Xavier Dury

Reputation: 1571

Combining PrettyFaces and PicketLink

When using PrettyFaces/Rewrite to rewrite URLs in a JSF application and PicketLink to secure it, PicketLink does not seem to use the rewriting rules.

For example, if I configure PicketLink with something like this:

builder
    .http()
        .allPaths()
            .authenticateWith()
                .form()
                    .loginPage("/common/login.xhtml")

And have a rewrite rule like this:

<url-mapping id="login">
    <pattern value="/login" />
    <view-id value="/common/login.xhtml" />
</url-mapping>

The user will be redirected to /common/login.xhtml instead of /login.

I know that I could use /login as loginPage in PicketLink but, until now, I have been able to use PrettyFaces/Rewrite in a totally transparent way for my application (I could remove it and everything would still be working... but with ugly URLs).

I noticed that the SecurityFilter from PicketLink seems to come before the RewriteFilter from PrettyFaces/Rewrite:

    at org.ocpsoft.rewrite.servlet.impl.HttpRewriteResultHandler.handleResult(HttpRewriteResultHandler.java:41)
    at org.ocpsoft.rewrite.servlet.RewriteFilter.rewrite(RewriteFilter.java:268)
    at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:188)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at org.picketlink.http.internal.SecurityFilter.processRequest(SecurityFilter.java:346)
    at org.picketlink.http.internal.SecurityFilter.performOutboundProcessing(SecurityFilter.java:237)
    at org.picketlink.http.internal.SecurityFilter.doFilter(SecurityFilter.java:196)

So, if PrettyFaces is wrapping the HttpServletResponse somehow to override the encodeRedirectUrl(), the SecurityFilter will not see this wrapped response as it comes before.

Is there a way to make the RewriteFilter come before the SecurityFilter?

I didn't declare those filters in my deployment descriptors; they are being automatically registered via a web-fragment.xml for PrettyFaces and via a @WebListener for PicketLink.

Upvotes: 1

Views: 114

Answers (1)

chkal

Reputation: 5668

You could try to add an absolute-ordering element to your web.xml to control the ordering. Something like:

<web-app>
    ...
    <absolute-ordering>
        <name>com_ocpsoft_rewrite</name>
        <others/>
    </absolute-ordering>
    ...
</web-app>

Upvotes: 1
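The ordering effect discussed in this thread, as an added example that is not part of the original question or answer and is not code from PrettyFaces/Rewrite or PicketLink. It is a simplified model with hypothetical `Response`, `Chain` and `Filter` interfaces, and it assumes, as the question does, that the login redirect is passed through `encodeRedirectURL()` on whatever response object the security filter receives.

```java
import java.util.List;
import java.util.Map;

// Simplified model of a servlet filter chain. These interfaces are hypothetical
// stand-ins, not the real Servlet, Rewrite or PicketLink APIs.
public class FilterOrderDemo {
    interface Response { String encodeRedirectURL(String url); }
    interface Chain { String proceed(Response res); }
    interface Filter { String doFilter(Response res, Chain next); }

    // Stand-in for a rewriting filter: wraps the response so that outbound
    // view ids are mapped to pretty URLs, then passes the wrapper downstream.
    static final Filter REWRITE = (res, next) -> {
        Map<String, String> outbound = Map.of("/common/login.xhtml", "/login");
        Response wrapped = url -> {
            String encoded = res.encodeRedirectURL(url);
            return outbound.getOrDefault(encoded, encoded);
        };
        return next.proceed(wrapped);
    };

    // Stand-in for a security filter handling an unauthenticated request:
    // it redirects to the configured login page and never calls the chain.
    static final Filter SECURITY = (res, next) ->
        "302 Location: " + res.encodeRedirectURL("/common/login.xhtml");

    // Runs the filters in list order, starting from a plain container
    // response that performs no rewriting.
    static String run(List<Filter> filters) {
        return invoke(filters, 0, url -> url);
    }

    static String invoke(List<Filter> filters, int i, Response res) {
        if (i == filters.size()) return "200 OK";
        return filters.get(i).doFilter(res, r -> invoke(filters, i + 1, r));
    }

    public static void main(String[] args) {
        // Security filter first: it only sees the unwrapped response.
        System.out.println(run(List.of(SECURITY, REWRITE)));
        // Rewrite filter first: the security filter receives the wrapper.
        System.out.println(run(List.of(REWRITE, SECURITY)));
    }
}
```

Only filters that run after the wrapping filter receive the wrapped response, which is why the first ordering redirects to the raw view id.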
