Develop Reference

Http Session is Null in AuthenticatedWebSession Wicket And Spring Security

Environment:
<wicket.version>7.7.0</wicket.version>
<spring.version>4.3.8.RELEASE</spring.version>
<springsecurity.version>4.2.3.RELEASE</springsecurity.version>
I have custom class from AuthenticatedWebSession like:
public class WicketSession extends AuthenticatedWebSession {
private static final Logger log = LoggerFactory.getLogger(WicketSession.class);
private static final long serialVersionUID = 1L;
private final HttpSession httpSession;
#SpringBean(name = "authenticationManager")
private AuthenticationManager authenticationManager;
public WicketSession(Request request) {
super(request);
this.httpSession = ((HttpServletRequest) request.getContainerRequest()).getSession();
log.debug("Got httpSession: {}", this.httpSession);
Injector.get().inject(this);
}
#Override
public boolean authenticate(String username, String password) {
try {
final Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
log.debug("Username '{}' is {} auth with authorities: {}",
username, auth.isAuthenticated(), auth.getAuthorities());
if (auth.isAuthenticated()) {
// the authentication object has to be stored in the SecurityContextHolder and in the HttpSession manually, so that the
// security context will be accessible in the next request
SecurityContextHolder.getContext().setAuthentication(auth);
httpSession.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
SecurityContextHolder.getContext());
return true;
} else {
return false;
}
} catch (AuthenticationException e) {
log.warn("Failed login attempt due to exception!", e);
return false;
}
}
}
Spring Security Config like:
#Configuration
#EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
public SpringSecurityConfig() {
super(false);
}
#Override
#Bean
public UserDetailsService userDetailsService() {
final InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("admin").password("admin").roles("ADMIN").build());
manager.createUser(User.withUsername("rudi").password("rudi").roles("USER").build());
return manager;
}
#Bean(name = "authenticationManager")
#Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/").permitAll()
.antMatchers("/user/**").authenticated()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/**").permitAll()
.and().formLogin().loginPage("/login")
.and().addFilter(new SecurityContextPersistenceFilter()).securityContext();
}
}
Spring Application Config like:
#PropertySource({"classpath:/META-INF/rcommerce.properties"})
#Configuration
#EnableWebMvc
#EnableTransactionManagement
#Import({
SpringSecurityConfig.class})
public class AppConfig {
#Bean
public AuthenticatedWebApplication webApp() {
return new WicketApplication();
}
}
custom class from AbstractSecurityWebApplicationInitializer like:
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
public SecurityWebApplicationInitializer() {
super(SpringSecurityConfig.class);
}
}
web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>rcommerce</display-name>
<!-- WICKET FILTER-->
<filter>
<filter-name>wicket.rcommerce</filter-name>
<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
<init-param>
<param-name>applicationFactoryClassName</param-name>
<param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>
</init-param>
<init-param>
<param-name>applicationBean</param-name>
<param-value>webApp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>wicket.rcommerce</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- MDC FILTER -->
<filter>
<description>A servlet filter that inserts various values retrieved from the incoming http request into the MDC.</description>
<filter-name>MDCInsertingServletFilter</filter-name>
<filter-class>ch.qos.logback.classic.helpers.MDCInsertingServletFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>MDCInsertingServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>MoreMdcServletFilter</filter-name>
<filter-class>com.rudiwijaya.rcommerce.servlet.MoreMdcServletFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>MoreMdcServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- SPRING REST SERVLET-->
<servlet>
<servlet-name>spring-web</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextClass</param-name>
<param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</init-param>
<!-- <init-param> -->
<!-- use just the root WebApplicationContext -->
<!-- <param-name>contextConfigLocation</param-name> -->
<!-- <param-value>org.soluvas.sanad.app.ServletConfig</param-value> -->
<!-- <param-value></param-value> -->
<!-- </init-param> -->
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring-web</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<!-- SPRING REST FILTER-->
<filter>
<filter-name>httpPutFormFilter</filter-name>
<filter-class>org.springframework.web.filter.HttpPutFormContentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>httpPutFormFilter</filter-name>
<servlet-name>spring-web</servlet-name>
</filter-mapping>
<!-- The SpringWebApplicationFactory will need access to a Spring Application
context, configured like this... -->
<!-- SPRING CONFIG -->
<context-param>
<param-name>contextClass</param-name>
<param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>com.rudiwijaya.rcommerce.AppConfig</param-value>
</context-param>
<!-- LISTENERS -->
<listener>
<listener-class>ch.qos.logback.classic.selector.servlet.ContextDetachingSCL</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<!-- ERROR PAGE HANDLING -->
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
<!-- TIMEOUT -->
<session-config>
<session-timeout>120</session-timeout>
</session-config>
</web-app>
when I call session.signIn, got error like:
Root cause:
java.lang.NullPointerException
at com.rudiwijaya.rcommerce.WicketSession.authenticate(WicketSession.java:60)
at org.apache.wicket.authroles.authentication.AuthenticatedWebSession.signIn(AuthenticatedWebSession.java:66)
at com.rudiwijaya.rcommerce.pages.LoginButton.doAuthenticate(LoginButton.java:132)
at com.rudiwijaya.rcommerce.pages.LoginButton.onSubmit(LoginButton.java:165)
at org.apache.wicket.ajax.markup.html.form.AjaxButton$1.onSubmit(AjaxButton.java:113)
at org.apache.wicket.ajax.form.AjaxFormSubmitBehavior$AjaxFormSubmitter.onSubmit(AjaxFormSubmitBehavior.java:215)
at org.apache.wicket.markup.html.form.Form.delegateSubmit(Form.java:1307)
at org.apache.wicket.markup.html.form.Form.process(Form.java:976)
at org.apache.wicket.markup.html.form.Form.onFormSubmitted(Form.java:797)
at org.apache.wicket.ajax.form.AjaxFormSubmitBehavior.onEvent(AjaxFormSubmitBehavior.java:171)
at org.apache.wicket.ajax.AjaxEventBehavior.respond(AjaxEventBehavior.java:155)
at org.apache.wicket.ajax.AbstractDefaultAjaxBehavior.onRequest(AbstractDefaultAjaxBehavior.java:601)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.wicket.RequestListenerInterface.internalInvoke(RequestListenerInterface.java:258)
at org.apache.wicket.RequestListenerInterface.invoke(RequestListenerInterface.java:241)
at org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.invokeListener(ListenerInterfaceRequestHandler.java:248)
at org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler.respond(ListenerInterfaceRequestHandler.java:234)
at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:895)
at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)
The error (it is httpSession is null) in line:
httpSession.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
SecurityContextHolder.getContext());
What should I do, please?

