I have a JSF login page that works very well when users navigate to it directly.
However, if users attempt to access a protected page without having logged on first, the container correctly intercepts this and throws them to the logon page. However, because the logon page is JSF there is a problem. What is sent to the user is the raw JSF page, completely unprocessed by FacesServlet.
Snippet Example – sent to browser after accessing a protected page without having logged on:
<ui:define name="body">
<p:growl id="growl" showDetail="true" sticky="true" />
<div class="mytext">Please login to the application...</div>
<form method="POST" action="j_security_check">
<table cellpadding="0" cellspacing="0" border="0">
<tr>
<td align="right">Username: </td>
<td>
<input type="text" name="j_username"/>
</td>
</tr>
<tr>
<td align="right">Password: </td>
<td>
<input type="password" name="j_password"/>
</td>
</tr>
<tr>
<td></td>
<td>
<input type="submit" value="Login"/>
</td>
</tr>
</table>
</form>
</ui:define>
Is there a way to force the container to render a response through the FacesServlet processor rather than simply returning the raw JSF file?
Either change the URL of the
<form-login-page>to match the URL pattern of theFacesServlet, or, better, change the URL pattern of theFacesServletto*.xhtmlso that endusers can never see the raw JSF source code of any page by purposefully changing the URL in browser address bar.