I read that it is a problem of expired session, but in my case it's impossible because the session was just opened when the exception is thrown: I get to login page, fill up form and submit. After that I get ViewExpiredException. What can I do to resolve the problem?
This is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
<param-name>org.apache.myfaces.SERIALIZE_STATE_IN_SESSION</param-name>
<param-value>false</param-value>
<param-name>com.sun.faces.numberOfLogicalViews</param-name>
<param-value>100</param-value>
</context-param>
<listener>
<listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
</listener>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>pages/login.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>Admin</display-name>
<web-resource-collection>
<web-resource-name>Admin</web-resource-name>
<url-pattern>/pages/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>User</display-name>
<web-resource-collection>
<web-resource-name>User</web-resource-name>
<url-pattern>/pages/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<description/>
<role-name>user</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/pages/login.xhtml</form-login-page>
<form-error-page>/pages/errorLogin.xhtml?faces-redirect=true</form-error-page>
</form-login-config>
</login-config>
<error-page>
<error-code>403</error-code>
<location>/pages/errorLogin.xhtml</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/pages/sessionExpired.xhtml</location>
</error-page>
<error-page>
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
<location>/pages/sessionExpired.xhtml</location>
</error-page>
Try to use the STATE_SAVING_METHOD to client in your web.xml.
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
If you want to stick with the server mode try to increase your views:
<context-param>
<param-name>org.apache.myfaces.NUMBER_OF_VIEWS_IN_SESSION</param-name>
<param-value>40</param-value>
<description>Only applicable if state saving method is "server" (= default).
Defines the amount (default = 20) of the latest views are stored in session.
</description>
</context-param>
Related
On my JSF page (Primefaces) googlebot is causing ViewExpiredException when accessing site. It happens only on POST requests (invalid javax.faces.ViewState?).
I'm running on Wildfly 9.0.1.Final, Primefaces 5.3
My web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Production</param-value>
</context-param>
<context-param>
<param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>javax.faces.DEFAULT_SUFFIX</param-name>
<param-value>.xhtml</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.resourceUpdateCheckPeriod</param-name>
<param-value>0</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.defaultResourceMaxAge</param-name>
<param-value>3628800000</param-value>
</context-param>
<context-param>
<param-name>primefaces.SUBMIT</param-name>
<param-value>partial</param-value>
</context-param>
<context-param>
<param-name>primefaces.THEME</param-name>
<param-value>bootstrap</param-value>
</context-param>
<context-param>
<param-name>primefaces.UPLOADER</param-name>
<param-value>native</param-value>
</context-param>
<context-param>
<param-name>org.primefaces.extensions.DELIVER_UNCOMPRESSED_RESOURCES</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>org.primefaces.extensions.WRAP_PRIME_FACES_RESOURCES</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<param-name>org.ocpsoft.rewrite.annotation.BASE_PACKAGES</param-name>
<param-value>pl.izen.carmen.rewrite</param-value>
</context-param>
<filter>
<filter-name>PrimeFaces FileUpload Filter</filter-name>
<filter-class>org.primefaces.webapp.filter.FileUploadFilter</filter-class>
<init-param>
<param-name>thresholdSize</param-name>
<param-value>51200</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>PrimeFaces FileUpload Filter</filter-name>
<servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<listener>
<listener-class>org.ocpsoft.rewrite.servlet.impl.RewriteServletRequestListener</listener-class>
</listener>
<listener>
<listener-class>org.ocpsoft.rewrite.servlet.impl.RewriteServletContextListener</listener-class>
</listener>
<filter>
<filter-name>OCPsoft Rewrite Filter</filter-name>
<filter-class>pl.izen.carmen.custom.servlet.IzenRewriteFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>OCPsoft Rewrite Filter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ASYNC</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<servlet>
<servlet-name>Public Images Servlet</servlet-name>
<servlet-class>pl.izen.carmen.servlets.images.PublicImagesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Public Images Servlet</servlet-name>
<url-pattern>/public_images/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Product Images Servlet</servlet-name>
<servlet-class>pl.izen.carmen.servlets.images.ProductsImageServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Product Images Servlet</servlet-name>
<url-pattern>/product/image/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>CKEditorUploadServlet</servlet-name>
