1

I have created a servlet filter to handle session timeout and authentication.

@WebFilter(urlPatterns={"/acc/*"})
public class ResourceAuthorizationFilter implements Filter { ... }

The pages that I want to filter have a pattern like this: /acc/login-flow, /acc/profiles-flow. The filter gets called also for resources(css, js and images). How can I configure the urlPatterns to exclude from filtering these resources?

EDIT1
Here are some urls that are filtered:

http://localhost:8081/acme-0.0.1/acc/login-flow
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/theme.css
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/jquery/jquery.js
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/primefaces.js
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/ajax.gif
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/login.png
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/header.png
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/images/ui-bg_flat_75_ffffff_40x100.png
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/images/default.png
http://localhost:8081/acme-0.0.1/acc/javax.faces.resource/images/ui-icons_888888_256x240.png

I have some custom css/js files under webapp/resources folder, but these ones are not from there.

The acc part comes from:

<servlet-mapping>
    <servlet-name>Spring MVC Servlet</servlet-name>
    <url-pattern>/acc/*</url-pattern>
</servlet-mapping>

EDIT2
These code samples come from a project that is implemented with JSF 2.0, PrimeFaces 3.4.1, Spring 3.0.5.RELEASE, Spring Security 3.0.3.RELEASE and Spring Web Flow 2.3.0.RELEASE.

Seitaridis
  • 4,459
  • 9
  • 53
  • 85
  • In future JSF questions, please don't forget to mention that you're using Spring as well. This can then be taken into account by the potential answerers. – BalusC Oct 18 '12 at 14:32

2 Answers2

2

Just move resources to a different folder outside /acc. They're by default supposed to be in /resources folder anyway so that you can use <h:outputScript>, <h:outputStylesheet> and <h:graphicImage> the right way.

If you can't fix that for some reason, then you'd really need to check the request URI in the doFilter() implementation. There's namely no way to exclude sub-patterns in an URL pattern.

String path = request.getRequestURI().substring(request.getContextPath().length());

if (path.startsWith("/acc" + ResourceHandler.RESOURCE_IDENTIFIER)) {
    chain.doFilter(request, response);
} else {
    // ...
}

Update: as per your question update, you're using Spring MVC for some unclear reason. It's also processing all JSF resource requests. You should tell it to not do that. I can't tell from top of head how to do that, but it's at least something with <mvc:resources>.

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
  • I use a implementation similar to this: http://stackoverflow.com/questions/8658949/in-a-web-xml-url-pattern-matcher-is-there-a-way-to-exclude-urls. I thought that `urlPatterns` can accept regex expression, but haven't found an example to confirm this. – Seitaridis Oct 18 '12 at 14:19
  • No, they definitely don't use regexps. It's a pure wildcard prefix/suffix matching. See also http://stackoverflow.com/questions/3466897/filter-mapping-url-pattern-that-excludes-subdirectories/3469738#3469738 By the way, after re-reading your question, I wonder how `/javax.faces.resource/*` requests (as stated in your title, but not in your question) would ever hit a filter mapped on `/acc/*`. Didn't you obfuscate/change something too much while preparing the question? – BalusC Oct 18 '12 at 14:22
  • Oh, as per your edit you're using Spring MVC. That explains everything. It's messing up JSF resource URLs. You'd need to add some XML entry to Spring MVC configuration instead to skip `/javax.faces.resource` from being handled by Spring MVC controller servlet. I can't tell the exact XML entry from top of head, but if you search carefully, you'll find it. – BalusC Oct 18 '12 at 14:24
  • I will search to see if url patterns can be set from one of the Spring configuration files. Thank you for your support. – Seitaridis Oct 18 '12 at 14:50
1

If you are already using Spring Security in your project. It is easy to register your custom session management filter in the security context and then you can easily exclude the pattern adding a new intercept-url element like this:

<intercept-url pattern="/javax.faces.resource/**" filters="none"/>

Refer to namespace config documentation.

If set to "none" then the path is removed from having any filters applied.

See also:

Community
  • 1
  • 1
Ravi Kadaboina
  • 8,494
  • 3
  • 30
  • 42