StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POServlet 3.0 odd declarative security behavior
primarykey
Id
11714071
data
AcceptedAnswerId
11728917
AnswerCount
1
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2012-07-30T00:11:17.190
FavoriteCount
0
LastActivityDate
2012-07-30T20:15:32.747
LastEditDate
2012-07-30T18:24:51.640
LastEditorUserId
984932
OwnerUserId
984932
ParentId
0
PostTypeId
1
Score
1
ViewCount
171
LastEditorDisplayName
text
Body
I have a security constraint declared in web.xml: <pre><code> <security-constraint> <web-resource-collection> <web-resource-name>LoggedIn</web-resource-name> <url-pattern>/screens/*</url-pattern> </web-resource-collection> <auth-constraint/> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> </code></pre> After logging in, when I make a GET request against the application I get the expected behavior e.g. <code>https://localhost:8443/Patrac/screens/user.xhtml</code> --> results in access denied. However, when I do a postback e.g. <code><rich:menuItem submitMode="ajax" label="User" action="/screens/user"/></code> I can view the screen. If I do a second identical postback, I get the access denied message. Each time I submit a postback the result alternates between displaying the screen and issuing a 403. The URL displayed in the browser alternates between the following: <code>https://localhost:8443/Patrac/screens/user.xhtml</code> --> browser URL when access denied <code>https://localhost:8443/Patrac/public/403.xhtml</code> --> browser URL when user screen is displayed I understand the way the displayed browser URL in JSF lags behind the screen that is currently displayed, so that's no mystery. But I don't understand how I'm able to view the screen every other time the same postback is submitted. Again, GET requests are always denied. EDIT : I did try post-redirect-get and that made the strange behavior go away, as expected. <pre><code><rich:menuItem submitMode="ajax" label="User" action="/screens/user?faces-redirect=true"/> </code></pre> However, I don't want to do PRG every time and besides PRG doesn't eliminate the security problem. What am I missing here? Thanks for any insights!
Tags
<jsf-2><servlet-3.0>
Title
Servlet 3.0 odd declarative security behavior
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USPatrick Garner
UserOwnerUserId
1. USPatrick Garner
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POServlet 3.0 odd declarative security behavior
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COSo at first you are accessing a resource in public directory and then doing a forward to screens and as expected it won't restrict that. But after that did you try to view the same view again I mean /public/ -> /screens/user.xhtml --> /screens/user.xhtml
 singulars
 PostPostId
 POServlet 3.0 odd declarative security behavior
 UserUserId
 USRavi
2. COIt doesn't seem to matter whether I first view a screen in /public or not. If I try to view any of the screens under /screens (e.g. /screens/xxxx.xhtml) via postback I get the alternating behavior described above (back and forth between showing the screen and then issuing a 403). When I submit a GET the alternating behavior goes away.
 singulars
 PostPostId
 POServlet 3.0 odd declarative security behavior
 UserUserId
 USPatrick Garner

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.