Url pattern to exclude javax.faces.resource from being invoked by servlet filter

Question

I have created a servlet filter to handle session timeout and authentication.

@WebFilter(urlPatterns={"/acc/*"})
public class ResourceAuthorizationFilter implements Filter { ... }

The pages that I want to filter have a pattern like this: /acc/login-flow, /acc/profiles-flow. The filter gets called also for resources(css, js and images). How can I configure the urlPatterns to exclude from filtering these resources?

EDIT1
Here are some urls that are filtered:

http://localhost:8081/acme-0.0.1/acc/login-flow
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/theme.css
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/jquery/jquery.js
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/primefaces.js
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/ajax.gif
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/login.png
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/header.png
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/images/ui-bg_flat_75_ffffff_40x100.png
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/images/default.png
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/images/ui-icons_888888_256x240.png

I have some custom css/js files under webapp/resources folder, but these ones are not from there.

The acc part comes from:

<servlet-mapping>
    <servlet-name>Spring MVC Servlet</servlet-name>
    <url-pattern>/acc/*</url-pattern>
</servlet-mapping>

EDIT2
These code samples come from a project that is implemented with JSF 2.0, PrimeFaces 3.4.1, Spring 3.0.5.RELEASE, Spring Security 3.0.3.RELEASE and Spring Web Flow 2.3.0.RELEASE.

Answer 1

Just move resources to a different folder outside /acc. They're by default supposed to be in /resources folder anyway so that you can use <h:outputScript>, <h:outputStylesheet> and <h:graphicImage> the right way.

If you can't fix that for some reason, then you'd really need to check the request URI in the doFilter() implementation. There's namely no way to exclude sub-patterns in an URL pattern.

String path = request.getRequestURI().substring(request.getContextPath().length());

if (path.startsWith("/acc" + ResourceHandler.RESOURCE_IDENTIFIER)) {
    chain.doFilter(request, response);
} else {
    // ...
}

---

Update: as per your question update, you're using Spring MVC for some unclear reason. It's also processing all JSF resource requests. You should tell it to not do that. I can't tell from top of head how to do that, but it's at least something with <mvc:resources>.

Answer 2

If you are already using Spring Security in your project. It is easy to register your custom session management filter in the security context and then you can easily exclude the pattern adding a new intercept-url element like this:

<intercept-url pattern="/javax.faces.resource/**" filters="none"/>

Refer to namespace config documentation.

If set to "none" then the path is removed from having any filters applied.

See also:

• Example of a custom session management filter : JSF 2, Spring Security 3.x and Richfaces 4 redirect to login page on session time out for ajax requests
• spring security css styles don't work