I'm using JAAS to secure my web application. As the title says, the problem is that I get the home page, which is in the protected folder, instead of the login page. Actually the home page is my welcome page. By the way, it works fine when I write the URL (/myappJaas/protected/admin/homeadmin.xhtml) in the web browser. This is the web.xml file:
<welcome-file-list>
  <welcome-file>/protected/admin/homeadmin.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admins</web-resource-name>
    <url-pattern>/protected/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/public/login.xhtml</form-login-page>
    <form-error-page>/public/errorlogin.xhtml</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
You misunderstood the purpose of <welcome-file>. It should represent the sole filename of the default index file of the directory. This file will be presented to the end user when the end user requests a directory. The container will then transparently dispatch the configured welcome file to the end user without sending a redirect. However, the current URL is still in public domain.
You want to send a fullworthy redirect instead. You could do that in a filter, or by a <meta http-equiv="refresh"> in the index.xhtml welcome file, or in the constructor of the managed bean associated with the fictive index.xhtml welcome file.
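The filter option from the answer above, as an added example that is not part of the original answer: it sends a real redirect from the context root to the protected page, so the browser's follow-up request matches the `/protected/admin/*` security constraint and the container shows the FORM login page. The class name `HomeRedirectFilter` and the `/*` mapping are assumptions; the target path comes from the question's web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the name and the "/*" mapping are assumptions, not from the page.
@WebFilter("/*")
public class HomeRedirectFilter implements Filter {

    // Protected landing page, taken from the question's web.xml.
    private static final String HOME = "/protected/admin/homeadmin.xhtml";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, with any ";jsessionid=..." path parameter removed.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semi = path.indexOf(';');
        if (semi >= 0) {
            path = path.substring(0, semi);
        }

        if (path.isEmpty() || "/".equals(path)) {
            // Real HTTP redirect: the browser issues a new request for the protected URL,
            // and that request is checked against the security constraint.
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + HOME));
            return;
        }
        // Everything else passes through untouched.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

With the filter in place, the welcome-file entry no longer needs to point into the protected folder.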