Home/ Questions/Q 6071309
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T10:01:57+00:00

I am using spring security with jsf 2. I have a filter that control

  • 0

I am using spring security with jsf 2. I have a filter that control if db access is ok in each page. :

public void doFilter(ServletRequest aReq, ServletResponse aResponse, FilterChain aChain) throws IOException,
        ServletException
{

    ...
    if(!myContext.isdbRunning())
    {
        mLogger.debug("System not working. Redirecting to: "+"/error.jsf");
        aReq.setAttribute("errorMsj", "DB is not started. Please contact DB admin.");
        aReq.getRequestDispatcher("/error.jsf").forward(aReq, aResponse);
        return;
    }

    aChain.doFilter(aReq, aResponse);
    return; 
}

If everything is ok, my jsf page is rendered correctly. but when filter finds a problem in db, it processes to an error page. 

aReq.getRequestDispatcher("/error.jsf").forward(aReq, aResponse);

but that page dosn’t show images and other css based stuff..

does spring security take control and disallow my page contents? or do I have a mistake? How can I solve it? Can I use Phase listener?

Edit: part of my web.xml is

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>

  <filter>
    <filter-name>Gatekeeper</filter-name>
    <filter-class>com.jsfsample.filter.GateKeeperFilter</filter-class>
  </filter>

   <filter-mapping>
    <filter-name>Gatekeeper</filter-name>
    <url-pattern>*.jsf</url-pattern>
   </filter-mapping>


  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Are your css/scripts/images loaded with a separate request ?

    If so make sure their url (http://domain.com/styles.css) is not secured.

    A bit more detail on unsecuring specific URLs.

    In your security context config file you should have something like:

    <http auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint">
    <intercept-url pattern="/something/relativeUrlThatLoadsImages.jsf" filters="none" />

    <!-- OR -->    

    <intercept-url pattern="/something/relativeUrlThatLoadsImages.jsf" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>

    Either filters="none" or access="IS_AUTHENTICATED_ANONYMOUSLY" will unsecure the relative URL specified in the pattern attribute.

    I personally prefer using filters="none", because it tells spring not to load the filter chain at all for these URLs.

    This way you won’t need to code to make spring ignore these URLs and you will have a place to change access to them easily in the future if you need to.

    • 0