Do you have more than one web container nodes ? With session replication ?
As a general rule you should never keep a hard reference to the Http Session. Especially in Wicket applications! Because if WicketSession is serialized and then deserialized this member field will be null!
Better lookup the HttpSession whenever you need it, i.e. extract((HttpServletRequest) request.getContainerRequest()).getSession(); in a method and call it when you need the session in the methods' bodies.

redirect after authentication

After I integrated spring security into vaadin there of course appeared a need to redirect user after successfull authentication.
I integrated spring security using two servlets - one for vaadin and another - for spring security.
Here my web.xml
<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:/pmc-web-context.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<servlet>
<servlet-name>another-pmc-servlet</servlet-name>
<servlet-class>ru.xpoft.vaadin.SpringVaadinServlet</servlet-class>
<init-param>
<param-name>beanName</param-name>
<param-value>pmcVaadin</param-value>
</init-param>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value></param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>another-pmc-servlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<servlet>
<servlet-name>login-pmc-servlet</servlet-name>
<servlet-class>ru.xpoft.vaadin.SpringVaadinServlet</servlet-class>
<init-param>
<param-name>beanName</param-name>
<param-value>loginVaadin</param-value>
</init-param>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value></param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>login-pmc-servlet</servlet-name>
<url-pattern>/login/*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
My security context looks like this
<http auto-config="true">
<intercept-url pattern="/*" access="ROLE_USER"/>
<form-login login-page="/login/" default-target-url="/*" authentication-failure-url="/login/?login_error=true"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="user" password="pass" authorities="ROLE_USER"/>
<user name="admin" password="admin" authorities="ROLE_ADMIN, ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
On my loginUI(bean name loginVaadin) page there is a login form
public class LoginForm extends Window {
private TextField login;
private TextField password;
private Button enter;
private HorizontalLayout buttonLayout;
private FormLayout formLayout;
private Image facebookIcon;
#Override
public void attach() {
setCaption(StringValues.LOGIN_FORM_CAPTION);
setSizeUndefined();
setResizable(false);
setModal(true);
setContent(createLayout());
super.attach();
}
private FormLayout createLayout() {
login = new TextField("Login");
password = new TextField("Password");
enter = new Button("Enter(close)");
final LoginUi ui = (LoginUi) LoginUi.getCurrent();
enter.addClickListener(new ClickListener() {
#Override
public void buttonClick(ClickEvent event) {
String loginValue = login.getValue();
String passwordValue = password.getValue();
AuthenticationService authenticationService = ui.getAuthenticationService();
String result = authenticationService.authorize(loginValue, passwordValue);
if (StringUtils.isBlank(result)) {
LoginForm.this.close();
}
ui.getPage().setLocation("localhost:8080/pmc-web/");
}
});
buttonLayout = new HorizontalLayout();
String pathToFile = VaadinService.getCurrent().getBaseDirectory()
.getAbsolutePath() + "\\WEB-INF\\images\\facebook_icon.png";
FileResource resource = new FileResource(new File(pathToFile));
facebookIcon = new Image(null, resource);
facebookIcon.addClickListener(new MouseEvents.ClickListener() {
#Override
public void click(com.vaadin.event.MouseEvents.ClickEvent event) {
try {
ui.getPage().setLocation(ui.getAuthenticationService()
.redirect(ui.getProperty("oauth.application"), ui.getProperty("oauth.callback")));
} catch (Exception e) {
Notification.show(e.getMessage());
