I have a problem applying css to the web pages, using spring security (3.0.7 version). I have the following config:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/faces/resources/**" filters="none"/>
<intercept-url pattern="/faces/inicio.xhtml" access="permitAll"/>
<intercept-url pattern="/faces/paginas/autenticacion/login.xhtml*" access="permitAll"/>
<intercept-url pattern="/faces/paginas/administracion/**" access="isAuthenticated()"/>
<intercept-url pattern="/faces/paginas/barco/**" access="isAuthenticated()"/>
<intercept-url pattern="/faces/paginas/catalogo/**" access="permitAll"/>
<intercept-url pattern="/faces/paginas/error/**" access="permitAll"/>
<intercept-url pattern="/faces/paginas/plantillas/**" access="permitAll"/>
<intercept-url pattern="/**" access="denyAll" />
By default, I deny access to the whole pages. Then, I apply authorization to the concrete pages specifying their URLs patterns, and they apply first in the given order, being the denyAll rule the last one.
- "inicio.xhtml" is the homepage.
- "login.xhtml" is the login form.
- "administracion" and "barco" directories contain pages that should be accessed just by authenticated users.
- "catalogo" directory contains pages that should be accessed by everyone.
- "error" directory contains the error pages of the app.
- "plantillas" directory contains the template facelets pages of the app (I use JSF2).
The "resources" directory contain images, css files, and javascript. So in the first line I tell spring security not to use the security filter for it.
However, with this configuration, when I run the app, css styles are not applied to pages!!
I've checked that if I turn the default authorization to "permitAll", it works. But I don't want to do that, beacuse it isn't a good practice.
Any idea why not working? I think it should work.
