
I have recently upgraded a web application from JSF 1.2 to JSF 2.2 as well as RF 3.3.3 to RF 4.5.7. I'm currently experiencing console errors when loading the first login.html page. This only happens when either the page is first loaded or when I refresh (F5 or shift F5). When I log in and log out again I don't receive these errors! The URL is exactly the same, e.g. host:port/xxx/login.html

This issue only occurs on this page. I'm using Spring (3.1.0) for the login although not sure if the issue is related. Security config in applicationContext.xml is:

<sec:http auto-config='true' pattern="/login.html*" security="none"/>
<sec:http pattern="/a4j/**" security="none"/>
<sec:http pattern="/css/**" security="none"/>
<sec:http pattern="/img/**" security="none"/>
<sec:http realm="Name goes here">
    <sec:form-login login-processing-url="/j_spring_security_check"
                    login-page="/login.html"
                    authentication-failure-url="/login.html?fail"
                    default-target-url="/main.html"
                    always-use-default-target="true"/>
    <sec:logout logout-url="/logout.html"/>
    <sec:intercept-url pattern="/**" access="ROLE_USER"/>
</sec:http>

and in login.xhtml:

<form id="frm-login" action="j_spring_security_check" method="post">
    <label class="above">Username<h:inputText id="j_username" /></label>
    <rich:jQuery selector="#j_username" query="focus()"/><br/>
    <label class="above">Password<h:inputSecret id="j_password" /></label><br/>
    <h:commandButton id="submit" name="submit" type="submit" value="Login">
    </h:commandButton>
</form>

Before the upgrade this was fine. Using Firebug I have compared the generated HTML between the times where I see console errors and times I don't.

Bad Generated HTML when throwing console errors

Console errors

Good Generated HTML when working fine

I believe I have applied all necessary updates such as removing old jar files (including removal of redundant Facelets 1.1.14, view handler references), updating RF code, XHTML page code and namespaces as well as web.xml and faces-config.xml updates.

One thing I do know is that when I comment out the following config I do not receive the error. So somehow this is interfering with the loading of resources on this page.

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
</filter-mapping>

Any ideas how to resolve this? Apologies in advance if I have missed some vital information required in helping resolve this.

UPDATE 1: Images taken when loading page using Network tab on Google Chrome:

Bad: [image]

Good: [image]

UPDATE 2:

Good: [image] [image]

Bad: [image]

user1746582
  • So the web browser obtained an XML (or perhaps just HTML with an inappropriate XML prolog) document instead of a JS file when it tries to download those individual JS files? At least, this is what those console errors suggest. Now please tab back to the "Network" tab and inspect the HTTP response. What does it look like? Is it the login page? Or is it some custom error page? – BalusC Aug 03 '15 at 12:32
  • Hi BalusC, thanks for your response. I've updated my post with network results. If there is any other info I can provide let me know. Or anything else to try. Appreciate the help. – user1746582 Aug 03 '15 at 20:42
  • What does the response body contain? Anyway, they have the same file size as the login page itself, which thus only confirms more that the server actually returned a login page when the browser requested those script and style resources. This in turn indicates that Spring Security is configured so restrictively that it also blocks access to those resources. – BalusC Aug 03 '15 at 20:50
  • I've updated my post with response information. Could it be working when I log out because it is obtaining the response from the cache as indicated in new pics above? And not working due to Spring security blocking access to those resources from the server? – user1746582 Aug 03 '15 at 23:30
  • @BalusC, ok think I've found it. When I comment this out it works: So it looks like I need to remove this entry from applicationContext.xml and configure security for each individual HTTP pattern. I will try this and report back. – user1746582 Aug 04 '15 at 00:40

1 Answer


Ok I found it (with some helpful pointers from BalusC). After the upgrade I had to update the security config in applicationContext.xml as follows:

<sec:http auto-config='true' pattern="/login.html*" security="none"/>
<sec:http pattern="/a4j/**" security="none"/>
<sec:http pattern="/css/**" security="none"/>
<sec:http pattern="/img/**" security="none"/>
<sec:http realm="name goes here">
    <sec:form-login login-processing-url="/j_spring_security_check"
                    login-page="/login.html"
                    authentication-failure-url="/login.html?fail"
                    default-target-url="/main.html"
                    always-use-default-target="true"/>
    <sec:logout logout-url="/logout.html"/>
    <sec:intercept-url pattern="/login.html*" access="ROLE_USER"/>
    <sec:intercept-url pattern="/a4j/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <sec:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <sec:intercept-url pattern="/img/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</sec:http>

The root cause of my issue above was having the following entry in applicationContext.xml:

<sec:intercept-url pattern="/**" access="ROLE_USER"/>

user1746582
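
An added example, not part of the original answer and not Spring Security's own code: a small Python model of how the two rule sets on this page are evaluated (the security="none" chains first, then the first matching intercept-url), run over constructed sample URLs to show which requests end up with which access requirement. The `/javax.faces.resource/` path (the standard JSF 2 resource prefix), the sample URLs and the `VARIANT` rule set are assumptions, not taken from the page.

```python
import re

def ant_to_regex(pattern):
    """Translate the Ant-style subset used in these rules: '**', '*' and '?'."""
    # A trailing /** also matches the bare directory (e.g. /a4j/** matches /a4j).
    body, tail = (pattern[:-3], "(/.*)?") if pattern.endswith("/**") else (pattern, "")
    parts = [{"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok))
             for tok in re.findall(r"\*\*|\*|\?|[^*?]+", body)]
    return re.compile("".join(parts) + tail + r"\Z")

def decide(config, url):
    """Return 'none' for a security="none" chain, else the access attribute of
    the first matching intercept-url, else 'unmatched'."""
    path = url.split("?", 1)[0]            # the query string is not part of the match
    for pattern in config["unsecured"]:
        if ant_to_regex(pattern).match(path):
            return "none"
    for pattern, access in config["intercept"]:
        if ant_to_regex(pattern).match(path):
            return access
    return "unmatched"                     # no intercept-url applies: no access requirement

def audit(config, urls):
    """Map every URL to the decision the rule set would reach for it."""
    return {url: decide(config, url) for url in urls}

UNSECURED = ["/login.html*", "/a4j/**", "/css/**", "/img/**"]   # from the page
ANON = "IS_AUTHENTICATED_ANONYMOUSLY"
QUESTION = {"unsecured": UNSECURED, "intercept": [("/**", "ROLE_USER")]}
ANSWER = {"unsecured": UNSECURED, "intercept": [
    ("/login.html*", "ROLE_USER"), ("/a4j/**", ANON),
    ("/css/**", ANON), ("/img/**", ANON)]}
# Assumed variant, not from the page: keep the catch-all and exempt the
# JSF 2 resource prefix instead of removing the catch-all.
VARIANT = {"unsecured": UNSECURED + ["/javax.faces.resource/**"],
           "intercept": [("/**", "ROLE_USER")]}

# Constructed sample requests.
RESOURCE = "/javax.faces.resource/jsf.js.html?ln=javax.faces"
SAMPLE_URLS = ["/login.html?fail", RESOURCE, "/css/site.css", "/main.html"]

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("answer", ANSWER), ("variant", VARIANT)):
        for url, decision in audit(cfg, SAMPLE_URLS).items():
            print(f"{name:9} {decision:30} {url}")
```

In this model the question's rule set sends the resource request to the `ROLE_USER` rule, while the answer's rule set leaves both the resource request and `/main.html` unmatched.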