}
}
});
buttonLayout.addComponent(facebookIcon);
buttonLayout.addComponent(enter);
buttonLayout.setComponentAlignment(enter, Alignment.BOTTOM_LEFT);
formLayout = new FormLayout(login, password, buttonLayout);
formLayout.setComponentAlignment(buttonLayout, Alignment.BOTTOM_LEFT);
formLayout.setMargin(true);
return formLayout;
}
}
But how to make it redirect to required me vaadin page with all components(ui bean name pmcVaadin)? Because when I do like this - it's again being intercepted and it shows me loginform again.

First of all shorten and clean up your "createLayout" method. ;)
Try:
ui.getNavigator().navigateTo("pmc-web");

How to handle Navigation in Managed Bean?

I have a JSF 2.1 with Primefaces mobile project which should run on desktop and mobile platforms. I wrote a renderkit handler which provides required renderkit based on the device the web app is running on. I'm having tough time in redirecting a desktop page to a mobile page.
URL used to access : http://localhost:8080
My Application structure is :
root
- WebContent
--desktop
---login.xhtml
--mobile
---login.xhtml
--WEB-INF
---web.xml
---faces-config.xml
--META-INF
faces-config.xml
<application>
<view-handler>com.renderkit.CustomViewHandler</view-handler>
</application>
<navigation-rule>
<display-name>Desktop-Login</display-name>
<from-view-id>/desktop/login.xhtml</from-view-id>
<navigation-case>
<from-outcome>MOBILE</from-outcome>
<to-view-id>/mobile/login.xhtml</to-view-id>
</navigation-case>
</navigation-rule>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>AnalyzerUI</display-name>
<welcome-file-list>
<welcome-file>/desktop/login.xhtml</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
<url-pattern>*.jsf</url-pattern>
<url-pattern>*.faces</url-pattern>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<context-param>
<description>State saving method: 'client' or 'server' (=default). See JSF Specification 2.5.2</description>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>resources.application</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.expressionFactory</param-name>
<param-value>com.sun.el.ExpressionFactoryImpl</param-value>
</context-param>
<context-param>
<param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.DATETIMECONVERTER_DEFAULT_TIMEZONE_IS_SYSTEM_TIMEZONE</param-name>
<param-value>true</param-value>
</context-param>
<listener>
<listener-class>com.sun.faces.config.ConfigureListener</listener-class>
</listener>
</web-app>
User class, a Session scoped Managed Bean class for login.xhtml
#ManagedBean
#SessionScoped
public class User implements Serializable
{
private String name;
private String password;
#PostConstruct
public void myPostConstruct()
{
String renderKitId = FacesContext.getCurrentInstance().getViewRoot().getRenderKitId();
System.out.println(" renderKitId >>> " + renderKitId);
if (renderKitId.equalsIgnoreCase("PRIMEFACES_MOBILE"))
{
try
{
FacesContext.getCurrentInstance().getApplication(). getNavigationHandler().handleNavigation(FacesContext.getCurrentInstance(), null , "MOBILE");
}
catch (IOException e)
{
e.printStackTrace();
}
}
}
//getters and setters
}
CustomViewHandler
public class CustomViewHandler extends ViewHandlerWrapper
{
private ViewHandler wrapped;
public CustomViewHandler(ViewHandler wrapped)
{
this.wrapped = wrapped;
}
#Override
public ViewHandler getWrapped()
{
return this.wrapped;
}
#Override
public String calculateRenderKitId(FacesContext context)
{
HttpServletRequest req = (HttpServletRequest) context.getExternalContext().getRequest();
String userAgent = req.getHeader("user-agent");
String accept = req.getHeader("Accept");
System.out.println("userAgent ::: "+ userAgent+ " accept :: "+accept);
if (userAgent != null && accept != null) {
UAgentInfo agent = new UAgentInfo(userAgent, accept);
if (agent.isMobileDevice()) {
return "PRIMEFACES_MOBILE";
}
}
return this.wrapped.calculateRenderKitId(context);
}
}

