When logging into my Java web app, I'm directed to the CSS used by the login form, how to fix this?

Question

I have a Java web app which consists of a variety of a servlets and JSPs -- examples: controller servlet /controller?abc=123&xyz=567, some other servlets /showDocument?docid=55, and some direct access to JSPs, /userDetails.jsp.

I have enabled web security to prevent access to all (shown below) and I have a login.jsp page that links to a css file /styles.css.

When I access any URL, I am redirected to the login.jsp page.

The problems are:

(1) no CSS stylings are used on the login page, probably because the styles.css is considered a protected resource and I'm not logged in yet.

(2) After successfully logging in with username and password, I am directed to the style.css file (which displays in the browser as plain text). I'm guessing this is because the LINK to the css file is considered to be the most recently protected resource requested, so it assumes that's where I want to go.

If I copy and paste the CSS content in my JSP, both problems go away but then I have the CSS in two places, the style.css and also in the login.jsp.

How do I fix this? Is there a way for me to 'white list' *.css files so they are not protected. Do I have to define a different security constraint for the specific types I want to protect?

Here's my current security constraints from my web.xml:

<security-constraint>
  <display-name>name</display-name>
  <web-resource-collection>  
    <web-resource-name>Restricted</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>APP_USER</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

This is how I'm linking to the CSS in my JSPs:

<head>
  <LINK REL=StyleSheet HREF="styles.css" TYPE="text/css" MEDIA="screen" />
</head>

Any help is greatly appreciated!

Rob

Answer 1

You can disable security for css and images after you have secured everything

<security-constraint>
  <display-name>name</display-name>
  <web-resource-collection>  
    <web-resource-name>Restricted</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>APP_USER</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint><!--Exclude css and images here -->
   <web-resource-collection>
      <web-resource-name>Exclude from Security</web-resource-name>
      <url-pattern>/images/*</url-pattern><!-- No security for images -->
      <url-pattern>/css/*</url-pattern><!-- No security for css -->
   </web-resource-collection>
</security-constraint>