I’m trying to implement a very basic example of container-initiated authentication.
I defined the roles and constraints in web.xml:
```xml
<security-role>
    <role-name>VIEW_USER_PAGES</role-name>
</security-role>
<security-role>
    <role-name>VIEW_ADMIN_PAGES</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>User pages</web-resource-name>
        <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>VIEW_USER_PAGES</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin pages</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>VIEW_ADMIN_PAGES</role-name>
    </auth-constraint>
</security-constraint>
```
I set up the authentication method and a basic identity store (I’m going to change this later on):
```java
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.faces.annotation.FacesConfig;
import jakarta.security.enterprise.authentication.mechanism.http.CustomFormAuthenticationMechanismDefinition;
import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
import jakarta.security.enterprise.identitystore.InMemoryIdentityStoreDefinition;

// Custom form mechanism: the container redirects to /login.xhtml (no forward)
// and the application calls SecurityContext.authenticate() itself.
@CustomFormAuthenticationMechanismDefinition(
    loginToContinue = @LoginToContinue(
        loginPage = "/login.xhtml",
        errorPage = "",
        useForwardToLogin = false
    )
)
@FacesConfig
@ApplicationScoped
// Clear-text in-memory accounts; the group names match the roles in web.xml.
@InMemoryIdentityStoreDefinition({
    @InMemoryIdentityStoreDefinition.Credentials(
        callerName = "admin@example.com",
        password = "adminSecret",
        groups = { "VIEW_USER_PAGES", "VIEW_ADMIN_PAGES" }
    ),
    @InMemoryIdentityStoreDefinition.Credentials(
        callerName = "user@example.com",
        password = "userSecret",
        groups = { "VIEW_USER_PAGES" }
    )
})
public class ApplicationConfig {
}
```
and finally the authentication code:
```java
import java.util.logging.Logger;

import jakarta.enterprise.context.RequestScoped;
import jakarta.faces.context.ExternalContext;
import jakarta.faces.context.FacesContext;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.SecurityContext;
import jakarta.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Size;

@RequestScoped
@Named("loginController")
public class LoginController {

    private static final Logger logger = Logger.getLogger(LoginController.class.getName());

    @NotNull
    @Email
    private String email;

    @NotNull
    @Size(min = 5, max = 100, message = "Password ...")
    private String passwd;

    @Inject
    SecurityContext securityContext;

    @Inject
    ExternalContext externalContext;

    @Inject
    FacesContext facesContext;

    // Action method of the login form.
    public void execute() {
        switch (processAuthentication()) {
            case SEND_CONTINUE:
                // The mechanism has already written a redirect; stop JSF rendering.
                facesContext.responseComplete();
                break;
            case SEND_FAILURE:
                break;
            case SUCCESS:
                logger.info("[execute: SUCCESS]");
                break;
        }
    }

    // Hands the entered credential to the container's authentication mechanism.
    public AuthenticationStatus processAuthentication() {
        ExternalContext ec = externalContext;
        return securityContext.authenticate(
            (HttpServletRequest) ec.getRequest(),
            (HttpServletResponse) ec.getResponse(),
            AuthenticationParameters.withParams().credential(new UsernamePasswordCredential(email, passwd)));
    }

    // ...
}
```
When I try to access, for example, /user/user_index.xhtml, my login form is displayed, authentication works fine, and I end up in the SUCCESS branch, but I am not redirected to the desired resource and remain on the login page. I am obviously overlooking something important, but I cannot figure out what it is.
Thanks in advance.
Kind regards
Thomas
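Since the question mentions swapping the clear-text `@InMemoryIdentityStoreDefinition` out later, here is an added example (not the poster's code) of what that replacement typically looks like: a CDI-discovered `IdentityStore` that validates `UsernamePasswordCredential` against PBKDF2 hashes via the standard `Pbkdf2PasswordHash` from Jakarta Security. The two callers and their groups mirror the question; the hashes are generated at startup from constructed sample passwords so no hash string is hard-coded (in a real deployment they would come from a database). The PBKDF2 parameter values and the class name are assumptions, and the code assumes Java 17+ (records, pattern-matching `instanceof`).

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import jakarta.annotation.PostConstruct;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.Pbkdf2PasswordHash;

// Added example, not the original poster's code: an IdentityStore backed by
// PBKDF2 password hashes instead of clear-text in-memory credentials.
@ApplicationScoped
public class HashedIdentityStore implements IdentityStore {

    /** One stored account: its PBKDF2 hash and the groups it belongs to. */
    private record Account(String passwordHash, Set<String> groups) {}

    @Inject
    private Pbkdf2PasswordHash passwordHash;

    private final Map<String, Account> accounts = new HashMap<>();

    /** Verified for unknown callers so a failed login costs the same time
     *  whether or not the caller name exists (no caller enumeration by timing). */
    private String dummyHash;

    @PostConstruct
    void init() {
        // Standard Pbkdf2PasswordHash parameter names; the values are assumptions.
        Map<String, String> params = new HashMap<>();
        params.put("Pbkdf2PasswordHash.Algorithm", "PBKDF2WithHmacSHA256");
        params.put("Pbkdf2PasswordHash.Iterations", "310000");
        params.put("Pbkdf2PasswordHash.SaltSizeBytes", "32");
        params.put("Pbkdf2PasswordHash.KeySizeBytes", "32");
        passwordHash.initialize(params);

        // Constructed sample accounts with the same callers and groups as the question.
        accounts.put("admin@example.com", new Account(
                passwordHash.generate("adminSecret".toCharArray()),
                Set.of("VIEW_USER_PAGES", "VIEW_ADMIN_PAGES")));
        accounts.put("user@example.com", new Account(
                passwordHash.generate("userSecret".toCharArray()),
                Set.of("VIEW_USER_PAGES")));
        dummyHash = passwordHash.generate("unused-dummy-password".toCharArray());
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        // Other credential types are left to other stores in the chain.
        if (!(credential instanceof UsernamePasswordCredential upc)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        Account account = accounts.get(upc.getCaller());
        // Always run exactly one verify, against the real hash or the dummy one.
        boolean ok = passwordHash.verify(
                upc.getPassword().getValue(),
                account != null ? account.passwordHash() : dummyHash);
        if (account == null || !ok) {
            // Same result for "unknown caller" and "wrong password".
            return CredentialValidationResult.INVALID_RESULT;
        }
        // Groups are mapped to the roles declared in web.xml by the container.
        return new CredentialValidationResult(upc.getCaller(), account.groups());
    }
}
```

When this store is on the classpath, the `@InMemoryIdentityStoreDefinition` annotation should be removed from `ApplicationConfig`; otherwise both stores are consulted in priority order and the clear-text one still accepts the same passwords. The returned groups are what `SecurityContext.isCallerInRole("VIEW_ADMIN_PAGES")` and the `<auth-constraint>` entries are evaluated against.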