Integrating Spring Security with Vaadin 7

I am new to vaadin 7. I am finding some problem with Spring Security Vaadin Integration. I am using JSP Login form to Login into my application. I am not able to log into my application, and I am unable to find the problem.
web.xml
<display-name>Vaadin Web Application</display-name>
<context-param>
<description>Vaadin production mode</description>
<param-name>productionMode</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<listener>
<listener-class>com.vaadin.ui.application.spring.ApplicationContextListener</listener-class>
</listener>
<servlet>
<servlet-name>TestApp</servlet-name>
<servlet-class>com.vaadin.ui.application.spring.SpringApplicationServlet</servlet-class>
<init-param>
<param-name>closeIdleSessions</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<description>Vaadin UIProvider class name</description>
<param-name>UIProvider</param-name>
<param-value>com.vaadin.ui.application.spring.ApplicationUIProvider</param-value>
</init-param>
<init-param>
<description>Vaadin application bean to start</description>
<param-name>UIBean</param-name>
<param-value>TestApplication</param-value>
</init-param>
<init-param>
<param-name>widgetset</param-name>
<param-value>com.vaadin.ui.application.AppWidgetSet</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>Test</servlet-name>
<url-pattern>/home/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Test</servlet-name>
<url-pattern>/VAADIN/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/schema/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>loginform.jsp</welcome-file>
</welcome-file-list>
<session-config>
<session-timeout>100</session-timeout>
</session-config>
SpringApplicationServlet.java
#Component
public class SpringApplicationServlet extends VaadinServlet {
private WebApplicationContext applicationContext;
private Class<? extends UI> applicationClass;
private String applicationBean;
private LocaleResolver localeResolver;
#SuppressWarnings("unchecked")
#Override
public void init(ServletConfig servletConfig) throws ServletException {
super.init(servletConfig);
applicationBean = servletConfig.getInitParameter("applicationBean");
if (applicationBean == null) {
throw new ServletException(
"ApplicationBean not specified in servlet parameters");
}
applicationContext = WebApplicationContextUtils
.getWebApplicationContext(servletConfig.getServletContext());
applicationClass = (Class<? extends UI>) applicationContext
.getType(applicationBean);
initLocaleResolver(applicationContext);
}
private void initLocaleResolver(ApplicationContext context) {
try {
this.localeResolver = (LocaleResolver) context.getBean(
DispatcherServlet.LOCALE_RESOLVER_BEAN_NAME,
LocaleResolver.class);
} catch (NoSuchBeanDefinitionException ex) {
this.localeResolver = new SessionLocaleResolver();
}
}
protected void service(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
final Locale locale = localeResolver.resolveLocale(request);
LocaleContextHolder.setLocale(locale);
ServletRequestAttributes requestAttributes = new ServletRequestAttributes(
request);
RequestContextHolder.setRequestAttributes(requestAttributes);
try {
super.service(new HttpServletRequestWrapper(request) {
#Override
public Locale getLocale() {
return locale;
}
}, response);
} finally {
if (!locale.equals(LocaleContextHolder.getLocale())) {
localeResolver.setLocale(request, response,
LocaleContextHolder.getLocale());
}
LocaleContextHolder.resetLocaleContext();
RequestContextHolder.resetRequestAttributes();
}
}
protected UI getNewApplication(HttpServletRequest request)
throws ServletException {
return (UI) applicationContext.getBean(applicationBean);
}
protected Class<? extends UI> getApplicationClass()
throws ClassNotFoundException {
return applicationClass;
}
Please help me out with some sample code to get this working.
Regards
Abhilash

