Servlet filter (autologin) precedence over declarative security checks

Short question. How is it possible to execute servlet filters before any declarative security check is performed?

Long question. For my web application I'm trying to manage all my security needs using server declarative security: I have set a security constraint on <url-pattern>/secure/*</url-pattern> with <auth-method>FORM</auth-method> and <form-login-page>/sign-in.xhtml</form-login-page>.

In order to provide a (cookie-based) "remember me" function, I have set a servlet filter which intercepts each request, checks if the user is not logged in, checks if he can be logged in automatically (via cookie), eventually logs him in using servlet based login.


Now, if the user opens his browser and connects to everything just works. But if the user opens his browser and makes a straight request to something like I observe the following behaviour:

  1. GET /secure/secret.xhtml
  2. the backing beans of log-in.xhtml are instantiated (FacesContext is available)
  3. the CustomLoginFilter.doFilter( ) gets called, (FacesContext is NULL)

This obviously hinders all the process. I cannot find any way to give precedence to my CustomLoginFilter over the server "declarative security filter" (or whatever); changing the web.xml order of declarations doesn't help too... any ideas? Thank you!


How is it possible to execute servlet filters before any declarative security check is performed?

That's not possible due to specification and security restrictions.

Your best bet is a hook on preRenderView event in the login page and use programmatic login by the new Servlet 3.0 HttpServletRequest#login() method.


<f:event type="preRenderView" listener="#{authenticator.checkAutoLogin}" />

with something like

public void checkAutoLogin() throws IOException {
    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    Cookie autoLogin = externalContext.getRequestCookieMap().get("autoLoginCookieName");

    if (autoLogin != null) {
        User user = decryptCookieValueAndExtractUser(autoLogin.getValue()); // Yes, it must be encrypted! Otherwise a too easy hack.

        if (user != null) {
            HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();

            try {
                request.login(user.getName(), user.getPassword());
                String originalRequestURI = externalContext.getRequestMap().get(RequestDispatcher.FORWARD_REQUEST_URI);
                externalContext.redirect(originalRequestURI != null ? originalRequestURI : "someDefaultIndex.xhtml");
            } catch (ServletException e) {
                // Login failed. It's up to you how to handle it.

Need Your Help

Adding an Event Handler to a Newly Created Window using C++

c++ windows event-handling winapi

How do I add an event-handler to a newly created window using C++?

Komodo Edit 8.5 tab settings

php komodo komodoedit

I use Komodo Edit 8.5 and I have problems with tabs. When I press tab key it jumps 8 characters instead of 4 which I use in preferences (Edit – Preferences - Indentation).

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.