I am transitioning to GlassFish 3.1.2, and can't seem to resolve a problem with authentication.
The agenda is simple: I want a login bean to do programmatic authentication for a user. The authentication seems to work (the code goes past the login() method), but the server ends up shown 403 for the protected resources... Please help :)
Here are more details. There is a pure JSF login page with name/pass pair:
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:p="http://primefaces.org/ui" template="/templates/main.xhtml">
<ui:define name="body">
<h:form id="form">
<p:messages />
<p:panel>
<h:panelGrid>
<h:outputText value="User Name" />
<p:inputText value="#{loginBean.userName}" id="userName"
required="true" />
<p:message for="userName" />
<h:outputText value="Password" />
<p:password value="#{loginBean.password}" id="password"
required="true" />
<p:message for="password" />
</h:panelGrid>
<h:panelGrid columns="2">
<p:commandButton value="Clear"
actionListener="#{loginBean.clear()}" ajax="false" />
<p:commandButton value="Login" action="#{loginBean.login()}"
ajax="false" />
</h:panelGrid>
</p:panel>
</h:form>
</ui:define>
</ui:composition>
and a bean that carries out the login
#Named("loginBean")
#SessionScoped
public class LoginBean implements Serializable {
private static final long serialVersionUID = 1L;
#Inject
#Named("dao")
private Dao dao;
private String userName;
private String password;
#Inject
private UserBean userBean;
...
public String login() {
HttpServletRequest request = (HttpServletRequest) FacesContext
.getCurrentInstance().getExternalContext().getRequest();
try {
request.login(getUserName(), getPassword());
Principal principal = request.getUserPrincipal();
logger.info("Logged in successfully: " + principal);
} catch (ServletException e) {
Messages.addError("Invalid user name or password.");
return null;
}
User user = dao.findSingle("SELECT u FROM User AS u WHERE u.name = ?1",
getUserName());
if (user == null) {
logger.severe("Unable to find user record after successful authentication");
Messages.addError("Unable to load user record");
try {
request.logout();
} catch (ServletException e) {
logger.log(Level.SEVERE, "Unable to logout after failed login attempt", e);
}
return null;
}
getUserBean().setUser(user);
return "/list/list.xhtml?faces-redirect=true";
}
...
accessors
...
}
Here is my web.xml
<?xml version='1.0' encoding='UTF-8'?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>GM</display-name>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<!-- Faces Servlet -->
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<login-config>
<realm-name>gmRealm</realm-name>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/list/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Area</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<welcome-file-list>
<welcome-file>login.xhtml</welcome-file>
</welcome-file-list>
</web-app>
Here is the folder structure for the project:
I was also able to set up the realm as discussed here: http://blog.gamatam.com/2009/11/jdbc-realm-setup-with-glassfish-v3.html
Nothing fancy, AFAICT.
However, whenever I get to the protected resource after a successful login, I get:
HTTP Status 403 - Access to the requested resource has been denied
Despite the fact that the server log contains the message:
INFO: Logged in successfully: nick
Also note that when I remove "?faces-redirect=true", from the login() method's return value, the initial protected resource is rendered just fine right after the login, but all the subsequent requests to it fail with 403.
Here is what it shows in the debugger:
I also think that I've done my homework:
Performing user authentication in Java EE / JSF using j_security_check
Programmatically control login with Servlet 3.0
JSF 2.0 Simple login page
Glassfish 3 security - Form based authentication using a JDBC Realm
Please help...
Oh, well, I guess this one is too deployment specific. I ended up re-conding the prototype in Spring for Tomcat stack. Works like charm now :).
i think you are not permitted jsf resources in spring security. add following line in security.xml in http tags.
