I have a web app project (NetBeans 7.1.2 + GlassFish 3.1.2) with jdbcRealm-secured folders secureuser and secureadmin. The JDBC security is the usual form login, with added security constraints. The GlassFish deployment descriptor and web.xml are defined as usual. The servlet configuration is the default "/faces/*".

Security works as expected when trying to access URLs of the form "localhost8080/app/faces/secureduser/". However, if "localhost8080/app/faces/faces/secureduser/" is used instead, security is bypassed. The same goes for the other secured folder.

Adding a "/faces" to the URL patterns defined in the security constraints [so that if the defined pattern is "/faces/secureduser", then "/faces/faces/secureduser" is added] seems to always override the security.

Since the login form is JSF, or at least the design requires the initial page to be outside security, a filter on a context of the form "app/faces/" cannot be used.

How can security be maintained even if the user types in an added "/faces" prefix?

2 Answers

Here is a paragraph from the Servlet 3.0 Specification on how URL path matching is done:

The first successful match is used with no further matches attempted:
  1. The container will try to find an exact match of the path of the request to the path of the servlet. A successful match selects the servlet.
  2. The container will recursively try to match the longest path-prefix. This is done by stepping down the path tree a directory at a time, using the ’/’ character as a path separator. The longest match determines the servlet selected.
  3. If the last segment in the URL path contains an extension (e.g. .jsp), the servlet container will try to match a servlet that handles requests for the extension. An extension is defined as the part of the last segment after the last ’.’ character.
  4. If neither of the previous three rules result in a servlet match, the container will attempt to serve content appropriate for the resource requested. If a "default" servlet is defined for the application, it will be used. Many containers provide an implicit default servlet for serving content.

The container must use case-sensitive string comparisons for matching.

So exact matches take precedence over prefix matches, which take precedence over extension matches, and finally universal patterns.

So what you can do is just add a universal mapping /* with no role specified. The universal mapping is matched last, and if no role is specified no one can access the resource, like this:

<security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

<!--No Authorization Required -->
<security-constraint>
    <web-resource-collection>
      <url-pattern>/faces/index.xhtml</url-pattern>
    </web-resource-collection>
</security-constraint>

<!--All roles can access -->
<security-constraint>
    <web-resource-collection>
      <url-pattern>/faces/users.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

Servlet 3.0 Documentation: see Section 12.1, Use of URL paths.
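As an added illustration (not part of the answer above), here is a constructed Python model of the Section 12.1 matching rules applied to security constraints. It shows why a constraint on /faces/secureduser/* never sees the doubled-prefix request and how the /* deny-all fallback closes that gap. It assumes one constraint per url-pattern and that the constraints on the best-matching pattern decide the request; HTTP methods are ignored.

```python
from typing import Optional
from dataclasses import dataclass

# Constructed model of the Servlet 3.0 Section 12.1 matching rules:
# exact match > longest path-prefix > extension > default servlet "/".
def match_key(pattern: str, path: str):
    """Sort key for how well `pattern` matches `path`; None if it does not."""
    if pattern == path:
        return (3, 0)                        # rule 1: exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]                # "/*" has the empty prefix
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))          # rule 2: longest prefix wins
        return None
    if pattern.startswith("*."):
        if path.rsplit("/", 1)[-1].endswith(pattern[1:]):
            return (1, 0)                    # rule 3: extension, e.g. *.xhtml
        return None
    return (0, 0) if pattern == "/" else None  # rule 4: default servlet

def best_match(patterns, path: str) -> Optional[str]:
    scored = [(k, p) for p in patterns if (k := match_key(p, path)) is not None]
    return max(scored)[1] if scored else None

@dataclass(frozen=True)
class Constraint:
    pattern: str
    # None: no <auth-constraint> (open); empty set: <auth-constraint/> (nobody);
    # {"*"}: any authenticated user; otherwise the listed role names.
    roles: Optional[frozenset]

def decide(constraints, path: str, user_roles: frozenset) -> str:
    """'permit' or 'deny' for a request; assumes one constraint per pattern
    and that the constraints on the best-matching pattern decide."""
    pattern = best_match([c.pattern for c in constraints], path)
    if pattern is None:
        return "permit"                      # nothing matched: container accepts
    roles = next(c.roles for c in constraints if c.pattern == pattern)
    if roles is None:
        return "permit"
    if "*" in roles:
        return "permit" if user_roles else "deny"
    return "permit" if roles & user_roles else "deny"

# Constructed configs: the question's constraints (ORIGINAL) and the fix above.
ORIGINAL = [Constraint("/faces/secureduser/*", frozenset({"user"})),
            Constraint("/faces/secureadmin/*", frozenset({"admin"}))]
DENY_BY_DEFAULT = ORIGINAL + [Constraint("/*", frozenset()),
                              Constraint("/faces/index.xhtml", None)]
```

With ORIGINAL, an anonymous request for /faces/faces/secureduser/ matches no constraint and is permitted; with DENY_BY_DEFAULT it falls through to /* and is denied, while /faces/index.xhtml stays open via its exact-match constraint.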

Since you have not posted your code, I could not figure out what the issue is. Check the following blog:

http://jugojava.blogspot.in/2011/02/jdbc-security-realm-with-glassfish-and.html

Your web.xml is where you specify the page access.

Example:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>admin</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
    </auth-constraint>
</security-constraint>

In the above example only the admin user will have access to pages under the admin folder (Web Pages/admin).

UPDATE

Just by changing the servlet mapping to

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

I have changed the default /faces/ to *.xhtml.

Also removing all the /faces prefixes from the security-constraints should solve the access issues (/faces/faces).