<servlet-class>pl.izen.carmen.servlets.images.CKEditorUploadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CKEditorUploadServlet</servlet-name>
<url-pattern>/ckeditor/upload/uploadimage</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
<url-pattern>*.xhtml</url-pattern>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>PrimePushServlet</servlet-name>
<servlet-class>org.primefaces.push.PushServlet</servlet-class>
<init-param>
<param-name>org.atmosphere.cpr.broadcasterCacheClass</param-name>
<param-value>org.atmosphere.cache.UUIDBroadcasterCache</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.annotation.packages</param-name>
<param-value>org.primefaces.push</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.cpr.packages</param-name>
<param-value>pl.izen.push</param-value>
</init-param>
<load-on-startup>0</load-on-startup>
<async-supported>true</async-supported>
</servlet>
<servlet-mapping>
<servlet-name>PrimePushServlet</servlet-name>
<url-pattern>/primepush/*</url-pattern>
</servlet-mapping>
<!--
<servlet>
<servlet-name>RESTEasy JSAPI</servlet-name>
<servlet-class>org.jboss.resteasy.jsapi.JSAPIServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RESTEasy JSAPI</servlet-name>
<url-pattern>/rest-js</url-pattern>
</servlet-mapping>
-->
<servlet-mapping>
<servlet-name>CeneoServlet</servlet-name>
<url-pattern>/ceneo/servlet/*</url-pattern>
</servlet-mapping>
<servlet>
<display-name>CeneoServlet</display-name>
<servlet-name>CeneoServlet</servlet-name>
<servlet-class>pl.izen.carmen.custom.integration.ceneo.CeneoServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>HeurekaServlet</servlet-name>
<url-pattern>/heureka/*</url-pattern>
</servlet-mapping>
<servlet>
<display-name>HeurekaServlet</display-name>
<servlet-name>HeurekaServlet</servlet-name>
<servlet-class>pl.izen.carmen.custom.integration.heureka.HeurekaServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>MerchantServlet</servlet-name>
<url-pattern>/merchant/servlet/*</url-pattern>
</servlet-mapping>
<servlet>
<display-name>MerchantServlet</display-name>
<servlet-name>MerchantServlet</servlet-name>
<servlet-class>pl.izen.carmen.custom.integration.google.GoogleMerchantServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>SitemapXmlServlet</servlet-name>
<servlet-class>pl.izen.carmen.custom.servlet.SitemapXmlServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>SitemapXmlServlet</servlet-name>
<url-pattern>/sitemap.xml</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>RobotsTxtServlet</servlet-name>
<servlet-class>pl.izen.carmen.custom.servlet.RobotsTxtServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>RobotsTxtServlet</servlet-name>
<url-pattern>/robots.txt</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>start.xhtml</welcome-file>
</welcome-file-list>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>administrator</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>CSS</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>CSS</web-resource-name>
<url-pattern>/resources/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>SitemapXmlServlet</web-resource-name>
<url-pattern>/sitemap.xml</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>RobotsTxtServlet</web-resource-name>
<url-pattern>/robots.txt</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Unsecured application frontend - object page</web-resource-name>
<description>Objects</description>
<url-pattern>/pages/seoObject.xhtml</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>login.xhtml</web-resource-name>
<description>Unprotect login.xhtml</description>
<url-pattern>/login.xhtml</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public resources</web-resource-name>
<description>All visible resources</description>
<url-pattern>*</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/pages/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/admin</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/index.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public Images Servlet</web-resource-name>
<url-pattern>/public_images/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Unsecured application frontend</web-resource-name>
<description>Start page</description>
<url-pattern>/start.xhtml</url-pattern>
</web-resource-collection>
</security-constraint>
<session-config>
<session-timeout>60</session-timeout>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<error-page>
<error-code>500</error-code>
<location>/error/error_500.xhtml</location>
</error-page>
<error-page>
<error-code>408</error-code>
<location>/error/error_408.xhtml</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/error/error_404.xhtml</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/error/error_404.xhtml</location>
</error-page>
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/error/error.xhtml</location>
</error-page>
<security-constraint>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<mime-mapping>
<extension>ico</extension>
<mime-type>image/x-icon</mime-type>
</mime-mapping>
</web-app>
Almost all components im using are #ViewScoped (CDI), I'm not using #ConversationScoped components.
