I have my jboss-web.xml like below.

<jboss-web>
    <security-domain>java:/jaas/test</security-domain>
    <valve>
        <class-name>com.test.WebFormAuthenticator</class-name>
        <param>
            <param-name>landingPage</param-name>
            <param-value>/index.html</param-value>
        </param>
    </valve>
    <context-root>mycontext</context-root>
</jboss-web>

My web.xml has the below lines.

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>test</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
</login-config>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>My Application</web-resource-name>
        <url-pattern>/rest/*</url-pattern>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>My Application</web-resource-name>
        <url-pattern>/bower_components/*</url-pattern>
        <url-pattern>/scripts/*</url-pattern>
    </web-resource-collection>
</security-constraint>

When the login is successful, instead of index.html the URL is changed to /src/assets/images/favicon.ico.

The HTML code I am using is like:

<form id="loginForm" method="POST" action="j_security_check">

Any idea why this is happening?

robin

1 Answer

You have protected all resources on your application server. In this case it means the browser requests, for example, "index.jsp" and is redirected to the login page. The browser then also tries to request the favicon (have you specified it in your form login page?), but as it is protected too, it is again redirected to the login page (check with your browser debug tools).

You need to know that the form login module saves the last requested resource that is protected as redirect target after login. In this case the favicon request overwrites the request to "index.jsp" and so you are redirected to the favicon after login.

You need to exclude your static resources from the security constraint. Here is how to do it.

Sample on request:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>app</web-resource-name>
    <url-pattern>/src/assets/*</url-pattern>
  </web-resource-collection>
  <!-- OMIT auth-constraint -->
</security-constraint>
Dainesch
  • How can I omit it? Can you please show what I should add to omit it? – robin Nov 17 '15 at 09:38
  • Added an example. But you are the only one that can know exactly which resources are requested by the login page / browser that need to be omitted. – Dainesch Nov 17 '15 at 09:47
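
To see which request paths a given set of constraints sends to the login page (and can therefore become the saved post-login target, as the answer describes), the following added example, which is not code from the question or the answer, resolves paths against a constructed web.xml fragment using the servlet best-match rule. The function names are hypothetical, and the model is simplified: it ignores http-method and transport-guarantee, and treats any auth-constraint as "login required".

```python
import xml.etree.ElementTree as ET

# Constructed fragment: the question's constraints plus the answer's exclusion.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/rest/*</url-pattern>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/bower_components/*</url-pattern>
      <url-pattern>/scripts/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/src/assets/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return [(url_pattern, has_auth_constraint)] for every security-constraint."""
    return [(p.text.strip(), sc.find("auth-constraint") is not None)
            for sc in ET.fromstring(xml_text).iter("security-constraint")
            for p in sc.iter("url-pattern")]

def rank(pattern, path):
    """Servlet mapping precedence: exact > longest prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def needs_login(path, constraints):
    """True if the best-matching pattern carries an auth-constraint."""
    ranked = [(rank(p, path), auth) for p, auth in constraints if rank(p, path)]
    best = max((r for r, _ in ranked), default=None)
    # Constraints on one pattern combine: any without auth-constraint opens it.
    return best is not None and all(auth for r, auth in ranked if r == best)

if __name__ == "__main__":
    for path in ("/index.html", "/src/assets/images/favicon.ico", "/scripts/app.js"):
        print(path, "-> login required:", needs_login(path, load_constraints(WEB_XML)))
```

Run it against your own web.xml with the paths your login page actually loads (take them from the browser's network tab); any static resource reported as requiring login needs an exclusion like the one in the answer.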