JSF redirect doesn't stop page rendering

Question

We're using JSF in a very simple way. All we're doing is implementing tags that contain a little Java code.

I have implemented a "security" tag that sends a 302 redirect back to the login page whenever the user isn't logged in:

// make them log in
ctx.getExternalContext().redirect("login.xhtml");
ctx.responseComplete();

The trouble is that the redirect() method doesn't stop the rest of the page being rendered. Tags that are further down the page are getting executed. This is a problem because non-logged-in users could see things they shouldn't if they had their browser ignore redirects.

How do I get responseComplete() to do what I thought it was supposed to do?

Answer 1

Try it!

ctx.getExternalContext().dispatch("login.xhtml");
ctx.responseComplete();

Answer 2

Its always better to implement the login related logic in a servlet filter, like below:

1. Implement a filter for the URL patterns that you want to secure
2. In the filter, check if the user is logged in (may be by just checking if Username/UserId is present in user session)
3. If the user is not logged in, redirect the user to a HTML based login page.
4. If the user is logged in, let the user access the resources.

There are a lot of ways (may be better than this) to implement this, but this is the most basic one.

Answer 3

Maybe you could use a flag to verify if the user is logged in.
Then, you can use the render=#{managedBean.logged} property in the tags you don't want to render.
This is just a workaround... can't really help too much with that amount of information you gave.