<http .........>
<intercept-url pattern="/javax.faces.resource/**" access="permitAll"/>
</http>
Related
I tried solutions from topics with same issue but that didn't work for me. So here is my story. I created very simple web project:
project
Here the code:
package user.bean;
import javax.annotation.ManagedBean;
#ManagedBean
public class User {
private String firstName;
private String lastName;
private String email;
User() {
}
public String getFirstName() {
return firstName;
}
public void setFirstName(String firstName) {
this.firstName = firstName;
}
public String getLastName() {
return lastName;
}
public void setLastName(String lastName) {
this.lastName = lastName;
}
public String getEmail() {
return email;
}
public void setEmail(String email) {
this.email = email;
}
}
First JSF:
<!DOCTYPE html>
<html lang="en"
xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://xmlns.jcp.org/jsf/html"
xmlns:f="http://xmlns.jcp.org/jsf/core">
<h:head>
<title>User Registration Form</title>
<style>
.error {color:red}
</style>
</h:head>
<h:body>
<h:form>
<h:messages styleClass="error"/>
First Name: <h:inputText value="#{user.firstName}"
label="First name"/>
<br/><br/>
Last Name: <h:inputText value="#{user.lastName}"
label="Last name"
required="true"/>
<br/><br/>
Email: <h:inputText value="#{user.email}"
label="Email"
required="true"/>
<br/><br/>
<h:commandButton value="Submit" action="user_response"/>
</h:form>
</h:body>
</html>
Second JSF:
<html lang="en"
xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:head>
<title>User Confirmation</title>
</h:head>
<h:body>
<h:form>
User is confirmed: #{user.firstName} #{user.lastName}
<br/><br/>
Email: #{user.email}
</h:form>
</h:body>
</html>
At
xmlns:h="http://xmlns.jcp.org/jsf/html"
xmlns:f="http://xmlns.jcp.org/jsf/core"
I have: NLS missing message: CANNOT_FIND_FACELET_TAGLIB in:
org.eclipse.jst.jsf.core.validation.internal.facelet.messages
I tried:
Close/reopen project.
Rightclick project > Validate.
Project > Clean... and clean selected project.
Restart Eclipse.
Its didnt worked.
When I run it I faced: HTTP Status 404
So I tried this:
Click on Window > Show view > Server or right click on the server in
"Servers" view, select "Properties".
In the "General" panel, click on the "Switch Location" button.
The "Location: [workspace metadata]" should replace by something else.
Open the Overview screen for the server by double clicking it.
In the Server locations tab , select "Use Tomcat location".
Save the configurations and restart the Server.
Than I add JSF 2.2 (Mojarra 2.2.0) by properties -> Java Build Path. No changes. So I delete it from Build Path and add to WEB-INF->lib. Run on server and face: HTTP Status 500 - Servlet.init() for servlet Faces Servlet threw exception. I added url-pattern and listener to my web.xmp:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>JSF</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<listener>
<listener-class>com.sun.faces.config.ConfigureListener</listener-class>
</listener>
</web-app>
and faced HTTP Status 404 - /JSF/user_form.xhtml
Well I'm complete newbe right now and will be very greatful for little help here. Thanks.
Objective: Want to retrieve and store the user related info (over 5 columns in USER table) in the session when user is authenticated, so that I can use the user info at various point in time during the current session.
Approach: I have chosen to do this by using a managed Bean (LoginBean.java) for authentication in my JavaServerFaces application. I would retrieve the user info and store them in the session in the LoginBean.login() method.
