Hoe Chin

JSF Filter prevent direct access certain page

I created a filter to prevent the user from accessing certain pages by typing the URL. I have 3 pages; the user is supposed to access page2 or page3 only through page1. The first page requires the user to enter a username, then go to page2 and so on. I have a session-scoped managed bean `user`. This is my filter method. The problem is that when I never enter the username, this line (req.getAttribute("user") == null) won't give me null but some value like bean.User@6ed322. Can anyone help me find where this goes wrong?

// Filter method as posted; User is the session-scoped managed bean class.
public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;
    // getSession(false) returns null instead of creating a session
    HttpSession httpSession = req.getSession(false);
    String pageRequested = req.getRequestURI();

    if (httpSession == null) {
        // No session yet: start one and send the user to the first page
        httpSession = req.getSession(true);
        resp.sendRedirect("Page1.faces");
    } else if (httpSession.getAttribute("user") != null
            && ((User) httpSession.getAttribute("user")).getUsername() == null
            && !pageRequested.contains("Page1.faces")) {
        // Bean exists but no username was entered: back to the first page
        resp.sendRedirect("Page1.faces");
    } else {
        chain.doFilter(request, response);
    }
}

Upvotes: 1

Views: 3344

Answers (4)

Rafał Rowiński

Reputation: 636

req.getRemoteUser() can help you. It returns the login of the user making this request. You have to prevent filtering other resources such as CSS by adding pageRequested.contains(".faces"), for example

else if (req.getRemoteUser() != null
        && (pageRequested.contains(".faces") && !pageRequested.contains("Page1.faces"))) {
    resp.sendError(403);
}

Upvotes: 0

BalusC

Reputation: 1108642

I have a managed bean user scoped session.

Is this declared in faces-config.xml? Is this referenced in any of the JSF pages?

If so, then JSF would automatically create one for you. You shouldn't intercept on that. Either remove the declaration from faces-config.xml or change the way you check the logged-in user.

If not, then your testing methodology is poor. To get a new session at the client side, either restart the client application or do an HttpSession#invalidate() at the server side (which is in my opinion a bit too disastrous; just removing or nulling the user attribute from the session should suffice).

Upvotes: 0

Bozho

Reputation: 597046

Close your browser / clear your sessions/cookies before any subsequent attempts. Also, you can make a logout button that calls session.invalidate().
Spring Security or JAAS may be a big overhead for you, but you can use a JSF PhaseListener instead of a filter and do your checks on the RENDER_RESPONSE phase, for example.

Upvotes: 0
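The PhaseListener alternative mentioned above, written out as an added example (this is not code from the question or any of the answers). It assumes a session attribute named `authenticatedUsername` that only the login action writes, a view id of `/Page1.xhtml` for the first page (use `/Page1.jsp` with JSP views), and registration of the class in faces-config.xml; the class and attribute names are hypothetical.

```java
import java.io.IOException;
import java.util.Map;

import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

// Registered in faces-config.xml:
//   <lifecycle><phase-listener>LoginPhaseListener</phase-listener></lifecycle>
// (fully qualified class name; hypothetical, as is the attribute name below)
public class LoginPhaseListener implements PhaseListener {

    static final String LOGIN_ATTR = "authenticatedUsername"; // set only by the login action
    static final String LOGIN_VIEW = "/Page1.xhtml";          // view id, not the .faces URL

    public PhaseId getPhaseId() {
        return PhaseId.RENDER_RESPONSE;
    }

    // Runs just before the view is rendered. The login action on Page1 has
    // already executed in INVOKE_APPLICATION by then, so a successful login
    // is visible here on the very same request, and the view root for the
    // page about to be shown is already known.
    public void beforePhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (ctx.getViewRoot() == null) {
            return;
        }
        String viewId = ctx.getViewRoot().getViewId();
        if (LOGIN_VIEW.equals(viewId)) {
            return; // the login page itself is always allowed
        }

        ExternalContext ec = ctx.getExternalContext();
        Map<String, Object> session = ec.getSessionMap();
        if (session.get(LOGIN_ATTR) == null) {
            try {
                // Absolute path within this web application
                ec.redirect(ec.getRequestContextPath() + "/Page1.faces");
            } catch (IOException e) {
                throw new FacesException(e);
            }
            // Make sure nothing else is rendered after the redirect
            ctx.responseComplete();
        }
    }

    public void afterPhase(PhaseEvent event) {
    }
}
```

The check is on an attribute the login action sets explicitly, not on whether the session-scoped bean exists, since JSF creates that bean as soon as a page references it. A PhaseListener only sees requests that go through the FacesServlet, so static resources such as CSS are never redirected, but anything served outside JSF (a plain JSP reachable by its own URL, for instance) is also not covered by it.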

Martlark

Reputation: 14581

So, ... you want to prevent access to certain pages when the user has not logged in correctly? Then you should investigate Spring security or JAAS for catching page access and redirecting to login pages. You could as an alternative set an attribute in the session for good logins and check that in your filter.

Upvotes: 1
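The "set an attribute in the session for good logins and check that in your filter" approach from this answer, combined with BalusC's point that the existence of the session-scoped bean proves nothing, as an added example (not code from the question or any answer). The class names, the `authenticatedUsername` attribute, the `page2` navigation outcome and the filter mapping are assumptions.

```java
import java.io.IOException;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// LoginCheckFilter.java: mapped in web.xml to *.faces (hypothetical name/mapping).
// The only thing it trusts is the LOGIN_ATTR session attribute, which the
// login action below writes after a successful login and nothing else sets.
public class LoginCheckFilter implements Filter {

    static final String LOGIN_ATTR = "authenticatedUsername"; // hypothetical attribute name
    static final String LOGIN_PAGE = "/Page1.faces";

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Path relative to the web application, e.g. "/Page2.faces"
        String path = req.getRequestURI().substring(req.getContextPath().length());

        // The login page and JSF resource requests are always let through,
        // otherwise redirecting to Page1.faces would loop forever.
        if (path.equals(LOGIN_PAGE) || path.startsWith("/javax.faces.resource/")) {
            chain.doFilter(request, response);
            return;
        }

        // getSession(false): an unauthenticated GET must not allocate server state;
        // it simply yields null when no session exists yet.
        HttpSession session = req.getSession(false);
        Object username = (session == null) ? null : session.getAttribute(LOGIN_ATTR);

        if (username == null) {
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}

// User.java: the session-scoped managed bean backing Page1. JSF instantiates it
// as soon as a page references #{user...}, so its presence in the session is
// not evidence of a login; only the login() action below marks one.
class User {
    private String username;

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    // Action method bound to the submit button on Page1
    public String login() {
        if (username == null || username.trim().length() == 0) {
            return null; // stay on Page1
        }
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        ec.getSessionMap().put(LoginCheckFilter.LOGIN_ATTR, username.trim());
        return "page2"; // hypothetical outcome mapped to Page2 in a navigation rule
    }
}
```

A logout action removes `LOGIN_ATTR` from the session map (or invalidates the session), and the filter then denies Page2 and Page3 on the next request. If the application must also defend against session fixation, call `HttpSession#invalidate()` before storing the attribute on a fresh session; in JSF 1.x that discards the session-scoped `User` bean too, so anything Page2 needs from it has to be re-stored in the new session.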
