Question 1:
I have set up Spring Security in my application, but now I have a slightly weird problem.
What I have learned from Spring Security is that you don't need to add this line of code, @RolesAllowed({"ROLE_ADMIN"}), above your method if you set this up:
<sec:http auto-config="true" access-denied-page="/faces/accessDenied.xhtml">
<sec:form-login login-page="/faces/login.xhtml" />
<sec:intercept-url pattern="/faces/admin/**" access="ROLE_ADMIN" />
</sec:http>
But apparently I can go to the page that is in the “/faces/admin” folder without Spring Security redirecting me to the login page.
Question 2:
When I have the @RolesAllowed({"ROLE_ADMIN"}) code above my method, it redirects me to the login page and works correctly, but with this one I get an access denied error in my console with a bunch of error codes (the application still runs correctly though). Is it OK that I get access denied errors in the console, and if not, what is the best way to handle it?
I still want to have the restricted pages folder and not have to write @RolesAllowed above all the methods that are in the admin folder.
PS: It is a JSF 2.0 project.
Thanks in advance, cheers.
Question 1: I think you are missing the DelegatingFilterProxy in your web.xml. Configure like this:
And configure the http element as below:
And instead of the access-denied-page attribute, use access-denied-handler as the above attribute is deprecated. Source
Question 2: Yes, this is normal if you set your log level to DEBUG and access the protected resource the first time as an anonymous user. See 1.3 of this FAQ
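A sketch of the setup this answer describes, as an added example that is not the answerer's original configuration: the DelegatingFilterProxy registration in web.xml, followed by the question's http element with access-denied-handler in place of the deprecated attribute. The context file location is an assumption, an authentication-manager is assumed to be defined elsewhere in that file, and the FORWARD dispatcher is included because JSF navigation forwards server-side by default.

```xml
<!-- web.xml (added example; the context file location below is an assumption) -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext-security.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<filter>
    <!-- Must be exactly this name: it is the bean that the sec:http namespace registers -->
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- Without FORWARD, pages reached through JSF's server-side navigation
         never pass through the security filter chain -->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

<!-- applicationContext-security.xml (paths taken from the question) -->
<sec:http auto-config="true">
    <sec:intercept-url pattern="/faces/admin/**" access="ROLE_ADMIN" />
    <sec:form-login login-page="/faces/login.xhtml" />
    <!-- Replaces the deprecated access-denied-page attribute -->
    <sec:access-denied-handler error-page="/faces/accessDenied.xhtml" />
</sec:http>
```

With this in place, requesting a page under /faces/admin/ as an anonymous user should redirect to the login page, and an authenticated user without ROLE_ADMIN should land on the access-denied page.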