL submitted by the browser, not to internal 
> forwards that may occur as a result of a JSF navigation rule.
>
>
> En l'instant précis du 19/04/07 10:14, Zohner, Michael s'exprimait en ces 
> termes:
>   
>> Sorry, there was a small mistake:
>>
>> WRONG:
>> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
>> It has no effect.
>>
>> RIGHT:
>> So, when I become ANOTHER USER than "RDSstaticdatarulesrw" user, I can 
>> see the page.
>> So, all that has no effect.
>>
>>
>> Regards
>> Michael
>>
>>
>> -----Original Message-----
>> From: Zohner, Michael
>> Sent: 19 April 2007 10:10
>> To: MyFaces Discussion
>> Subject: Security - protect JSF pages (.xhtml) via security in web.xml
>> -> DOES NOT WORK ?
>>
>> Hi,
>>
>> I am trying to protect several pages in our jsf application (myFaces, 
>> facelets, richfaces).
>>
>> We have a security server where our users have specific roles.
>>
>> Its an https application.
>>
>> This is in my web.xml:
>>
>>  <security-constraint>
>>   <web-resource-collection>
>>    <web-resource-name>SSL Rule Pages</web-resource-name>
>>    <description />
>>    <url-pattern>/rule/ruleList.xhtml</url-pattern>
>>    <http-method>GET</http-method>
>>    <http-method>PUT</http-method>
>>    <http-method>POST</http-method>
>>   </web-resource-collection>
>>     <auth-constraint>
>>      <description />
>>      <role-name>RDSstaticdatarulesrw</role-name>
>>     </auth-constraint>
>>      <user-data-constraint>
>>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>      </user-data-constraint>
>>  </security-constraint>
>>
>> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
>> It has no effect.
>>
>> When I write <url-pattern>/rule/*</url-pattern> instead of 
>> <url-pattern>/rule/ruleList.xhtml</url-pattern>, I cannot see ANY pages.
>> Also not the pages which are NOT in directory "rule".
>>
>> So, HOW can I get this working ?
>>
>> The best would be to protect whole dirs and single pages.
>>
>> Best regards
>> Michael
>>
>>
>> ________________
>> Dresdner Bank AG
>> Sitz/Registered Office: Frankfurt am Main, Handelsregister/Commercial
>> Register: Amtsgericht/Local Court, Frankfurt am Main, HRB 14000 
>> Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board:
>> Michael Diekmann Vorstand/Board of Managing Directors: Herbert Walter 
>> (Vorsitzender/Chairman), Andreas Georgi, Stefan Jentzsch, Wulf Meier, 
>> Andree Moschner, Klaus Rosenfeld, Otto Steinmetz, Friedrich Woebking
>>
>> This e-mail is confidential and the information contained in it may be 
>> privileged.  It should not be read, copied or used by anyone other 
>> than the intended recipient.  If you have received it in error, please 
>> contact the sender immediately by telephoning +44 (0)20 7623 8000 or 
>> by return email, and delete the e-mail and do not disclose its 
>> contents to any person.  We believe, but do not warrant, that this 
>> e-mail and any attachments are virus free, but you must take full 
>> responsibility for virus checking.  Please refer to 
>> http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail 
>> disclaimer statement and monitoring policy.
>> ________________
>>
>>
>> ________________
>> Dresdner Bank AG
>> Sitz/Registered Office: Frankfurt am Main, Handelsregister/Commercial 
>> Register: Amtsgericht/Local Court, Frankfurt am Main, HRB 14000 
>> Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: 
>> Michael Diekmann Vorstand/Board of Managing Directors: Herbert Walter 
>> (Vorsitzender/Chairman), Andreas Georgi, Stefan Jentzsch, Wulf Meier, 
>> Andree Moschner, Klaus Rosenfeld, Otto Steinmetz, Friedrich Woebking
>>
>> This e-mail is confidential and the information contained in it may be 
>> privileged.  It should not be read, copied or used by anyone other than the 
>> intended recipient.  If you have received it in error, please contact the 
>> sender immediately by telephoning +44 (0)20 7623 8000 or by return email, 
>> and delete the e-mail and do not disclose its contents to any person.  We 
>> believe, but do not warrant, that this e-mail and any attachments are virus 
>> free, but you must take full responsibility for virus checking.  Please 
>> refer to http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail 
>> disclaimer statement and monitoring policy.
>> ________________
>>
>>   
>>     
>
>
> ________________
> Dresdner Bank AG
> Sitz/Registered Office: Frankfurt am Main, Handelsregister/Commercial 
> Register: Amtsgericht/Local Court, Frankfurt am Main, HRB 14000 
> Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Michael 
> Diekmann 
> Vorstand/Board of Managing Directors: Herbert Walter (Vorsitzender/Chairman), 
> Andreas Georgi, Stefan Jentzsch, Wulf Meier, Andree Moschner, Klaus 
> Rosenfeld, Otto Steinmetz, Friedrich Woebking 
>
> This e-mail is confidential and the information contained in it may be 
> privileged.  It should not be read, copied or used by anyone other than the 
> intended recipient.  If you have received it in error, please contact the 
> sender immediately by telephoning +44 (0)20 7623 8000 or by return email, and 
> delete the e-mail and do not disclose its contents to any person.  We 
> believe, but do not warrant, that this e-mail and any attachments are virus 
> free, but you must take full responsibility for virus checking.  Please refer 
> to http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail 
> disclaimer statement and monitoring policy.
> ________________
>
>   