Ref: http://docs.oracle.com/javaee/6/tutorial/doc/glxce.html#glxef
Bean Code:
#ManagedBean
#SessionScoped
public class LoginBean {
private String id;
private String password;
public LoginBean() {
System.out.println("LoginBean() called .....");
}
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String login() {
System.out.println("login() invoked .....");
FacesContext facesContext = FacesContext.getCurrentInstance();
HttpServletRequest request = (HttpServletRequest)facesContext.getExternalContext().getRequest();
try {
request.login(id, password);
} catch (ServletException e) {
facesContext.addMessage(null, new FacesMessage("Login failed."));
return "error";
}
return "home";
}
public void logout() {
System.out.println("logout() invoked .....");
FacesContext facesContext = FacesContext.getCurrentInstance();
HttpServletRequest request = (HttpServletRequest)facesContext.getExternalContext().getRequest();
try {
request.logout();
} catch (ServletException e) {
facesContext.addMessage(null, new FacesMessage("Logout failed."));
}
}
}
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<display-name>AuthenticationUsingLoginBean</display-name>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbcRealm</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/error.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources are restricted</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
</web-app>
login.xhtml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:h="http://java.sun.com/jsf/html" xmlns:f="http://java.sun.com/jsf/core" xmlns:ui="http://java.sun.com/jsf/facelets">
<h:head>
<title>Form based authentication with login bean</title>
</h:head>
<h:body>
<h:form>
<h:outputLabel for="usernameInput">User ID:</h:outputLabel>
<h:inputText id="usernameInput" value="#{loginBean.id}" required="true" />
<h:message for="usernameInput"/>
<br />
<h:outputLabel for="passwordInput">Password:</h:outputLabel>
<h:inputSecret id="passwordInput" value="#{loginBean.password}" required="true" />
<h:message for="passwordInput" />
<br />
<h:commandButton value="Login" action="#{loginBean.login}" />
</h:form>
</h:body>
</html>
Issue
I've started new browser window and accessed the home page (home.xhml).
I am redirected to login.xhtml, which is fine.
But, on clicking Login button on login.xhtml UI, LoginBean.login() method is NOT getting invoked.
Note
login.xhtml should be correct as LoginBean.login() method is invoked successfully when I comment out <login-config> in web.xml file. Obviously, I can't keep it commented as the authentication won't work as expected.
Update
I have the necessary JDBCRealm configured in my tomcat's server.xml file and made sure that it works fine by implementing a sample form based authentication using j_security_check.
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://localhost/xyz"
connectionName="root"
connectionPassword="xxxxx"
userTable="USER" userCredCol="PASSWORD"
userRoleTable="USER_ROLE_MPNG" userNameCol="ID" roleNameCol="ROLE_NAME" />
Software used:
apache-tomcat-7.0.47
JSF 2.1 (Mojarra 2.1.6)
<h:commandButton value="Login" action="#{loginBean.login()}" />
mind the () after login. you're calling a methode not trying to getter/setter a var with the name login in LoginBean.
The reason this is not working is because you are restricting all resources in your web.xml. You can see your login and error pages, but that does not mean that everything surrounding it is accessible, on the contrary.
Solution
Add a new security constraint for public resources, like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>Open Resources</web-resource-name>
<url-pattern>/public/*</url-pattern>
</web-resource-collection>
</security-constraint>
Now, create a new sub-folder where your login.xhtml and error.xhtml are and call it public, as in the security constraint. Move your login.xhtml and error.xhtml into the newly created folder and adjust the login configuration in your web.xml accordingly.
I am building a web application that uploads files and am trying to add CDI features that require the use of a beans.xml file. The problem is that when I add a beans.xml file to the webapp it breaks the previously functional input file uploading, even before I switch over to any features that require beans.xml. Why is even the presence of a beans.xml file breaking this feature?
Environment and Dependencies:
JDK 1.7.0_45
Netbeans IDE 7.4 Patch 2
Windows 7 version 6.1 running on x86
javaee-web-api-6.0
primefaces-3.5
tomahawk-1.1.14
GlassFish Server 4.0
Here's the code if that will help:
beans.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/beans_1_0.xsd">
</beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" >
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<context-param>
<param-name>javax.faces.CONFIG-FILES</param-name>
<param-value>WEB-INF/faces-config.xml</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.expressionFactory</param-name>
<param-value>com.sun.el.ExpressionFactoryImpl</param-value>
</context-param>
<filter>
<filter-name>MyFacesExtensionsFilter</filter-name>
<filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>MyFacesExtensionsFilter</filter-name>
<servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>login.jsf</welcome-file>
</welcome-file-list>
<error-page>
<error-code>401</error-code>