As You can see in web.xml I'm also using rewrite-filter with primepush (both are working just fine).
Request that is causing error:
X-FORWARDED-FROM: 66.249.79.135
METHOD: POST
PARAM: viewUrl => some_product_name
PARAM: commands:j_idt55 => commands:j_idt55
PARAM: javax.faces.ViewState => 1802363348692608902:3687015195185271050
PARAM: width => 1024
PARAM: javax.faces.source => commands:j_idt55
PARAM: javax.faces.partial.ajax => true
PARAM: javax.faces.partial.execute => #all
PARAM: commands => commands
PARAM: height => 1024
Edit:
It's happenig mostly on one page which uses additional param (viewUrl) which decides what product will be shown. This is a GET param but googlebot uses POST method. On this page user can add product to cart or rate it, nothing else.
GET requests from crawlers (google too) are working fine.
Edit2:
I observed that I got same exception when doing POST navigation (faces-redirect=true) but when I changed com.sun.faces.numberOfLogicalViews to 100 exception is not being thrown anymore. Why JSF is constructing so many views?
Any help would be greatly appreciated.
After a long time I found the cause. Google bot is cachig site and from some time has possiblity of firing posts requests on cached sites. It seems it was firing primefaces remote commads with old JSF ViewId. And that was the issue.
I have implemented a JAAS form based security for my site, and it is suppose to protect all the .xhtml files inside a folder named "secured" but it does not until that page is refreshed.
On first visit the url does not name the file either and just shows"faces/catalog.xhtml" that was the previous unprotected page then if i hit refresh it works then.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.FACELETS_LIBRARIES</param-name>
<param-value>/WEB-INF/bookstore.taglib.xml</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>faces/catalog.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>customer</web-resource-name>
<description/>
<url-pattern>/faces/secured/checkout.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>customer</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myjdbc</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login_error.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>customer</role-name>
</security-role>
oh also calling the secured page like this:
public String buy() {
if (getNumberOfItems() < 1) {
message(null, "CartEmpty");
return (null);
} else {
return ("/secured/checkout");
}
}
Trying to figure this out for some time now, thanks for the help.
I have a created a project, i wish to make sure the user is logged in and authenticated with my ldap server, how would i go about this,
|-- META-INF
|-- WEB-INF
|-- resources
| |-- css
| | `-- style.css
|
|-- upload
| |-- uploadText.xhtml
|
|-- index.xhtml
|-- SubmittedText.xhtml
|-- etc.xhtml
i want to protect everything apart from the resources folder
this is my current web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<filter>
<filter-name>Upload Filter</filter-name>
<filter-class>richard.fileupload.UploadFilter</filter-class>
<init-param>
<param-name>sizeThreshold</param-name>
<param-value>1024</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Upload Filter</filter-name>
<url-pattern>/upload/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<context-param>
<param-name>facelets.LIBRARIES</param-name>
<param-value>/WEB-INF/corejsf.taglib.xml</param-value>
</context-param>
<context-param>
<param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
<param-value>true</param-value>
</context-param>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>LDAP</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login-failed.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restircted resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed resources</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
<!-- <http-method>GETLIB</http-method>
<http-method>COPY</http-method>
<http-method>MOVE</http-method>
<http-method>DELETE</http-method>
<http-method>PROPFIND</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>MKCOL</http-method>
<http-method>PROPPATCH</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
<http-method>VERSION-CONTROL</http-method>
<http-method>CHECKIN</http-method>
<http-method>CHECKOUT</http-method>
<http-method>UNCHECKOUT</http-method>
<http-method>REPORT</http-method>
<http-method>UPDATE</http-method>
<http-method>CANCELUPLOAD</http-method>-->
</web-resource-collection>
<!-- No Auth Contraint! -->
</security-constraint>
</web-app>
Your <security-constraint> is missing the <auth-constraint>. A security constraint without an authentication constraint is basically a public resource. As an example, if you'd like to restrict all roles, then you should put the following authentication constraint within the security constraint.
