CODEWITHSUNDEEP
javajboss
robin
robin

Reputation: 1925

Issue With JSecurity Check

I have my jboss-web.xml like below.

<jboss-web>
    <security-domain>java:/jaas/test</security-domain>
    <valve>
        <class-name>com.test.WebFormAuthenticator</class-name>
        <param>
            <param-name>landingPage</param-name>
            <param-value>/index.html</param-value>
        </param>
    </valve>
    <context-root>mycontext</context-root>
</jboss-web>

My web.xml have the below lines.

<login-config>
        <auth-method>FORM</auth-method>
        <realm-name>test</realm-name>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/loginError.html</form-error-page>
        </form-login-config>
    </login-config>
<security-constraint>
        <web-resource-collection>
            <web-resource-name>My Application</web-resource-name>
            <url-pattern>/rest/*</url-pattern>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>My Application</web-resource-name>
            <url-pattern>/bower_components/*</url-pattern>
            <url-pattern>/scripts/*</url-pattern>
        </web-resource-collection>
    </security-constraint>

When the login is successful instead of the index.html the url is changed to /src/assets/images/favicon.ico

the html code am using is like 

<form id="loginForm" method="POST" action="j_security_check">

Any idea why this is happening ?

Upvotes: 0

Views: 397

Answers (1)

Dainesch
Dainesch

Reputation: 1340

You have protected all resources on your application server. In this case it means the browser requests for example "index.jsp" and is redirected to the login page. The browser then also tries to request the favicon (have you specified it in your form login page?), but as it is protected too, again it is redirected to the login page (check with you browser debug tools).

You need to know that the form login module saves the last requested resource that is protected as redirect target after login. In this case the favicon request overwrites the request to "index.jsp" and so you are redirected to the favicon after login.

You need to exclude your static resources from the security constraint. Here is how to do it.

Sample on request:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>app</web-resource-name>
    <url-pattern>/src/assets/*</url-pattern>
  </web-resource-collection>
  <!-- OMIT auth-constraint -->
</security-constraint>

Upvotes: 2

Related Questions