1

I'm trying to create a login into my application. I'm using PrimeFaces and Oracle Glassfish 3.1.2. I have created a user inside a file realm on the Glassfish server and selected authentication using a form. Here is the code:

Login page:

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:p="http://primefaces.org/ui" 
      xmlns:c="http://java.sun.com/jsp/jstl/core">
    <h:head>
        <title>Test</title>
    </h:head>
    <h:body>    
            <p:panel header="Prihlásenie" style="width: 300px; margin-left: auto; margin-right: auto;">
                <form method="POST" action="j_security_check">
                    <h:panelGrid columns="2" id="logingrid" style="width: 100%;">

                        <h:outputLabel for="j_username" value="Meno:" />
                        <p:inputText id="j_username" required="true" label="j_username" style="width: 100%;"/>

                        <h:outputLabel for="j_password" value="Heslo:" />   
                        <p:password id="j_password" label="Heslo" required="true" style="width: 100%;"/>

                        <f:facet name="footer">
                            <h:commandButton type="submit" value="Prihlás" style="width: 100%"/>
                        </f:facet>
                    </h:panelGrid>
                </form>
            </p:panel>
    </h:body>
</html>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>faces/secure/temy.xhtml</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>Sec</display-name>
        <web-resource-collection>
            <web-resource-name>Secure</web-resource-name>
            <description/>
            <url-pattern>/faces/secure/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>HEAD</http-method>
            <http-method>POST</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>spravcovia</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>Pub</display-name>
        <web-resource-collection>
            <web-resource-name>Public</web-resource-name>
            <description/>
            <url-pattern>*.css</url-pattern>
            <url-pattern>*.jpg</url-pattern>
            <url-pattern>*.gif</url-pattern>
            <url-pattern>/error.xhtml</url-pattern>
            <url-pattern>/login.xhtml</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>HEAD</http-method>
            <http-method>POST</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>dbrealm</realm-name>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/error.xhtml</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>spravcovia</role-name>
    </security-role>
</web-app>

glassfish-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
  <security-role-mapping>
    <role-name>spravcovia</role-name>
    <group-name>spravcovia</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</glassfish-web-app>

The fact is that when I don't use PrimeFaces tags or JSF tags for input, but only these kinds of inputs, it works fine:

Username: <input type='text' name='j_username' />
Password: <input type='password' name='j_password' />

I thought if by blocking /* I did not block the use of PrimeFaces, but I don't know how to enable it.

UPDATE: I've updated web.xml and glassfish-web.xml. And here is also my project directory (NetBeans). In WEB-INF there is only glassfish-web.xml and web.xml:

Project directory structure

Sergey Kalinichenko
Reshi

2 Answers

4

Your problem is that you are blocking all resources when the user is not logged in. You should let resources like CSS, JavaScript... be processed even if the user is not logged in. To do this, add this part to your web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public</web-resource-name>
    <url-pattern>*.css</url-pattern>
    <url-pattern>*.jpg</url-pattern>
    <url-pattern>*.gif</url-pattern>
    <url-pattern>/javax.faces.resource/*</url-pattern>
  </web-resource-collection>
</security-constraint>
partlov
  • After adding this statement it's the same. Shouldn't I also modify the constraint where I revoke the privileges to /* ? – Reshi Apr 02 '13 at 09:07
  • Yes indeed, you shouldn't use `/*` for the url that you want to secure. Provide all the url pattern(s) that you want to secure **excluding** the resources that you need for login (css, jpg, etc.) – phoenix7360 Apr 02 '13 at 10:12
  • I suggest you add `*.xhtml` in place of `/*` – partlov Apr 02 '13 at 10:41
  • And is there some file that I should put into resources connected to PrimeFaces or JSF? Because I set the constraint to /faces/secure/* and my login page is located in /faces/login.xhtml. But in the login page it still does not work. When I successfully log into my application PrimeFaces/JSF work, but before that it does not work at all. Only basic HTML input types. – Reshi Apr 02 '13 at 13:47
  • And /javax.faces.resource/* has no effect :( – Reshi Apr 02 '13 at 13:47
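
The comments above turn on which `url-pattern` is selected for a given request. As an added example (not code from the original post or from GlassFish), this Python script applies the Servlet specification's best-match order to a constructed `web.xml` holding the protected `/*` constraint the comments mention and the answer's public collection. The request paths are constructed and assume JSF resources are served under the question's `/faces/*` mapping.

```python
import xml.etree.ElementTree as ET

NS = {"ee": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the protected "/*" constraint the comments discuss,
# plus part of the public collection from the answer.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>spravcovia</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>*.css</url-pattern>
   <url-pattern>/javax.faces.resource/*</url-pattern>
  </web-resource-collection>
 </security-constraint>
</web-app>"""

def load(xml_text):
    """Return [(url_pattern, roles)]; roles is None without auth-constraint. HTTP methods are ignored."""
    out = []
    for sc in ET.fromstring(xml_text).findall("ee:security-constraint", NS):
        auth = sc.find("ee:auth-constraint", NS)
        roles = None if auth is None else {r.text.strip() for r in auth.findall("ee:role-name", NS)}
        for p in sc.findall("ee:web-resource-collection/ee:url-pattern", NS):
            out.append((p.text.strip(), roles))
    return out

def rank(pattern, path):
    """Servlet mapping precedence: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None

def effective(constraints, path):
    """Return (best_pattern, roles) for a context-relative path; (None, None) if unconstrained."""
    hits = [(rank(p, path), p, r) for p, r in constraints if rank(p, path) is not None]
    if not hits:
        return None, None
    best = max(hits, key=lambda h: h[0])
    return best[1], best[2]
```

With `/*` protected, both `/faces/javax.faces.resource/...` paths resolve to `/*`: a path-prefix match outranks `*.css`, and `/javax.faces.resource/*` cannot match a path that begins with `/faces/`.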
0

Maybe this post can help you out

Performing user authentication in Java EE / JSF using j_security_check

Look at BalusC's answer. Good luck.

Community
Siew Ling