Can Spring security be made to work for JSF navigations?

Question

My problem is very similar to this existing SO post:
JSF - Spring Security Integration issue

Ravi's response regarding disabling once-per-request and specifying FORWARD to "get it to work" is echo'd other places on the web, namely:
http://www.coderanch.com/t/61490/oa/Spring-security-intercept-url
and long ago:
http://forum.springsource.org/showthread.php?11025-lt-jsp-forward-gt-bypasses-Acegi

However, I'm just not able to get this to work. I've done both the items Ravi's response suggests:

1) put once-per-request in spring's config:

<http auto-config="true" use-expressions="true" once-per-request="false">
   <intercept-url pattern="/partners/**" access="ROLE_PARTNER" />
.
.
.
</http>

2) include FORWARD:

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>

In my case, I've got a command link into the partners section of my application that works (but shouldn't). It is true that every link after this first one and any searches posted do NOT work. But the initial navigation into /parterns/** does work, and I don't think it should.

<p:menuitem>
  <h:commandLink ajax="false" action="/partners/search/partnerSearch"
                 styleClass="ui-menuitem-link
                 ui-corner-all">
                 <h:outputText value="Partners"/>
  </h:commandLink>
</p:menuitem>

I'm assuming this means that JSF doesn't actually use a request dispatcher forward to "forward" to the navigation outcome (and thus, Spring never gets a chance to re-evaluate the security). I've tried placing breakpoints and looking for myself, but it's slightly beyond my understanding what I'm seeing.

I'm aware that I can use a redirect (but like the first SO post I linked to, don't want to do this). I'm also aware that I can put <sec:ifAnyGranted roles="ROLE_PARTNER"> around the menu item to prevent the click in the first place.

I'm actually just curious as to why this doesn't work at all, when a few sources seem to indicate it should.

My experience of it not working, is echo'd at least one other place:
http://forum.springsource.org/showthread.php?82900-FilterSecurityInterceptor-not-being-called-for-a-JSF-forward

My stuff is:

<spring.version>3.1.3.RELEASE</spring.version>
<jsf.version>2.1.23</jsf.version> (mojarra)
<primeFaces.version>3.5.9</primeFaces.version>

Hey, one more reason why navigation using POST is a bad practice. — BalusC, Jul 24 '13 at 22:01
fair enough, but any ideas as to why it won't work as desired? — MikeCWpg, Jul 24 '13 at 22:13

Can Spring security be made to work for JSF navigations?

0 Answers0