
After Spring Security login, I'm redirected to a CSS/JS resource instead of an HTML page

I have a project with spring-security and PrimeFaces and I got an error when I execute my project.

This URL always appears: /javax.faces.resource/primefaces.js.xhtml?ln=primefaces&v=5.1

This happens when I overwrite this method:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.authorizeRequests()
        .anyRequest().authenticated()
        .and()
        .formLogin().loginPage("/login.xhtml")
        .permitAll();
}

and put in my own login page. However, my web.xml calls the page home.xhtml:

<welcome-file-list>
    <welcome-file>home.xhtml</welcome-file>
</welcome-file-list>

What shows up is this:

enter image description here

ti.sof002 asked Apr 02 '15 18:04


1 Answer

The login will by default redirect to the last requested restricted resource of the current HTTP session. Apparently you've (unawarely) also covered JS/CSS/image resources of JSF-generated HTML pages as restricted resources. When the login page itself references exactly that JavaScript file, then it would be remembered as the last requested restricted resource and Spring Security would then blindly redirect to it after successful login.

You need to tell Spring Security to exclude them from restricted resources. One way would be adding the below line to the Spring Security XML configuration file.

<intercept-url pattern="/javax.faces.resource/**" filters="none"/>

Another way would be to override SecurityConfig#configure(WebSecurity).

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/javax.faces.resource/**");
}

This should also immediately solve all broken CSS/JS/images on the login page itself (which you should have noticed by checking the browser's built-in HTTP traffic monitor and/or JS console when loading the login page).

BalusC answered Oct 24 '22 01:10
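The redirect behaviour described in the answer above, as a plain-Java model added here for illustration (it is not Spring Security's code and not part of the original answer). The class SavedRequestDemo, its methods, and the prefix matching that stands in for the Ant pattern are assumptions made for the example.

```java
import java.util.*;

// Simplified model (not Spring code) of the "saved request" behaviour the answer describes.
public class SavedRequestDemo {
    static final String LOGIN_PAGE = "/login.xhtml";
    static final String RESOURCE = "/javax.faces.resource/primefaces.js.xhtml";

    private final List<String> ignoredPrefixes; // stands in for web.ignoring() patterns
    private String savedRequest;                // last restricted URL kept in the session
    private boolean authenticated;

    SavedRequestDemo(String... ignoredPrefixes) {
        this.ignoredPrefixes = Arrays.asList(ignoredPrefixes);
    }

    /** Result of a GET: the URL is served, or the browser is redirected to the login page. */
    String get(String url) {
        boolean ignored = ignoredPrefixes.stream().anyMatch(url::startsWith);
        if (ignored || authenticated || url.equals(LOGIN_PAGE)) {
            return "200 " + url;
        }
        savedRequest = url; // overwrites any earlier saved request
        return "302 " + LOGIN_PAGE;
    }

    /** Successful form login: redirect to the saved request, else to a default target. */
    String login() {
        authenticated = true;
        String target = savedRequest != null ? savedRequest : "/";
        savedRequest = null;
        return "302 " + target;
    }

    /** Replays the browser's requests from the question and returns the post-login redirect. */
    static String replay(SavedRequestDemo app) {
        app.get("/home.xhtml"); // welcome file: restricted, so saved and sent to login
        app.get(LOGIN_PAGE);    // login page is permitAll()
        app.get(RESOURCE);      // script referenced by the login page
        return app.login();
    }

    public static void main(String[] args) {
        System.out.println("before: " + replay(new SavedRequestDemo()));
        System.out.println("after:  " + replay(new SavedRequestDemo("/javax.faces.resource/")));
    }
}
```

With no ignored prefix the post-login redirect goes to the script resource; once /javax.faces.resource/ is ignored, the saved request stays /home.xhtml.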