jsf servlet-filters shiro

JSF Servlet Pattern / weird requests


Currently I want to refactor my project and remove the /faces/ from the URLs. The reason is simple: I want to prevent users from "removing" the faces part and seeing the source of the underlying XHTML file.

I'm using Shiro for authentication. I'll first describe the prior situation (that worked) and then the new one, which is causing trouble.

Prior Situation:

web.xml:

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>

shiro.ini

[urls]
/faces/index.xhtml = authc
/faces/pages/** = authc
/faces/templates/** = authc
/faces/resources/** = authc

Current Situation:

web.xml:

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

shiro.ini

[urls]
/index.xhtml = authc
/pages/** = authc
/templates/** = authc
/resources/** = authc

For people who might still have "faces" bookmarks, I added a filter that does this:

HttpServletRequest srequest = (HttpServletRequest) request;
HttpServletResponse sresponse = (HttpServletResponse) response;

String url = srequest.getRequestURI().trim();
System.out.println("Filtering url: " + url);

if (url.contains("/faces/")) {
    // Legacy bookmark: strip the /faces/ part and redirect permanently.
    url = url.replace("/faces/", "/");

    System.out.println("Redirecting to: " + url);
    // sendRedirect() always answers 302 and overrides an earlier setStatus(),
    // so set the 301 status and the Location header explicitly.
    sresponse.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
    sresponse.setHeader("Location", url);
} else {
    // No filtering required, proceed with the chain.
    chain.doFilter(request, response);
}

Now, when I clear the browser cache and call http://localhost/project/login.xhtml, I get a huge number of attempts to find XHTML files inside the various resource folders:

12:27:46,735 INFO [stdout] (http--0.0.0.0-8090-6) Filtering url: /project/resources/css/login.xhtml

12:27:46,737 INFO [stdout] (http--0.0.0.0-8090-6) Filtering url: /project/resources/css/login.xhtml

12:27:46,836 INFO [stdout] (http--0.0.0.0-8090-6) Filtering url: /project/resources/js/login.xhtml

12:27:46,837 INFO [stdout] (http--0.0.0.0-8090-1) Filtering url: /project/resources/js/login.xhtml

...

which is obviously wrong. Switching back to the prior layout, but keeping the redirect filter does not cause any invalid requests.


Solution

  • It's because requests on JSF resources (CSS/JS/image files) are also being blocked by Shiro and redirected to login.xhtml. Didn't you notice that all the CSS/JS/images on your login page have disappeared?

    You need to map the /javax.faces.resource/* requests to the anon user at the very top of the shiro.ini.

    /javax.faces.resource/** = anon
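
The answer's mapping placed in the question's shiro.ini, as an added example that is not part of the original question or answer. The `[main]` line is an assumption (the login page at /login.xhtml, taken from the URL in the question); the `[urls]` entries below the first one are the question's own.

```ini
# Added example (constructed), not the asker's actual file.
[main]
# Assumption: unauthenticated requests are sent to the login page from the question.
authc.loginUrl = /login.xhtml

[urls]
# Patterns are relative to the context root and the FIRST matching line wins,
# so the anonymous resource rule has to come before any authc rule.
# With the *.xhtml servlet mapping, JSF serves CSS/JS/images as
#   /javax.faces.resource/<name>.xhtml?ln=<library>
# and the login page needs them before anyone has authenticated.
/javax.faces.resource/** = anon

# /login.xhtml is not listed, so no filter chain applies to it and it stays
# reachable without a session.

# Protected areas, unchanged from the question.
/index.xhtml = authc
/pages/** = authc
/templates/** = authc
/resources/** = authc
```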