Home/ Questions/Q 8531197
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T09:25:43+00:00

I’m using Spring to handle security in my JSF application. I have a login

  • 0

I’m using Spring to handle security in my JSF application. I have a login page at /login and I’ve configured Spring like this:

<http authentication-manager-ref="authenticationManager">
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/admin" access="ROLE_ADMIN" />
    <intercept-url pattern="/javax.faces.resource/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_ADMIN,ROLE_USER" />
    <form-login login-page="/login" authentication-failure-url="/login" />
    <logout logout-url="/logout" />
</http>

I want the admin page at /admin to be available only for users with the ROLE_ADMIN role. Users with ROLE_ADMIN or ROLE_USER may access pages starting from the application root.

When I login with a user having either role I see the page you should see after login. However, whatever my next action may be I get redirected to /login like I’m not logged in. Can someone please explain this as I’m trying to get this thing to work for a day now. I’ve been reading the Spring 3.1.x documentation but it doesn’t give me a clue about how to solve the problem. I’m running Spring 3.1.1.Release by the way.

Extra bonus info: the page you should see after login has an element that should only render if the user had ROLE_ADIN. I can see that element after login. The problems began when I implemented PrettyFaces. I’ve searched the web for common problems and only came up with that the PrettyFaces filter should appear after the Spring security filter. This is the case so it should work right?

UPDATE: I’ve updated my config to use expressions. However the problem still exists.

<http authentication-manager-ref="authenticationManager" use-expressions="true">
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/javax.faces.resource/**" access="permitAll" />
    <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')" />
    <form-login login-page="/login" authentication-failure-url="/login" />
    <logout logout-url="/logout" />
</http>

Output in Firebug’s console just after login (the page tries an AJAX call):

Firebug console log

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First, always debug Spring Security when having problems (add log4j.logger.org.springframework.security=DEBUG).

    Second, I think that you wanted hasAnyRole:

    <intercept-url pattern="/**" access="hasAnyRole(ROLE_ADMIN,ROLE_USER)" />

    plus add use-expressions="true" to http:

    <http authentication-manager-ref="authenticationManager" use-expressions="true">

    to allow ROLE_ADMIN xor ROLE_USER users to access page. In your current config user must have both roles to access /**.

    • 0