The Servlet 2.4+ API allows us to use the <dispatcher> tag within the <filter-mapping> tag with values like FORWARD to interce
From the horse's mouth (Oracle documentation):
If a navigation case does not use the redirect element, the new page is rendered as a response to the current request, which means that the URL in the browser's address field does not change and that it will contain the address of the previous page.
What this seems to translate to is that there is no 'forward' happening to the next page during the JSF lifecycle... and so Spring Security will never get a handle to this.
By default the FilterSecurityInterceptor will only execute once-per-request and doesn't do security re-checking unless there is a change in the URL, but with JSP/JSF forwards the page is rendered as a response to the current request and the URL in the browser contains the address of the previous page. So for this, just set the once-per-request attribute to false in your http element in applicationContext, thus forcing security rechecking.
<http auto-config="true" use-expressions="true" once-per-request="false">
and add a dispatcher for forwards in springSecurityFilterChain filter-mapping in your web.xml
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Alternatively, you can also enable page redirection by appending the parameter faces-redirect=true to the outcome like this:
<h:form>
    <h:commandButton action="page1?faces-redirect=true" value="Page1" />
</h:form>
But as BalusC says, it's not good practice to use POST for page-to-page navigation. Always do GET using <h:link> or <h:button>.
Also see:
when-should-i-use-houtputlink-instead-of-hcommandlink
Post-Redirect-Get pattern
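
Added example (not from any of the answers above, and not Spring Security's own code): a simplified Java model of why the last answer changes both the dispatcher mapping and once-per-request. It assumes the page change reaches the container as a FORWARD dispatch; the paths, the /admin/ rule and the "applied" marker are constructed for illustration.

```java
import java.util.*;

// Simplified model (not Spring Security code) of how dispatcher mappings and
// once-per-request decide whether a forwarded view is access-checked.
public class ForwardRecheckDemo {
    // Constructed sample rule: everything under /admin/ requires authorization.
    static boolean isProtected(String path) { return path.startsWith("/admin/"); }

    /** Returns the paths on which the modelled security interceptor ran its access check. */
    static List<String> checkedPaths(Set<String> dispatchers, boolean oncePerRequest,
                                     String requested, String forwardedTo) {
        List<String> checked = new ArrayList<>();
        Map<String, Object> requestAttrs = new HashMap<>(); // attributes survive a forward
        dispatch("REQUEST", requested, dispatchers, oncePerRequest, requestAttrs, checked);
        dispatch("FORWARD", forwardedTo, dispatchers, oncePerRequest, requestAttrs, checked);
        return checked;
    }

    static void dispatch(String type, String path, Set<String> dispatchers, boolean oncePerRequest,
                         Map<String, Object> attrs, List<String> checked) {
        if (!dispatchers.contains(type)) return;                    // filter-mapping does not match
        if (oncePerRequest && attrs.containsKey("applied")) return; // already ran for this request
        attrs.put("applied", Boolean.TRUE);
        checked.add(path + (isProtected(path) ? " [access check enforced]" : " [public]"));
    }

    public static void main(String[] args) {
        String requested = "/login.xhtml", target = "/admin/users.xhtml"; // constructed paths
        System.out.println("REQUEST only:               "
            + checkedPaths(Set.of("REQUEST"), true, requested, target));
        System.out.println("+FORWARD, once-per-request: "
            + checkedPaths(Set.of("REQUEST", "FORWARD"), true, requested, target));
        System.out.println("+FORWARD, recheck enabled:  "
            + checkedPaths(Set.of("REQUEST", "FORWARD"), false, requested, target));
    }
}
```

In this model only the third configuration runs the access check on the forwarded /admin/ path; in the first two the protected view is rendered under the decision made for the public URL.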