<location>/WEB-INF/errorpages/unauthorized.xhtml</location>
</error-page>
</web-app>
Web Page (login.xhtml)
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:p="http://primefaces.org/ui"
xmlns:t="http://myfaces.apache.org/tomahawk"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:c="http://java.sun.com/jsp/jstl/core">
<h:head>
<title>Input File Test</title>
<c:set value="${facesContext.externalContext.requestContextPath}" var="path" scope="view"/>
<link href="${path}/css/default.css" rel="stylesheet" type="text/css"/>
</h:head>
<h:body>
<div id="main">
<h:form enctype="multipart/form-data">
<p:panel header="Submit Object Relational Model">
<h:panelGrid columns="2" >
<t:inputFileUpload id="file" name="path" value="#{fileUploadController.file}"/>
<f:facet name="footer">
<h:commandButton value="Submit" action="#{fileUploadController.upload()}"/>
</f:facet>
</h:panelGrid>
<p:messages showDetail="true"/>
</p:panel>
</h:form>
</div>
</h:body>
</html>
Bean (FileUploadController.java)
import java.io.Serializable;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import org.apache.myfaces.custom.fileupload.UploadedFile;
#SessionScoped
#ManagedBean(name = "fileUploadController")
public class FileUploadController implements Serializable {
private UploadedFile file;
public UploadedFile getFile() {
return file;
}
public void setFile(UploadedFile file) {
this.file = file;
}
public void upload() {
if(file != null) {
FacesMessage msg = new FacesMessage("Succesful! ", file.getName() + " is uploaded.");
FacesContext.getCurrentInstance().addMessage(null, msg);
}
else {
FacesMessage msg = new FacesMessage("Failure to upload.");
FacesContext.getCurrentInstance().addMessage(null, msg);
}
}
}
faces-config.xml
<?xml version="1.0" encoding="utf-8"?>
<faces-config version="2.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd">
</faces-config>
GlassFish 4 ships with JSF 2.2 which has already a native file upload support in flavor of <h:inputFile>. The FacesServlet has already processed the uploaded file before it hits Tomahawk's <t:inputFileUpload>.
You have basically 2 options:
Get rid of Tomahawk and use native file upload component <h:inputFile> instead.
<h:form enctype="multipart/form-data">
<h:inputFile value="#{bean.uploadedFile}" />
...
</h:form>
with
import javax.servlet.http.Part;
// ...
private Part uploadedFile; // +getter +setter
Downgrade from JSF 2.2 to JSF 2.1 or 2.0. Downgrading the whole server as you did is one way, albeit somewhat clumsy.
I ended up switching to Glassfish Server 3.1.2.2 and the problem was solved.
I am trying to build a simple jsf application in which i take user id and name as parameter and trying to display on another page with the help of ManagedBean but so far i haven't succeeded and also the console is showing no error/exception, below are the list of files i'am using.
AddUser.jsp
<%# page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%# taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
<%# taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Add New User Form</title>
</head>
<body>
<f:view>
<h:form>
<h:panelGrid border="1" columns="2">
<h:outputText value="ID"></h:outputText>
<h:inputText value="#{userBean.id}" required="true">
<f:validateLongRange minimum="1" maximum="500"/>
</h:inputText>
<h:outputText value="Name"></h:outputText>
<h:inputText value="#{userBean.name}"></h:inputText>
<h:commandButton action="#{userBean.addUser}"
value="Add Customer"></h:commandButton>
</h:panelGrid>
</h:form>
</f:view>
</body>
</html>
ManagedBean (UserBean)
package com.sapient.bean;
import java.io.Serializable;
public class UserBean implements Serializable{
/**
*
*/
private static final long serialVersionUID = 1L;
private int id;
private String name;
//Action method to add user
public String addUser() {
return "success";
}
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
}
ListUser
<%# page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%# taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
<%# taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>List of Users</title>
</head>
<body>
<f:view>
<h:form>
<h:outputText value="User #{userBean.name} is added successfully.">
</h:outputText>
</h:form>
</f:view>
</body>
</html>
FacesConfig.xml
<?xml version="1.0" encoding="UTF-8"?>
<faces-config xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_1_2.xsd"
version="1.2">
<managed-bean>
<managed-bean-name>userBean</managed-bean-name>
<managed-bean-class>com.sapient.bean.UserBean</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
</managed-bean>
<navigation-rule>
<display-name>AddUser</display-name>
<from-view-id>/AddUser.jsp</from-view-id>
<navigation-case>
<from-outcome>success</from-outcome>
<to-view-id>/ListUser.jsp</to-view-id>
</navigation-case>
</navigation-rule>
</faces-config>
Web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>Archetype Created Web Application</display-name>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>resources.application</param-value>
</context-param>
<context-param>
<description>State saving method: 'client' or 'server' (=default). See JSF Specification 2.5.2</description>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<context-param>
<description>
This parameter tells MyFaces if javascript code should be allowed in
the rendered HTML output.
