Error generated when authenticating with Primefaces modal dialog and spring security

I wanted to add authentication using Primefaces modal dialog and spring security to a web project but it generates an error when clicking on the login button. here is the code used:

Modal dialog:

<p:dialog header="User Details" showEffect="fade" modal="true"                 widgetVar="loginDialog" responsive="true" width="300" height="200">  <h:form id="frmLogin" prependId="false">            <p:messages id="msgs1"/>      <h:panelGrid columns="3" cellpadding="7" styleClass="p-mb-3">          <p:outputLabel for="j_username" value="username"/>           <p:inputText  type="text" name="j_username" class="form-control" id="j_username" placeholder="Username" required="true"/>          <p:message for="j_username" display="icon"/>          <p:outputLabel for="j_password" value="password"/>          <p:inputText  type="password" class="form-control" name="j_password" id="j_password" placeholder="Password" required="true"/>                    <p:message for="j_password" id="msgpassword" display="icon"/>      </h:panelGrid>  <p:commandButton type="submit" update="@form" id="login" action="#{homeMB.doLogin}" value="Login"  />      <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>   </h:form> </p:dialog>

The function doLogin:

public String doLogin() throws IOException, ServletException {    ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();    RequestDispatcher dispatcher = ((ServletRequest) context.getRequest()).getRequestDispatcher("/j_spring_security_check");    dispatcher.forward((ServletRequest) context.getRequest(), (ServletResponse) context.getResponse());    FacesContext.getCurrentInstance().responseComplete();    return null; }

POST http://localhost:8080/MywebProject/index.xhtml 404 (Not Found)

When viewing the generated source code, I noticed that the action attribute of the generated form h:form  is filled with a link to the current page which is index.xhtml so the error generated comes back to this modification.

Does anyone have an idea about this error
Thanks

Well, JSF Rule #1 is that whenever you have lots of JSF-specific code, you're probably doing it wrong. JSF was designed to mostly use POJOs and work in the background, so grabbing the FacesContext and messing around with JEE and JSF internals is generally a red flag.

I'm sorry to say that I still haven't read very far into the Spring Security book I won on the Ranch a while back. Mostly I just use the basic JEE standard container security, which doesn't require any user-written login code at all.

I can tell you that in JEE basic security that explicitly invoking the URL for j_security_check doesn't work, since the necessary context in the server isn't there. The server sets up the security context for j_security_check when it detects an incoming secured URL request (as defined in web.xml) for a user who isn't currently logged in and automatically presents the login/loginfail page and processes the form data from those pages wihout any application intervention (or even knowledge - there is no JEE event for "user has logged in").

Two things to always bear in mind:

If a JSF action method returns NULL, that means that the current JSF View is to be re-presented instead of navigating to a new View. DO NOT attempt to manually dispatch, as you'll lose the JSF internal context! Secondly — and most importantly — the View name in the URL is not always going to be the the View that will be presented. In JSF, the URL is more of a session anchor than an absolute indicator of what page will display and the URL view name will often lag behind.

That last part is very important, since JEE container security keys off the incoming URL and NOT on the page to be displayed, so when they don't match, a potential security hazard exists. This is avoided by using the "redirect" option on internal View navigations.

If you take a look at the generated code, you can see that there is an incorrect link that corresponds to the current page.
<form id="frmLogin" name="frmLogin" method="post" action="/MywebProject/index.xhtml" enctype="application/x-www-form-urlencoded">
The question is why this link is added and how to fix it to point to the authentication function

No, that's not how it works.

As I said, in JSF, the URL acts more as a "session anchor" than as an absolute page request.

If you look at the full form details, you'll see that there's quite a bit of cryptic data that was also added to that form. It's used as part of the JSF state maintenance functionality and it's why you can't just brute-force redispatch JSF URLs.

There's nothing wrong with that form's URL.

I can tell you this. I only have one app running Spring Security and it's a Spring Boot app. And I did not have to tie myself in JSF-specific knots to make it handle the login process.

See this project: https://gogs.mousetech.com/mtsinc7/GourmetJ-Springboot All of the URL security is handled in src/main/java/com/mousetech/gourmetj/SpringSecurityConfig.java and there's not a single JSF header file in there. In fact, the only JSF references at all are to permit the JSF resources to be accessible to non-logged in users (the recipe display and print pages do not require a logged in user — the comments are out of sync with the code).