matsa

Reputation: 441

Is it possible to resolve navigation outcome in order to validate it?

I've got a WebFilter that redirects to the login page in my application. In order to redirect back to the referring page I've also added a view parameter called redirectOnLogin which is then used on successful logins in order to perform the final navigation.

If one were to manipulate this query parameter, one could easily provoke JSF navigation errors. I would therefore like to pre-empt this by checking that the outcome is valid but I've not been able to uncover a mechanism for pre-validating a JSF outcome.

Upvotes: 0

Views: 54

Answers (1)

Kukeltje

Reputation: 12337

Easiest and best is to make sure the redirectToLogin parameter cannot be manipulated. Or that manipulation is detected.

You could solve this in (at least) two ways:

  1. Taking the original page name, adding a 'salt' to it and creating a hash.
  2. Adding this hash in the request to the login server.
  3. Make sure it is returned by the login server (maybe adding it as # to the return page or as a param).
  4. On receiving it on the 'redirectOnLogin' page, use the page name, the same salt and create a hash in the same way. Compare these and if they match you are fine; if they don't, throw an error.

Or you could

  1. Store the 'redirectOnLogin' page in a session to
  2. Check on returning from the login server if it matches with the page you end-up on.

Upvotes: 1
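
The first approach in the answer above (steps 1 to 4), sketched as an added example that is not part of the original answer or of any JSF API. It swaps the salted hash for HMAC-SHA256 keyed with a server-side secret; the class name `RedirectToken`, the view ids, the secret and the fallback page are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper: signs the redirectOnLogin value before the login
// redirect and verifies it before the final navigation.
public class RedirectToken {
    private final SecretKeySpec key;

    public RedirectToken(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    // Steps 1-2: compute a tag over the page name; send it next to redirectOnLogin.
    public String sign(String viewId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        byte[] tag = mac.doFinal(viewId.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Step 4: recompute the tag from the returned page name and compare
    // in constant time. Missing values are treated as a mismatch.
    public boolean verify(String viewId, String tag) throws Exception {
        if (viewId == null || tag == null) {
            return false;
        }
        byte[] expected = sign(viewId).getBytes(StandardCharsets.UTF_8);
        byte[] actual = tag.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret and view ids, for illustration only.
        RedirectToken rt = new RedirectToken(
                "constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String target = "/orders/list.xhtml";
        String tag = rt.sign(target);

        System.out.println("unchanged parameter accepted: " + rt.verify(target, tag));
        System.out.println("modified parameter accepted: " + rt.verify("/no/such/page.xhtml", tag));

        // On mismatch, navigate to a fixed page instead of the supplied outcome.
        String requested = "/no/such/page.xhtml";
        String outcome = rt.verify(requested, tag) ? requested : "/index.xhtml";
        System.out.println("navigation outcome: " + outcome);
    }
}
```

Because only values the filter itself signed pass `verify`, a manipulated parameter never reaches the JSF navigation handler, which also keeps it from being used as an open redirect.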
