Java – Spring Security and JSF, Failed to find resource /j_spring_security_check.jsp

jakarta-eejavajsfspringspring-security

I am having a little trouble getting Spring Security and JSF to work together properly. I have created a basic login page that returns a "login" outcome when the Login button is clicked. However, I am getting a 404, "Failed to find resource /j_spring_security_check.jsp." For some reason, it is tacking a .jsp at the end of my specified in my faces-config. I was able to get this working by doing a code-side redirect in an action method (ie: context.redirect(root + "/j_spring_security_check?j_username=" + userName + "&j_password=" + password); ). I would really like to put the j_spring_security_check in my faces-config, though. My code is shown below:

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
 xmlns="http://java.sun.com/xml/ns/j2ee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
 <display-name>BBB_WEB</display-name>

 <context-param>
  <description>
   Comma-delimited list of context-relative resource paths
   under which the JSF implementation will look for application
   configuration resources, before loading a configuration
   resource named /WEB-INF/facesconfig.xml (if such a resource
   exists).
  </description>
  <param-name>javax.faces.CONFIG_FILES</param-name>
  <param-value></param-value>
 </context-param>

 <context-param>
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name> 
  <param-value>.jsp</param-value> 
 </context-param>

 <!-- <context-param>-->
 <!--        <param-name>facelets.LIBRARIES</param-name>-->
 <!--        <param-value>/WEB-INF/tomahawk.taglib.xml</param-value>-->
 <!--    </context-param>-->

 <context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
   classpath:applicationContext.xml
   classpath:applicationContext-security.xml
  </param-value>
 </context-param>

 <context-param>
  <description>
   The location where state information is saved. Valid values
   are 'server' (typically saved in HttpSession) and 'client'
   (typically saved as a hidden field in the form. Default is
   server.
  </description>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>server</param-value>
 </context-param>

 <context-param>
  <description>
   Number of Views to be stored in the session when Server-Side
   State Saving is being used. Default is 15.
  </description>
  <param-name>
   com.sun.faces.NUMBER_OF_VIEWS_IN_SESSION
  </param-name>
  <param-value>15</param-value>
 </context-param>

 <context-param>
  <description>
   If set to true while server-side state saving is being used,
   a serialized representation of the view is stored on the
   server. This allows for failover and sever clustering
   support. Default is false. This parameter is not available
   in JSF 1.0.
  </description>
  <param-name>com.sun.faces.enableHighAvailability</param-name>
  <param-value>false</param-value>
 </context-param>

 <context-param>
  <description>
   If set to true while client-side state saving is being used,
   reduces the number of bytes sent to the client by
   compressing the state before it is encoded and written as a
   hidden field. Default is false. This parameter is not
   available in JSF 1.0.
  </description>
  <param-name>com.sun.faces.COMPRESS_STATE</param-name>
  <param-value>false</param-value>
 </context-param>

 <listener>
  <listener-class>
   com.sun.faces.config.ConfigureListener
  </listener-class>
 </listener>

 <listener>
  <listener-class>
   org.springframework.web.context.ContextLoaderListener
  </listener-class>
 </listener>

 <listener>
  <listener-class>
   org.springframework.web.context.request.RequestContextListener
  </listener-class>
 </listener>

 <servlet>
  <servlet-name>Faces Servlet</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
 </servlet>

 <servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>*.jsf</url-pattern>
 </servlet-mapping>

 <filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>
 <filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>

 <listener>
     <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
 </listener>


 <welcome-file-list>
  <welcome-file>/jsp/public/login.jsf</welcome-file>
 </welcome-file-list>

</web-app>

faces-config

<?xml version="1.0"?>

<!DOCTYPE faces-config PUBLIC
  "-//Sun Microsystems, Inc.//DTD JavaServer Faces Config 1.0//EN"
  "http://java.sun.com/dtd/web-facesconfig_1_0.dtd">

<!-- =========== FULL CONFIGURATION FILE ================================== -->

<faces-config>
 <application>
  <variable-resolver>org.springframework.web.jsf.DelegatingVariableResolver</variable-resolver>
 </application>

 <navigation-rule>
  <from-view-id>/jsp/*</from-view-id>

  <!-- loginBean -->
  <navigation-case>
   <from-outcome>login</from-outcome>
   <to-view-id>/j_spring_security_check</to-view-id>
  </navigation-case>
  <navigation-case>
   <from-action>#{loginBean.newAccountAction}</from-action>
   <from-outcome>success</from-outcome>
   <to-view-id>/jsp/public/newAccount.jsp</to-view-id>
  </navigation-case>
 </navigation-rule>

</faces-config>

login.jsp

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- jsf:pagecode language="java" location="/src/pagecode/jsp/public1/Login.java" --%><%-- /jsf:pagecode --%>
<%@page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%@taglib uri="http://java.sun.com/jsf/core" prefix="f"%>
<%@taglib uri="http://java.sun.com/jsf/html" prefix="h"%>

<html>
<head>
 <title>Login</title>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <meta name="GENERATOR" content="Rational Application Developer">
</head>
<f:view>
 <body>
  <h:form id="login">
   <h:inputHidden id="sessionChecker" value="#{loginBean.sessionTrackerValue}" />

   <%@ include file="/jsp/public/header.jsp"%>

   <div id="content">
    <div id="headerImage">
     <h:graphicImage id="headerImage" url="#{headerBean.headerImageUrl}"/>
    </div>

    <div id="colMerge">
     <h2>
      <h:outputText id="contentTitleText" value="#{loginBean.pageTitle}"/>
     </h2>
     <h:panelGrid columns="1">