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
All with all, if you want to restrict everything /* expect of /javax.faces.resource/*, then you should have the following security constraints, exactly in this order in web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Restircted resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed resources</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
</web-resource-collection>
<!-- No Auth Contraint! -->
</security-constraint>
Your list of HTTP method restrictions is somewhat ridiculous, just omit it. It by default already applies on every single HTTP method.
I have been trying to secure my project. I have a log in page that authenticates with an LDAP server and if not right it pulls up an error page etc. I have now just added
<auth-constraint> <!-- Currently causing a 403, looks like stoping .css files -->
<role-name>*</role-name>
</auth-constraint>
to my web.xml, to make sure the users are authenticated before they can view any page, however it seems to be blocking my .css file, Ithink as now the log in page does not display any css at all, and is just white basic, and when I press submit I get:
http://localhost:8080/fileuploadWithPreview/javax.faces.resource/theme.css.xhtml?ln=primefaces-aristo
with this error:
HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
GlassFish Server Open Source Edition 3.1.2.2
This is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<filter>
<filter-name>Upload Filter</filter-name>
<filter-class>richard.fileupload.UploadFilter</filter-class>
<init-param>
<param-name>sizeThreshold</param-name>
<param-value>1024</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Upload Filter</filter-name>
<url-pattern>/upload/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<context-param>
<param-name>facelets.LIBRARIES</param-name>
<param-value>/WEB-INF/corejsf.taglib.xml</param-value>
</context-param>
<context-param>
<param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
<param-value>true</param-value>
</context-param>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>LDAP</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login-failed.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed resources</web-resource-name>
<url-pattern>/javax.faces.resources/*</url-pattern>
</web-resource-collection>
<!-- web resources that are protected -->
<web-resource-collection>
<web-resource-name>All Resources</web-resource-name>
<url-pattern>/*</url-pattern>
<!-- this is currently causing a 404 -->
<http-method>GETLIB</http-method>
<http-method>COPY</http-method>
<http-method>MOVE</http-method>
<http-method>DELETE</http-method>
<http-method>PROPFIND</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>MKCOL</http-method>
<http-method>PROPPATCH</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
<http-method>VERSION-CONTROL</http-method>
<http-method>CHECKIN</http-method>
<http-method>CHECKOUT</http-method>
<http-method>UNCHECKOUT</http-method>
<http-method>REPORT</http-method>
<http-method>UPDATE</http-method>
<http-method>CANCELUPLOAD</http-method>
</web-resource-collection>
<auth-constraint> <!-- Currently causing a 403, looks like stoping .css files -->
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
</web-app>
Basically, what is stopping my css file and how can I allow it?
Your security constraint is also blocking requests on CSS files (basically, it is blocking everything which matches the specified URL pattern of /* expect of the specified login page). You need to add another security constraint which should allow requests on JSF resources. The key is to omit the auth constraint to make those resources accessible by everyone.
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed resources</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
</web-resource-collection>
<!-- No Auth Contraint! -->
</security-constraint>
I have following web.xml. my jsf tags are rendered fine outsite folder /Pages but not inside it. Is there any problem with the configuration?
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>faces/GISPages/welcome.xhtml</welcome-file>
</welcome-file-list>
<resource-ref>
<res-ref-name>jdbc/Gis_WebApp</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<resource-ref>
<res-ref-name>jdbc/SN</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Pages</web-resource-name>
<url-pattern>/fages/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>registereduser</role-name>
<role-name>invitedguest</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Live</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/noauth.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>registereduser</role-name>
</security-role>
<security-role>
<role-name>invitedguest</role-name>
</security-role>
</web-app>
usually the mapping for the faces servlet is based on a file extension:
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
or
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
your mapping only applies to the faces subfolder.
Please give whole predefined path for your welcome file inside
welcome-file-list tag. Like as i mention
<welcome-file-list>
<welcome-file>/company/dashboard.xhtml</welcome-file>
</welcome-file-list>