
PrimeFaces redirect after Glassfish Login

I am trying to add PrimeFaces to my project. It is running on Glassfish 3 with form-based authentication. I downloaded the jar and put it into WEB-INF/lib. After logging in, I was shown a CSS file with the URL:

localhost:8080/[webapp]/javax.faces.resource/theme.css.jsf?ln=primefaces-aristo

This does not happen if I disable the security check. Here is the login part of my web.xml.

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsf</form-login-page>
      <form-error-page>/login.jsf?failed=true</form-error-page>
    </form-login-config>
</login-config>

Can anyone tell me what is the problem? Thanks!

Asked Jan 29 '26 by user996616

1 Answer

This is caused by the restricted pages being cached by the browser.

The container managed security will redirect to the last HTTP request which triggered the authentication check. In your case it's apparently the auto-included PrimeFaces theme CSS file. That can happen if the browser has loaded the to-be-authenticated page fully from the browser cache, while the browser has loaded the CSS file fully from the server side, or has tested the cache validity of the CSS file by a conditional GET request. The container managed security will then remember exactly this URL as the redirect-after-successful-login URL.

You'd like to exclude the JSF resources (<h:outputScript>, <h:outputStylesheet> and <h:graphicImage>) from authentication checks. You could do that by excluding the common URL pattern /javax.faces.resource/*.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Constraint! -->
</security-constraint>

You also need to instruct the browser not to cache restricted pages, to prevent the browser from loading them from the cache (e.g. by pressing the back button after logout). Map the following filter on the same URL pattern as the one of your <security-constraint>.

import java.io.IOException;

import javax.faces.application.ResourceHandler;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/secured/*") // Use the same URL pattern as <security-constraint>
public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // ResourceHandler.RESOURCE_IDENTIFIER is "/javax.faces.resource"; those may stay cacheable.
        if (!req.getRequestURI().startsWith(req.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) { // Skip JSF resources (CSS/JS/Images/etc)
            res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
            res.setHeader("Pragma", "no-cache"); // HTTP 1.0.
            res.setDateHeader("Expires", 0); // Proxies.
        }

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to clean up.
    }
}

Note that this also fixes the "back button" problem. So the end user would also not see the restricted pages anymore when the back button is pressed after signout/logout, as would happen in your current setup.

Answered Feb 02 '26 by BalusC