      <h:messages id="errorMsg"/>

        <h:panelGroup>
       <h:outputText value="Username " />
       <h:inputText id="j_username" value="#{loginBean.userName}" />
      </h:panelGroup>
      <h:panelGroup>
       <h:outputText value="Password " />
       <h:inputSecret id="j_password" value="#{loginBean.password}"/>
      </h:panelGroup>
      <h:commandButton  value="Login" action="login"/>
      <h:commandLink value="New Account" action="#{loginBean.newAccountAction}">
       <h:outputText id="newAccountLoginText" value="" />
      </h:commandLink>
     </h:panelGrid>  
    </div>
   </div>
  </h:form>
 </body>
</f:view>
</html>

applicationContext-security

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:security="http://www.springframework.org/schema/security"
 xsi:schemaLocation="http://www.springframework.org/schema/beans
                         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security
                         http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">


 <security:global-method-security secured-annotations="enabled" />

 <security:http auto-config="true" access-denied-page="/jsp/public/loginError.jsf">

  <security:intercept-url pattern="/jsp/public/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <security:intercept-url pattern="/jsp/player/**" access="ROLE_USER,ROLE_ADMIN" />
  <security:intercept-url pattern="/jsp/admin/**" access="ROLE_ADMIN" />

  <security:form-login
   login-page="/jsp/public/login.jsf"
   default-target-url="/jsp/player/myPicks.jsf"
   authentication-failure-url="/jsp/public/login.jsf" />
  <security:logout logout-url="/jsp/public/logout.jsf" logout-success-url="/jsp/public/login.jsf" />
 </security:http>

 <security:authentication-provider user-service-ref="userDetailsService">
 </security:authentication-provider>

    <bean id="userDetailsService" class="graz.bbb.service.UserDetailsServiceImpl">
        <constructor-arg ref="playerDao"/>
    </bean>


</beans>

Anyone have any ideas?

Best Answer

Are you running on Websphere? Are you getting this error?

Error 404: SRVE0190E: File not found: /j_spring_security_check

If so, you need to configure a Webcontainer custom property in your local server and set "com.ibm.ws.webcontainer.invokefilterscompatibility" to "true". I have the same problem running Spring Security 3.x in Websphere 6.1, and that fixed it.

By the way, I see that your error message is "Failed to find resource /j_spring_security_check.jsp.". You shouldn't have ".jsp" in that link, it should be just "/j_spring_security_check". Fix that, and it should work for you.

JSP (JavaServer Pages)

JSP is a Java view technology running on the server machine which allows you to write template text in client side languages (like HTML, CSS, JavaScript, ect.). JSP supports taglibs, which are backed by pieces of Java code that let you control the page flow or output dynamically. A well-known taglib is JSTL. JSP also supports Expression Language, which can be used to access backend data (via attributes available in the page, request, session and application scopes), mostly in combination with taglibs.

When a JSP is requested for the first time or when the web app starts up, the servlet container will compile it into a class extending HttpServlet and use it during the web app's lifetime. You can find the generated source code in the server's work directory. In for example Tomcat, it's the /work directory. On a JSP request, the servlet container will execute the compiled JSP class and send the generated output (usually just HTML/CSS/JS) through the web server over a network to the client side, which in turn displays it in the web browser.

Servlets

Servlet is a Java application programming interface (API) running on the server machine, which intercepts requests made by the client and generates/sends a response. A well-known example is the HttpServlet which provides methods to hook on HTTP requests using the popular HTTP methods such as GET and POST. You can configure HttpServlets to listen to a certain HTTP URL pattern, which is configurable in web.xml, or more recently with Java EE 6, with @WebServlet annotation.

When a Servlet is first requested or during web app startup, the servlet container will create an instance of it and keep it in memory during the web app's lifetime. The same instance will be reused for every incoming request whose URL matches the servlet's URL pattern. You can access the request data by HttpServletRequest and handle the response by HttpServletResponse. Both objects are available as method arguments inside any of the overridden methods of HttpServlet, such as doGet() and doPost().

JSF (JavaServer Faces)

JSF is a component based MVC framework which is built on top of the Servlet API and provides components via taglibs which can be used in JSP or any other Java based view technology such as Facelets. Facelets is much more suited to JSF than JSP. It namely provides great templating capabilities such as composite components, while JSP basically only offers the <jsp:include> for templating in JSF, so that you're forced to create custom components with raw Java code (which is a bit opaque and a lot of tedious work) when you want to replace a repeated group of components with a single component. Since JSF 2.0, JSP has been deprecated as view technology in favor of Facelets.

Note: JSP itself is NOT deprecated, just the combination of JSF with JSP is deprecated.

Note: JSP has great templating abilities by means of Taglibs, especially the (Tag File) variant. JSP templating in combination with JSF is what is lacking.

As being a MVC (Model-View-Controller) framework, JSF provides the FacesServlet as the sole request-response Controller. It takes all the standard and tedious HTTP request/response work from your hands, such as gathering user input, validating/converting them, putting them in model objects, invoking actions and rendering the response. This way you end up with basically a JSP or Facelets (XHTML) page for View and a JavaBean class as Model. The JSF components are used to bind the view with the model (such as your ASP.NET web control does) and the FacesServlet uses the JSF component tree to do all the work.

Best Answer

Related Solutions

Java – the difference between JSF, Servlet and JSP

JSP (JavaServer Pages)

Servlets

JSF (JavaServer Faces)

Related questions

Spring Security with Openid and Database Integration

Related Topic