adminfaces / admin-template

JSF responsive admin template based on Bootstrap and AdminLTE
https://adminfaces.github.io/docs/latest/#admin_template
MIT License

If used with security-constraint in web.xml, all redirects after login go to 403.xhtml #29

Closed mnesarco closed 7 years ago

mnesarco commented 7 years ago
Issue Overview

I have configured a realm and a security constraint in web.xml, in conjunction with an AdminSession specialization bean, but the template saves the 403.xhtml page as the redirect URL after login.

Current Behaviour

After login, it redirects to 403.xhtml if the requested URL is protected under a security-constraint.

Expected Behaviour

After login, it must redirect to the originally requested URL.

How to reproduce

A sample xhtml code may help, ex:

web.xml

  <security-constraint>
    <display-name>all</display-name>
    <web-resource-collection>
      <web-resource-name>Config</web-resource-name>
      <url-pattern>/config/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

LoginManager

import java.io.IOException;
import java.io.Serializable;

import javax.enterprise.context.SessionScoped;
import javax.enterprise.inject.Specializes;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.omnifaces.util.Faces;
import com.github.adminfaces.template.session.AdminSession;

// CDI @Specializes replaces the template's AdminSession bean, so AdminFilter
// consults this bean's isLoggedIn() when deciding whether to send the user to
// the login page and which URL to return to afterwards.
@Named("loginManager")
@SessionScoped
@Specializes
public class AdminSessionImpl extends AdminSession implements Serializable {

  private String username;

  private String password;

  // Mirrors the container login state; the container remains the authority.
  private boolean loggedIn = false;

  @Override
  public boolean isLoggedIn() {
    return loggedIn;
  }

  public String getUsername() {
    return username;
  }

  public void setUsername(String username) {
    this.username = username;
  }

  public String getPassword() {
    return password;
  }

  public void setPassword(String password) {
    this.password = password;
  }

  // Authenticates against the configured realm via Servlet 3.0 request.login().
  public void login() throws IOException {
    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
    try {
      request.login(username, password);
      loggedIn = true;
      Faces.redirect("index.xhtml");
    }
    catch (ServletException e) {
      loggedIn = false;
      // The container's own message is echoed to the user here; a fixed,
      // generic message avoids revealing realm or account details.
      String loginErrorMessage = e.getLocalizedMessage();
      FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(loginErrorMessage));
    }
    finally {
      // Never keep the cleartext password in the session-scoped bean.
      password = null;
    }
  }

  // Invalidating the HTTP session discards this session-scoped bean as well.
  public void logout() throws IOException {
    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    externalContext.invalidateSession();
    Faces.redirect("login.xhtml");
  }

}
Additional Information

rmpestano commented 7 years ago

Hi, can you share your login page or a sample project?

rmpestano commented 7 years ago

Also, you are probably getting a 403 response after logon; that's the only way to be redirected to the 403 page, see here: https://github.com/adminfaces/admin-template/blob/master/src/main/resources/META-INF/web-fragment.xml#L12

mnesarco commented 7 years ago

Hi @rmpestano, I am pretty sure the 403 response is generated before I am redirected to the login form, so after logging in successfully, I am redirected to 403.xhtml. Unfortunately I am in a hurry to finish the current project, so my working workaround was to remove the AdminSession specialization and rely only on JAAS, which works out of the box. I will try to do something as soon as I have some spare time to clarify this case.

rmpestano commented 7 years ago

I see, it's been a long time since I've worked with JAAS, but if you point me to a simple Maven example I can try to debug AdminFilter; I'm quite sure the filter is redirecting you to login or index before you have authenticated in JAAS.

mnesarco commented 7 years ago

Hi @rmpestano, I will try to provide a sample project as soon as I have some time. In the meantime, the case is this:

  1. An unauthenticated user tries to access a JAAS-protected page.
  2. The container throws the security exception.
  3. AdminTemplate catches it and redirects to 403.xhtml, but because AdminSession.isLoggedIn returns false, AdminFilter saves the current URL (403.xhtml) to be used as the redirect after login and redirects the user to the login page.
  4. The user successfully authenticates, then AdminTemplate redirects the user to the previously saved URL (403.xhtml).

  The user is effectively authenticated, because they can now access the protected page directly. The problem is just with the redirection after login.

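
The sequence above, as an added illustration that is not code from this thread and not AdminFaces' own AdminFilter: a servlet filter that records the pre-login destination while refusing to record the error and login pages. Because the container enforces a security-constraint before any filter runs, an unauthenticated request for /config/* never reaches a filter as a normal REQUEST dispatch; the filter only sees it as the ERROR dispatch to the mapped 403 page, where the original URI is available in the standard javax.servlet.error.request_uri attribute (RequestDispatcher.ERROR_REQUEST_URI). If the template instead issues a redirect to 403.xhtml, that page arrives as a plain request and is excluded by name. The class name, the session attribute name and the excluded-page list are assumptions chosen for this example, which targets the javax.servlet API of the era and Java 9+ (Set.of). The saved value is validated as an in-application path so the post-login redirect cannot be turned into an open redirect.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Example filter (hypothetical; not AdminFaces' AdminFilter) that remembers
 * where an unauthenticated user wanted to go, so the login bean can return
 * them there. It runs on ERROR dispatches too, because a 403 raised by the
 * container for a security-constraint reaches filters only that way.
 */
@WebFilter(urlPatterns = "/*",
           dispatcherTypes = { DispatcherType.REQUEST, DispatcherType.ERROR })
public class ReturnUrlFilter implements Filter {

  /** Session attribute name; an assumption made for this example. */
  public static final String RETURN_URL = "example.returnUrl";

  /** Context-relative pages that must never become a post-login destination. */
  private static final Set<String> NEVER_RETURN_TO = Set.of(
      "/403.xhtml", "/404.xhtml", "/500.xhtml", "/login.xhtml");

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    if (request.getUserPrincipal() == null) {
      String candidate = originalRequestPath(request);
      if (isSafeReturnPath(candidate, request.getContextPath())) {
        request.getSession(true).setAttribute(RETURN_URL, candidate);
      }
    }
    chain.doFilter(req, res);
  }

  /**
   * On an ERROR dispatch the request URI is the error page itself; the page
   * the user actually asked for is carried in javax.servlet.error.request_uri.
   */
  static String originalRequestPath(HttpServletRequest request) {
    if (request.getDispatcherType() == DispatcherType.ERROR) {
      Object uri = request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
      if (uri != null) {
        return uri.toString();
      }
    }
    return request.getRequestURI();
  }

  /**
   * Accept only a path inside this application: rejects absolute and
   * protocol-relative URLs (open redirect), paths outside the context path,
   * and the error/login pages themselves.
   */
  static boolean isSafeReturnPath(String path, String contextPath) {
    if (path == null || !path.startsWith("/") || path.startsWith("//")) {
      return false;
    }
    if (!path.startsWith(contextPath + "/") && !path.equals(contextPath)) {
      return false;
    }
    String relative = path.substring(contextPath.length());
    return !NEVER_RETURN_TO.contains(relative);
  }

  /**
   * For the login bean: after request.login(...) succeeded, redirect to the
   * saved path (consumed once) or to the given fallback such as index.xhtml.
   */
  public static String consumeReturnUrl(HttpSession session, String fallback) {
    Object saved = session.getAttribute(RETURN_URL);
    session.removeAttribute(RETURN_URL);
    return saved == null ? fallback : saved.toString();
  }

  @Override public void init(FilterConfig filterConfig) { }
  @Override public void destroy() { }
}
```

With this in place, a login bean like the one posted above would call Faces.redirect(ReturnUrlFilter.consumeReturnUrl(request.getSession(), "index.xhtml")) instead of a fixed index.xhtml. Two checks worth keeping whatever the real fix looks like: never store a URL that is itself an error or login page, and never store anything that is not a path under the application's own context path.
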
rmpestano commented 7 years ago

Hi @mnesarco,

can you try with following SNAPSHOT?

<dependency>
  <groupId>com.github.adminfaces</groupId>
  <artifactId>admin-template</artifactId>
  <version>1.0.0-20170929.011951-82</version>
</dependency>

Don't forget to add snapshots repository in your pom.xml.

mnesarco commented 7 years ago

Hi @rmpestano, thanks for your time. I have already deployed my app with only JAAS, but I will try your changes in the next sprint (next two weeks). Thank you.