I'm trying to exclude one JSF page from login authentication. I've added a security-constraint with no auth-constraint tag in web.xml, as advised here: https://blog.mafr.de/2011/04/17/excluding-pages-from-auth/

That doesn't solve the problem, since I'm using container-based login config, configured in my web.xml.

Is there a way to access just one JSF page without a need to log in, while keeping current login configuration?

Here's my login and security-constraint configuration:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted Employees</web-resource-name>
        <url-pattern>/employee</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>team_leaders</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <description>No login required for accepting requests</description>
        <url-pattern>/acceptRequests</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login.xhtml</form-error-page>
    </form-login-config>
</login-config>
mklepa
  • Does it work for a plain html file in that folder? Or a JSP? – Kukeltje Dec 28 '18 at 09:58
  • Thanks for the suggestion! I just changed the file extension to plain html, updated view-id in pretty-config.xml, and the page doesn't require a login. Unfortunately, I can't use PrimeFaces tags in this file, so I would have to style the whole page by myself. Is there a better solution, to make it work with .xhtml file or somehow use PrimeFaces styles in plain html? – mklepa Dec 28 '18 at 10:39
  • It was not meant as a solution, just to narrow things down. Is the request path you see in the HTTP request identical (besides the filename)? – Kukeltje Dec 28 '18 at 10:39
  • And keep in mind that you need to exclude ALL JSF and PrimeFaces resources as well! https://stackoverflow.com/questions/13696204/exclude-css-image-resources-in-web-xml-security-constraint – Kukeltje Dec 28 '18 at 10:43
  • OK, great. I excluded the resources as well. Request path is identical due to PrettyFaces mapping, unless you mean something else? – mklepa Dec 28 '18 at 11:47
  • No, I meant the request path when doing an html page request vs an xhtml page – Kukeltje Dec 28 '18 at 12:12
  • I'm sorry, but I don't understand what you mean by request path if it's not request URL. Can you elaborate? – mklepa Dec 28 '18 at 13:03
  • Read [this](https://www.ibm.com/support/knowledgecenter/en/SSGMCP_5.1.0/com.ibm.cics.ts.internet.doc/topics/dfhtl_uricomp.html). The path part is what is relevant here – Kukeltje Dec 28 '18 at 15:38
  • I solved the issue, it turns out the configuration in web.xml was not being used, and there was a filter class that provides authorization. It was limited only to xhtml files, so that's why I had no issue with html files. Thanks for the help :) – mklepa Dec 31 '18 at 15:28

1 Answer

Turns out the configuration in web.xml was not being used, and there was a filter class that provides authorization. It was limited only to xhtml files, so that's why I had no issue with html files.

mklepa