1

Currently I want to refactor my project and remove the /faces/ from the URLs. The reason is simple: I want to avoid that users can "remove" the faces part and see the source of the underlying xhtml file.

I'm using Shiro for authentication. I'll first describe the prior situation (that worked) and then the new one, which is causing trouble.

Prior Situation:

web.xml:

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>

shiro.ini

[urls]
/faces/index.xhtml = authc
/faces/pages/** = authc
/faces/templates/** = authc
/faces/resources/** = authc

Current Situation:

web.xml:

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

shiro.ini

[urls]
/index.xhtml = authc
/pages/** = authc
/templates/** = authc
/resources/** = authc

For people that might still have "faces" bookmarks, I added a filter that does this:

// Redirect filter for legacy /faces/ bookmarks (the doFilter body posted in the question,
// shown here wrapped in a complete Filter with its imports)
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FacesRedirectFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest srequest = (HttpServletRequest) request;
        HttpServletResponse sresponse = (HttpServletResponse) response;

        String url = srequest.getRequestURI().trim();
        System.out.println("Filtering url: " + url);

        if (url.contains("/faces/")) {
            url = url.replace("/faces/", "/");
            System.out.println("Redirecting to: " + url);
            // sendRedirect() always answers 302 and overrides a previously set status;
            // a real permanent redirect needs the 301 status plus the Location header.
            sresponse.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            sresponse.setHeader("Location", url);
        } else {
            // no filtering required, proceed with chain.
            chain.doFilter(request, response);
        }
    }
}

Now, when I cleared the browser cache and called http://localhost/project/login.xhtml, I received a huge number of attempts to find xhtml files inside the various resource folders:

12:27:46,735 INFO [stdout] (http--0.0.0.0-8090-6) Filtering url: /project/resources/css/login.xhtml
12:27:46,737 INFO [stdout] (http--0.0.0.0-8090-6) Filtering url: /project/resources/css/login.xhtml
12:27:46,836 INFO [stdout] (http--0.0.0.0-8090-6) Filtering url: /project/resources/js/login.xhtml
12:27:46,837 INFO [stdout] (http--0.0.0.0-8090-1) Filtering url: /project/resources/js/login.xhtml
...

which is obviously wrong. Switching back to the prior layout, but keeping the redirect filter, does not cause any invalid requests.

BalusC
dognose

2 Answers

3

It's because requests on JSF resources (CSS/JS/image files) are also being blocked by Shiro and redirected to login.xhtml. Didn't you notice that all the CSS/JS/images on your login page have disappeared?

You need to map the /javax.faces.resource/* requests to the anon user at the very top of the shiro.ini.

/javax.faces.resource/** = anon
BalusC
0

I found the solution:

In shiro.ini I also changed authc.loginUrl = /faces/login.xhtml to authc.loginUrl = login.xhtml.

Combined with the rule /resources/** = authc, this now caused an infinite loop of trying to access a resource and redirecting to a login.xhtml inside THAT resource folder.

1.) I now changed the loginUrl to authc.loginUrl = /login.xhtml.

2.) I noticed that securing resources this way no longer makes sense, since I want to access style sheets and such without login, too. (It worked with the prior version because resources weren't accessed using the /faces/ path, so Shiro didn't protect them anyway.)

dognose
    Wait, you're thus using ` – BalusC May 21 '13 at 10:57
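The two answers together amount to one corrected shiro.ini. The following is an added example, not configuration from the question or from either answerer; the path names are taken from the question's layout, and the anon rule for /login.xhtml is a conventional addition so the login page itself is never redirected to itself. Shiro evaluates the [urls] section in order and applies the first pattern that matches, which is why the resource rule has to come before any authc rule:

```ini
[main]
# Absolute, context-relative login URL. The relative value "login.xhtml" was resolved
# against whichever folder the browser was requesting, which produced redirects such as
# /resources/css/login.xhtml and the loop seen in the question's log.
authc.loginUrl = /login.xhtml

[urls]
# JSF serves CSS/JS/images through this resource handler. It must be anon and must be the
# first entry: Shiro stops at the first matching pattern.
/javax.faces.resource/** = anon
# Static files under /resources are public as well (see the second answer); protecting
# them with authc only redirected every stylesheet request to the login page.
/resources/** = anon
# The login page itself must be reachable without a session.
/login.xhtml = anon
# Everything else stays protected, as in the question.
/index.xhtml = authc
/pages/** = authc
/templates/** = authc
```

With this ordering a request for /project/resources/css/style.css matches the anon rule and is served directly, while /project/pages/secret.xhtml matches authc and, without a session, is redirected to the absolute /login.xhtml rather than to a login.xhtml relative to the requested folder.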