I'm just starting down the track of developing web apps and have started with JSF 2.2 on Java EE 7, GlassFish 4.

I thought I'd start with the very basics. I just want to protect the entire site, so every page you navigate to would first require you to authenticate yourself. So I read through the Java EE 7 Tutorial and tried the samples, modified them and then started to break them in ways I didn't think they would break. I tried all sorts of angles, but I'd generally end up in two situations:

  1. I'd try to access a page using a partial request, which would land me at /index.xhtml as defined by <welcome-file-list>, and be prompted to log in; but on submitting the username/password I'd be instantly directed back to the login form.
  2. I added an action to the <h:commandButton> to point to index. This worked, but when I submitted the form on the index page which should take me to the response.xhtml page, I'd end up back at the login form instead of at the response page.

After many hours of trawling the net, it seemed that the reason I had broken the login procedure was because I had changed the plain HTML login form to use JSF tags like <h:form>, instead of <form>.

There is a discussion here that says you should not do this with login forms. To quote an interesting line from that page:

> To make such a page login, make the actual login form be HTML and not JSF and code it according to the j2EE standards for login forms. Use the HTML form tag instead of the JSF form, and make sure you code an HTML SUBMIT button and not a JSF commandButton!

Once I changed it back to plain old HTML it worked. But I don't understand why. Can anyone enlighten me?! I think I am missing something fundamental which I need to understand if I'm going to start writing web apps in JSF.

Many thanks...

Arjan Tijms
Paul

1 Answer

It's because <h:form> submits to the current URL (in web development terms also known as "postback"), not to j_security_check, while the form based authentication intercepts on j_security_check URLs.

It's however not true that using a JSF form for form based authentication is impossible. It's quite possible; you only need to perform the login in a backing bean using HttpServletRequest#login() yourself.

BalusC
  • Thanks for the quick response! This is interesting as I'm obviously misunderstanding some basics. In my naïve view of JSF, I thought that the JSF tags are just simply representations of their plain HTML counterparts, nonetheless functionally the same. – Paul Jul 28 '13 at 21:52
  • (Sorry, wasn't finished didn't think hitting return on my iPhone would submit the comment - then editing timed out!) So even though the 'action' method of the form tag is the same for both representations (HTML/JSF), one is doing something the other isn't. Is this specific to just the form tag, or do other tags exhibit different behaviour between JSF/HTML? – Paul Jul 28 '13 at 22:00
  • `<h:form>` doesn't support the `action` attribute. It's completely ignored. JSF generates its own which points to the current URL. – BalusC Jul 28 '13 at 23:23
  • Ah, that would explain it! Many thanks for your help. Out of interest, how do you know this? Are there some good books/resources you'd recommend? I'm not sure that was mentioned in the tutorial and guess I'll need some more in depth material to get to grips with this. – Paul Jul 29 '13 at 05:24
  • Check tag documentation: http://docs.oracle.com/javaee/6/javaserverfaces/2.1/docs/vdldocs/facelets/h/form.html The introduction of the tag documentation mentions this *"The value of the "action" attribute must be the result of passing the view identifier of the current view to the getActionURL() method of the ViewHandler for this application"*. The `action` attribute is also not listed in attributes. The IDE autocomplete/intellisense would also not list it. On the other hand, looking in `FormRenderer` source code should also give clues. – BalusC Jul 29 '13 at 11:52
  • Looks like I didn't quite appreciate this comment in the [Java EE 7 Tutorial](http://docs.oracle.com/javaee/7/tutorial/doc/security-advanced003.htm#BABIFJGI): _Facelets forms, using the h:form, h:inputText, and h:inputSecret tags, however, generate the action and input IDs automatically, which means developers are unable to specify j_security_check as the form action_ ... Thanks again for the help. – Paul Jul 29 '13 at 20:56