smagrath

Reputation: 281

JSF and Container Managed Security

I have a JSF login page that works very well when users navigate to it directly.

However, if users attempt to access a protected page without having logged on first, the container correctly intercepts this and throws them to the logon page. However, because the logon page is JSF there is a problem. What is sent to the user is the raw JSF page, completely unprocessed by FacesServlet.

Snippet Example - sent to browser after accessing a protected page without having logged on:

<ui:define name="body">
    <p:growl id="growl" showDetail="true" sticky="true"  /> 
    <div class="mytext">Please login to the application...</div>

    <form method="POST" action="j_security_check">
        <table cellpadding="0" cellspacing="0" border="0">
            <tr>
                <td align="right">Username:&nbsp;</td>
                <td>
                    <input type="text" name="j_username"/>
                </td>
            </tr>
            <tr>
                <td align="right">Password:&nbsp;</td>
                <td>
                    <input type="password" name="j_password"/>
                </td>
            </tr>
            <tr>
                <td></td>
                <td>
                    <input type="submit" value="Login"/>
                </td>
            </tr>
        </table>
    </form>
</ui:define>

Is there a way to force the container to render a response through the FacesServlet processor rather than simply returning the raw JSF file?

Upvotes: 2

Views: 529

Answers (1)

BalusC

Reputation: 1108802

Either change the URL of the <form-login-page> to match the URL pattern of the FacesServlet, or, better, change the URL pattern of the FacesServlet to *.xhtml so that end users can never see the raw JSF source code of any page by purposefully changing the URL in the browser address bar.

Upvotes: 4
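
The check below is an added example, not part of the answer above or of any project's code: it reads a web.xml and reports every FORM login or error page whose URL no FacesServlet mapping covers, which is the condition that makes the container return the raw Facelets source. The descriptor, the file names and the `*.jsf` starting mapping are constructed assumptions.

```python
import xml.etree.ElementTree as ET
FACES_SERVLET = "javax.faces.webapp.FacesServlet"

def _matches(pattern, path):
    # Servlet-spec URL pattern match: extension, path prefix, or exact.
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def unprocessed_login_pages(web_xml):
    """Return FORM login/error pages that no FacesServlet mapping covers."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop XML namespaces
        el.tag = el.tag.rsplit("}", 1)[-1]
    faces = {s.findtext("servlet-name") for s in root.iter("servlet")
             if (s.findtext("servlet-class") or "").strip() == FACES_SERVLET}
    patterns = [p.text.strip() for m in root.iter("servlet-mapping")
                if m.findtext("servlet-name") in faces
                for p in m.iter("url-pattern")]
    pages = {e.text.strip() for tag in ("form-login-page", "form-error-page")
             for e in root.iter(tag)}
    return sorted(p for p in pages
                  if not any(_matches(pat, p) for pat in patterns))

# Constructed sample descriptor; names and the *.jsf mapping are assumptions.
TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>{mapping}</url-pattern>
  </servlet-mapping>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>{login}</form-login-page>
      <form-error-page>{login}</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

if __name__ == "__main__":
    for mapping, login in [("*.jsf", "/login.xhtml"), ("*.jsf", "/login.jsf"),
                           ("*.xhtml", "/login.xhtml")]:
        web_xml = TEMPLATE.format(mapping=mapping, login=login)
        print(mapping, login, unprocessed_login_pages(web_xml))
```

The first case reproduces the question's symptom; the second and third correspond to the two options in the answer and report nothing.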
