I believe implementing security for a JSF application through <login-config> + <security-constraint> + <security-role> & through use of <filter> are two different ways!? Are they?
I tried implementing security through the first method above (using <login-config> + <security-constraint> + <security-role>) but found that my protected webpage that was using both protected & unprotected HTML components was delivered with unprotected resources even to the unauthenticated users.
I need to protect the URLs completely so that the protected URLs don't even leak any part of that webpage to the unauthenticated users. How do I go about that?
And, is security implementation using <filter> in web.xml a self-managed way to deal with security? I believe you can then customize security more fine-grained as you are filtering/catching each & every request?
They are indeed two distinct ways. The <security-constraint> is part of container managed authentication (CMS). The Filter is part of homegrown authentication.
To restrict access to certain resources with CMS, you just have to set its <url-pattern>:
The above example puts the constraint on all URLs matching /app/* and allows access to users with someRoleName only.
To restrict access to certain resources with a Filter, you have to set its <url-pattern> as well:
You only have to define roles elsewhere, perhaps as an <init-param> of the filter.
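Added example, not part of the original answer: one way a homegrown filter mapped on /app/* can read its roles from an <init-param> and reject the request before any part of the protected page is rendered. The class name AuthFilter, the init-param name allowedRoles, the session attribute userRole, the login path /login.xhtml and the javax.servlet (Servlet 3.x/4.x) API are assumptions made for the illustration.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Assumed web.xml mapping (filter name, class and param values are hypothetical):
 *   <filter>
 *     <filter-name>authFilter</filter-name>
 *     <filter-class>AuthFilter</filter-class>
 *     <init-param><param-name>allowedRoles</param-name><param-value>someRoleName</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>authFilter</filter-name>
 *     <url-pattern>/app/*</url-pattern>
 *   </filter-mapping>
 */
public class AuthFilter implements Filter {
    private final Set<String> allowedRoles = new HashSet<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedRoles");
        if (param == null || param.trim().isEmpty()) {
            // Fail closed: refuse to start rather than run with no role list.
            throw new ServletException("allowedRoles init-param is required");
        }
        for (String role : param.split(",")) allowedRoles.add(role.trim());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // no new session for anonymous users
        Object role = (session != null) ? session.getAttribute("userRole") : null;
        if (role == null) {             // not logged in: nothing of the page is written
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
            return;
        }
        if (!allowedRoles.contains(role.toString())) {  // logged in, wrong role
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Keep protected pages out of browser and proxy caches after logout.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        chain.doFilter(req, res);       // only authorized requests reach the JSF page
    }

    @Override
    public void destroy() { }
}
```

The login page and any resources it needs must sit outside /app/*, otherwise the redirect loops back into the filter.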