You didn't write what error you have.Anyway, I see one defect: servlet is register as: TestApp
but mapped as: Test

Rich Faces 4.0 With jsf2.0

I am making web app using JSF 2.0 and Rich Faces 4.0
I want to know what should be minimum- entry in Web.xml and faces config.xml so that application will run successfully . Is order of servlet declaration matters , I am saying because when i am running my app with custom security filter, rich faces component is not rendering sometime . Can you please give me example Web.xml file.
EDIT:
*Thanks BalusC * Problem is when i am adding security filter Rich faces component is not rendered ?? I am sensing you my web.xml entry and security filter. can you please tell me what is wrong i am doing here
</p><p> `<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>MyApp</display-name>
<context-param>
<param-name>org.richfaces.skin</param-name>
<param-value>classic</param-value>
</context-param>
<context-param>
<param-name>org.richfaces.enableControlSkinning</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>org.richfaces.enableControlSkinningClasses</param-name>
<param-value>false</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<filter>
<filter-name>SecurityFilter</filter-name>
<filter-class>com.my.SecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SecurityFilter</filter-name>
<url-pattern>*.jsf</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
</web-app>` </p><p> Security Filter </p> <p> `import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ils.core.util.IlsUtil;
/**
* #author --FILTER implementing class; Checks the authentication of every
* request
*/
public class SecurityFilter implements Filter {
public void init(FilterConfig config) throws ServletException {
}
public void doFilter(ServletRequest request, ServletResponse resp,
FilterChain chain) throws IOException, ServletException {
System.out.println("--------SecurityFilter.doFilter()--------");
boolean redirToLoginPage = false;
HttpServletRequest httpRequest = (HttpServletRequest) request;
InputParamDto parameter = null;
Object user = null;
try {
parameter = (InputParamDto) httpRequest.getSession().getAttribute(
"inputParameter");
} catch (Exception e) {
e.printStackTrace();
}
if (parameter == null || IlsUtil.ifEmpty(parameter.getConsumer_id())) {
redirToLoginPage = true;
}
if (httpRequest.getRequestURI().indexOf("login") == -1
&& redirToLoginPage) {
HttpServletResponse httpResponse = (HttpServletResponse) resp;
httpResponse.setContentType("text/plain");
httpResponse.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
String redirTo = httpRequest.getScheme() + "://"
+ httpRequest.getServerName() + ":"
+ httpRequest.getServerPort()
+ httpRequest.getContextPath() + "/";
httpResponse.setHeader("Location", redirTo);
} else {
chain.doFilter(request, resp);
}
}
public void destroy() {
}
}`</p>

I had the same issue in my project so I solved it by adding the path in the validation where the richfaces resources and jsf are being loaded.
Something like this:
String uri = hr.getRequestURI();
if (uri.endsWith(".view")
&& !uri.contains(ResourceHandler.RESOURCE_IDENTIFIER)
&& !uri.contains(ResourceHandlerImpl.RICHFACES_RESOURCE_IDENTIFIER)) {
//You put your code here
}

Just the usual FacesServlet mapping in web.xml is enough for JSF 2.0. The faces-config.xml can be left empty. RichFaces 4.0 doesn't require additional configuration in either file.
Update as per your update: you need to map your security filter on a different URL pattern. RichFaces will dynamically include CSS/JS files on the same mapping of the FacesServlet. However, your security filter is apparently blocking those requests (didn't you pay attention to those lot of system out prints in the log?). I'd suggest to put secured files in a folder and map the filter on there instead, e.g. /secured/*, /private/*, /app/*, etc.
Unrelated to the problem, you've got there a lot of FacesServlet mappings. Please keep it clean and stick to one. I'd personally recommend *.xhtml. This way the endusers won't be able to view the raw JSF source anymore by just editing the URL in browser address bar.