I am struggling with this issue for 5 days now and I don't see where to look for a solution. I upgraded a JSF application from 2.1 to 2.2 with Mojara 2.1.17 to 2.2.14, including Icefaces from 3.2.0 to 4.2.0.
I also upgraded Spring 3.2 to 5.1.2 and Spring Web Flow from 2.3.2.RELEASE to 2.5.1.RELEASE. The problem is, after the migration all Spring Web Flow are no longer invoked. When I click a button nothing happens. I take a look at the web console and every time I click on a button which should trigger the web-flow, I keep getting an http 403 error.
This is a snipet of my configuration:
<webflow:flow-executor id="flowExecutor">
<webflow:flow-execution-listeners>
<webflow:listener ref="facesContextListener"/>
<webflow:listener ref="icefacesFlowListener" />
</webflow:flow-execution-listeners>
</webflow:flow-executor>
<bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping">
<property name="flowRegistry" ref="flowRegistry"/>
<property name="order" value="0"/>
</bean>
<bean id="facesContextListener"
class="org.springframework.faces.webflow.FlowFacesContextLifecycleListener" />
<faces:flow-builder-services id="flowBuilderServices" development="true" />
<webflow:flow-registry id="flowRegistry" flow-builder-services="flowBuilderServices" base-path="/WEB-INF/flows">
<webflow:flow-location-pattern value="**/*-flow.xml" />
</webflow:flow-registry>
The faces-config.xml is simple with only:
<application>
<el-resolver>
org.springframework.web.jsf.el.SpringBeanFacesELResolver
</el-resolver>
</application>
And the web.xml
<welcome-file-list>
<welcome-file>flow/welcome</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>flowDispatchServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value></param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<multipart-config />
</servlet>
<servlet-mapping>
<servlet-name>flowDispatchServlet</servlet-name>
<url-pattern>/flow/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>flowDispatchServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<resource-env-ref>
<resource-env-ref-name>BeanManager</resource-env-ref-name>
<resource-env-ref-type>
javax.enterprise.inject.spi.BeanManager
</resource-env-ref-type>
</resource-env-ref>
The main dependencies:
<spring-integration.version>5.1.0.RELEASE</spring-integration.version>
<spring-orm.version>5.1.2.RELEASE</spring-orm.version>
<spring-security-cas-client.version>3.0.8.RELEASE</spring-security-cas-client.version>
<spring-security.version>5.1.2.RELEASE</spring-security.version>
<spring.version>5.1.2.RELEASE</spring.version>
<spring.webflow.version>2.5.1.RELEASE</spring.webflow.version>
<spring-ws-core.version>3.0.4.RELEASE</spring-ws-core.version>
<javax.faces.version>2.2.14</javax.faces.version>
<icefaces-ace.version>4.2.0</icefaces-ace.version>
<validation-api.version>2.0.1.Final</validation-api.version>
I use Tomcat 8.5. And a simple flow for tests:
<view-state id="start" view="welcome.xhtml">
<transition on="test" to="testView" />
</<view-state>
<view-state id="testView" view="test.xhtml"/>
The button in welcome.xhtml:
<h:form id="testForm">
....
<h:commandButton id="btnTest" class="button" value="Test" action="test"/>
</h:form>
welcome.xhtml is well rendered but clicking on the button, I get the 403 error.
Thanks for your help.
I finaly found the reason. Spring Security enables CSRF by default, which blocks POST request on my form. Disabled it solve the issue. I lost 5 days!!!!