Servlet filter (autologin) precedence over declarative security checks

Short question. How is it possible to execute servlet filters before any declarative security check is performed?

Long question. For my web application I'm trying to manage all my security needs using server declarative security: I have set a security constraint on <url-pattern>/secure/*</url-pattern> with <auth-method>FORM</auth-method> and <form-login-page>/sign-in.xhtml</form-login-page>.

In order to provide a (cookie-based) "remember me" function, I have set a servlet filter which intercepts each request, checks if the user is not logged in, checks if he can be logged in automatically (via cookie), eventually logs him in using servlet based login.


Now, if the user opens his browser and connects to everything just works. But if the user opens his browser and makes a straight request to something like I observe the following behaviour:

  1. GET /secure/secret.xhtml
  2. the backing beans of log-in.xhtml are instantiated (FacesContext is available)
  3. the CustomLoginFilter.doFilter( ) gets called, (FacesContext is NULL)

This obviously hinders all the process. I cannot find any way to give precedence to my CustomLoginFilter over the server "declarative security filter" (or whatever); changing the web.xml order of declarations doesn't help too... any ideas? Thank you!


How is it possible to execute servlet filters before any declarative security check is performed?

That's not possible due to specification and security restrictions.

Your best bet is a hook on preRenderView event in the login page and use programmatic login by the new Servlet 3.0 HttpServletRequest#login() method.


<f:event type="preRenderView" listener="#{authenticator.checkAutoLogin}" />

with something like

public void checkAutoLogin() throws IOException {
    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    Cookie autoLogin = externalContext.getRequestCookieMap().get("autoLoginCookieName");

    if (autoLogin != null) {
        User user = decryptCookieValueAndExtractUser(autoLogin.getValue()); // Yes, it must be encrypted! Otherwise a too easy hack.

        if (user != null) {
            HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();

            try {
                request.login(user.getName(), user.getPassword());
                String originalRequestURI = externalContext.getRequestMap().get(RequestDispatcher.FORWARD_REQUEST_URI);
                externalContext.redirect(originalRequestURI != null ? originalRequestURI : "someDefaultIndex.xhtml");
            } catch (ServletException e) {
                // Login failed. It's up to you how to handle it.

Need Your Help

Why does this throw a null reference exception?

c# nullreferenceexception conditional-operator

This will throw a null reference exception when InnerException is null.

Items without group in LongListSelector

windows-phone-7 data-binding longlistselector

I want to add items through binding to LongListSelector.These items are not supposed to be in a group and they should be on the top of the list. Other items are in groups. Is any way to do it?