If javascript is allowed, command_link anchors will have javascript code
that submits the corresponding form.
If javascript is not allowed, the state saving info and nested parameters
will be added as url parameters.
Default is 'true'</description>
<param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<description>
If true, rendered HTML code will be formatted, so that it is 'human-readable'
i.e. additional line separators and whitespace will be written, that do not
influence the HTML code.
Default is 'true'</description>
<param-name>org.apache.myfaces.PRETTY_HTML</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<description>
If true, a javascript function will be rendered that is able to restore the
former vertical scroll on every request. Convenient feature if you have pages
with long lists and you do not want the browser page to always jump to the top
if you trigger a link or button action that stays on the same page.
Default is 'false'
</description>
<param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
<param-value>true</param-value>
</context-param>
</web-app>
Please help, any word of advice will be appreciated.
Thanks
This is the problematic part of your code present in AddUser.jsp
<h:inputText value="#{userBean.id}" required="true">
<f:validateLongRange minimum="1" maximum="500"/>
</h:inputText>
As here you placed a required="true" in <h:inputText../> and I am damn sure that you are not giving the value in id field and you were just submitting the form by giving only name.So thats why your form is not submitting
Solution:
Now you have two solutions
1) Don't change even a single word in code and just give value in id textfield.(Don't think that 0) which you are seeing in id field as a default is a value which will pass the required field scenario
2) Remove tha required="true" part form here <h:inputText value="#{userBean.id}" required="true"> and you will see it running
I'm trying to do something like that: https://stackoverflow.com/a/2207147/494826
<security-constraint>
<display-name>Amministrazione</display-name>
<web-resource-collection>
<web-resource-name>wrcollAdmin</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>admin</role-name>
<role-name>guest</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Risorse</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
</web-resource-collection>
<!-- No Auth Contraint! -->
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.htm</form-login-page>
<form-error-page>/loginError.htm</form-error-page>
</form-login-config>
</login-config>
My login JSF contains:
<h:form id="loginForm">
<div class="inputlabel">
<h:outputLabel for="j_username" value="Utente:"/>
</div>
<div>
<h:inputText value="#{loginController.username}" id="j_username" size="25" />
</div>
<div class="inputlabel">
<h:outputLabel for="j_password" value="Password:"/>
</div>
<div>
<h:inputText value="#{loginController.password}" id="j_password" size="25" />
</div>
<div>
<h:commandButton action="#{loginController.login}" value="LOGIN" />
</div>
</h:form>
<h:messages styleClass="errors" />
...
And here's the login method:
public void login() throws IOException {
FacesContext context = FacesContext.getCurrentInstance();
ExternalContext externalContext = context.getExternalContext();
HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
try {
log4jLogger.info("LOGIN");
request.login(username, password);
externalContext.redirect("/");
} catch (ServletException e) {
log4jLogger.info("DENIED");
context.addMessage(null, new FacesMessage("Accesso Negato"));
}
}
This doesn't work, because the form never calls the login() method. Why? I suppose it behaves like that because of the web.xml security configuration. Maybe it considers the loginController (a named #ViewScoped bean) as a protected resource?
The second question is more general. Is that the right way for achieving programmatic security?
As the login page itself is also covered by the security constraint restriction and the login is not handled by j_security_check, you need to add the login page itself to the collection of allowed resources as well.
<security-constraint>
<web-resource-collection>
<web-resource-name>Risorse</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
<url-pattern>/login.htm</url-pattern>
</web-resource-collection>
<!-- No Auth Contraint! -->
</security-constraint>