I need to implement security for a new JSF web app that is deployed along with a “legacy” JSP/servlet-based app in a single EAR file (container is WebLogic 11g). Right now I have a JSF Phase Listener that checks whether the user has a flag in their session that indicates that they’re logged in (note that “shared session data” has been turned on so that both web apps use the same HTTP session).
I would prefer to not use a Phase Listener if possible and instead specify in web.xml to redirect the user to the login page if they’re not logged in (this is how the check has been implemented in the legacy web app) However, the login page lives in the “legacy” app at a different context root than the JSF web app. (note the legacy app runs on an older servlet container version than the new JSF web app).
Is there a way to configure the JSF web app’s web.xml file to be able to redirect to the first web app’s login page if the they have different context roots?
There does not appear to be a way to do this (redirect to another context root’s login page) in WebLogic 11g. Appears as though the Phase Listener solution is the best approach.
Note WebLogic 11g does allow sharing session and User Principal information between web apps deployed in a single EAR, but does not support specifying a URL to a login page that is in different context root than that of the current web app where the web.xml lives. So a servlet filter-like solution that can do the redirection to the login page in the other web app is needed.