I have a custom login page created using JSF. But once I run the application, I get the error message "Firefox has detected that the server is redirecting the request for this address in a way that will never complete."
Here's my web.xml:
<!-- Spring context files for the application; the URL access rules and the
authentication setup are in applicationContext-security.xml. The loader that reads
this parameter is not shown in this excerpt. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>
<!-- Enable Spring Security. DelegatingFilterProxy passes each request to the Spring
bean with the same name as the filter-name, springSecurityFilterChain. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Allow login pages with JSF which redirects to security check,
therefore we have to add the forward entry here.
The mapping is /*, so every URL goes through the security chain, on direct requests
(REQUEST) and on internal forwards (FORWARD). That includes /login.xhtml itself, so
the login page must be explicitly permitted in the security configuration. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
And my applicationContext-security.xml:
<!-- URL access rules. intercept-url entries are evaluated in order and the first
matching pattern decides, so the specific /jsf/... rules come before the /** catch-all.
use-expressions="true" is what allows hasRole(...) in the access attributes. -->
<http auto-config='true' use-expressions="true" access-denied-page="/index.xhtml">
<intercept-url pattern="/jsf/admin_*" access="hasRole('ADMIN')"/>
<intercept-url pattern="/jsf/pm_*" access="hasRole('PM')"/>
<intercept-url pattern="/jsf/la_*" access="hasRole('ACCOUNT_APPROVER')"/>
<intercept-url pattern="/jsf/bc_*" access="hasRole('BILLING_CONTACT')"/>
<!-- NOTE(review): this catch-all also matches /login.xhtml. An anonymous request for
the login page is refused and sent back to the login page, which is the endless
redirect the browser reports. The login page needs its own rule, placed before this
one, that permits anonymous access. -->
<intercept-url pattern="/**" access="hasRole('USER') or hasRole('ADMIN') or hasRole('PM')"/>
<!-- Custom JSF login page; credentials are posted to /j_spring_security_check. -->
<form-login login-processing-url="/j_spring_security_check" login-page="/login.xhtml" />
</http>
<authentication-manager>
<authentication-provider user-service-ref='myUserDetailsService'>
<!-- NOTE(review): hash="sha" selects SHA-1, and no salt source is configured here.
A fast unsalted hash gives little protection to stored passwords if the user table
leaks. Prefer a salted, deliberately slow scheme such as bcrypt, wired in through the
ref attribute of password-encoder where the Spring Security version in use provides
one. Existing hashes have to be migrated, for example by rehashing at the next
successful login. -->
<password-encoder hash="sha"/>
</authentication-provider>
</authentication-manager>
<!-- Project UserDetailsService that loads users through wcUserDAO (a bean defined
outside this excerpt). -->
<beans:bean id="myUserDetailsService" class="lk.mazarin.wcplus.security.WcUserDetailsServiceWrapper">
<beans:property name="wcUserDAO" ref="wcUserDAO"/>
</beans:bean>
<!-- NOTE(review): nothing in this excerpt references wcPasswordEncoder; the provider
above uses hash="sha" instead. Confirm whether other code uses this bean to hash
passwords at registration, so that stored and checked hashes use the same scheme. -->
<beans:bean id="wcPasswordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
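As pointed out by @Michael, you need to remove the security restrictions from the login page. Otherwise the unauthenticated request for the login page is itself redirected to the login page, which produces the redirect loop. The filters
attribute was deprecated, and there is another way to do it in the newest versions of Spring Security: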
<http ...>
....
<!-- This line goes BEFORE the /** pattern: rules are checked in order and the first
match wins, so a permitAll rule placed after /** would never be reached.
permitAll is an expression and needs use-expressions="true" on the http element.
Keep the anonymous list as narrow as possible. If the login page loads JSF-served
stylesheets, scripts or images, those requests are still caught by /** and need their
own narrowly scoped permitAll rule (presumably under /javax.faces.resource/ for JSF 2;
verify against the application's Faces servlet mapping). -->
<intercept-url pattern="/login.xhtml*" access="permitAll" />
....
<intercept-url pattern="/**" access="hasRole('USER') or hasRole('ADMIN') or hasRole('PM')"/>
...
</http>