Search code examples
jsfspring-securityredirect-loop

Integration Spring Security with JSF results in redirect loop

I have a custom login page created using JSF. But once i run the application i get the error message "Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

Here's my web.xml:

<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
            /WEB-INF/applicationContext.xml
            /WEB-INF/applicationContext-security.xml
  </param-value>
</context-param>


<!-- Enable Spring Security -->
<filter>
 <filter-name>springSecurityFilterChain</filter-name>
 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- Allow login pages with JSF which redirects to security check,
 therefore we have to add the forward entry here -->
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
 </filter-mapping>

And my applicationContext-security.xml

<http auto-config='true' use-expressions="true" access-denied-page="/index.xhtml">
    <intercept-url pattern="/jsf/admin_*" access="hasRole('ADMIN')"/>
    <intercept-url pattern="/jsf/pm_*" access="hasRole('PM')"/>
    <intercept-url pattern="/jsf/la_*" access="hasRole('ACCOUNT_APPROVER')"/>
    <intercept-url pattern="/jsf/bc_*" access="hasRole('BILLING_CONTACT')"/>
    <intercept-url pattern="/**" access="hasRole('USER') or hasRole('ADMIN') or hasRole('PM')"/> 
    <form-login login-processing-url="/j_spring_security_check" login-page="/login.xhtml" />
</http>

<authentication-manager>
    <authentication-provider user-service-ref='myUserDetailsService'>
        <password-encoder hash="sha"/>
    </authentication-provider>
</authentication-manager>    

<beans:bean id="myUserDetailsService" class="lk.mazarin.wcplus.security.WcUserDetailsServiceWrapper">
    <beans:property name="wcUserDAO" ref="wcUserDAO"/>       
</beans:bean> 

<beans:bean id="wcPasswordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
Solution

  • As pointed by @Michael, you need to remove security restrictions from the login page. The filters attribute was deprecated and there is another way to do it in newest versions of Spring Security:

    <http ...>
    ....
    <!-- This line goes BEFORE /** pattern -->
    <intercept-url pattern="/login.xhtml*" access="permitAll" />
    ....
    <intercept-url pattern="/**" access="hasRole('USER') or hasRole('ADMIN') or hasRole('PM')"/> 
    ...
</http>