12 Replies Latest reply on Sep 21, 2006 5:56 PM by jazir1979

    how to stop unknown user from seeing a page

      What's the right way to stop a page from ever being created if a condition isn't met? (Is there a way?) In the booking example, there's the @LoggedIn interceptor, but that seems to me to just stop the submission of a page if the user isn't logged in, but not the initial creation (e.g. http://seam.demo.jboss.com/password.seam ). I imagine it should just be a matter of specifying another class for @Around, but I'm still on the learning path for Seam... I did try creating an attribute on a bean annotated with @LoggedIn and getting some text to display using that attribute, but to no avail, it just took the text without triggering the interceptor.

      Thanks in advance. As always, apologies if I've missed something already posted.

        • 1. Re: how to stop unknown user from seeing a page

          Oh, and it would certainly be cool to be able to put something in faces messages about having redirected from the original URL...

          • 2. Re: how to stop unknown user from seeing a page
            gavin.king

            Use a page action.

            • 3. Re: how to stop unknown user from seeing a page

              Hmmm, I just tried this. How does one do it correctly? A simple implementation of that falls into an infinite loop between the browser and Seam/Faces:

              There's a "login.xhtml" page associated with a "login" action and a "groups.xhtml" page associated with a "groups" action. After a successful login, the application should take you to the groups page. The very first time the groups page is invoked, it detects that the user is not logged in and correctly redirects to the login page. However, after the successful login, it seems that the page action and the faces navigation just bounce back and forth with the browser.

              pages.xml:

              <pages>
               <page view-id="/groups.xhtml" action="#{groupManager.forceLogin}"/>
              </pages>
              


              faces-config.xml snippet:

               <navigation-case>
                 <from-outcome>login</from-outcome>
                 <to-view-id>/login.xhtml</to-view-id>
                 <redirect />
               </navigation-case>
               <navigation-case>
                 <from-outcome>groups</from-outcome>
                 <to-view-id>/groups.xhtml</to-view-id>
                 <redirect />
               </navigation-case>
              


              snippet of the group manager bean:

              @Stateful
              @Name("groupManager")
              @Scope(SESSION)
              @LoggedIn
              public class GroupManagerBean implements GroupManager, Serializable {
              ...
                  // Page action for /groups.xhtml (wired in pages.xml above).
                  // Returns a JSF navigation outcome; a non-null outcome re-enters
                  // navigation, so returning "groups" while already logged in renders
                  // /groups.xhtml again, which runs this action again (see replies 4 and 6).
                  public String forceLogin() {
                      String forcedAction;
                      if ( LoggedInInterceptor.isLoggedIn() ) {
                          forcedAction = "groups";
                      }
                      else {
                          forcedAction = "login";
                          facesMessages.add("#{messages.infoLoginRequired}");
                      }
                      System.out.println("GroupManagerBean.forceLogin() returning "+forcedAction);
                      return forcedAction;
                  }
              ...
              }
              


              LoggedInInterceptor.java snippet

              @Around({BijectionInterceptor.class, ValidationInterceptor.class,
                       ConversationInterceptor.class, BusinessProcessInterceptor.class})
              @Within(RemoveInterceptor.class)
              public class LoggedInInterceptor {

              ...

                  // Logged-in state is a marker attribute in the Seam session context;
                  // its presence (not its value) is what counts.
                  public static boolean isLoggedIn() {
                      boolean isLoggedInNow = Contexts.getSessionContext().get("loggedIn")!=null;
                      System.out.println("LoggedInInterceptor.isLoggedIn() returning "+isLoggedInNow);
                      return isLoggedInNow;
                  }

              }
              


              console output:

              17:59:44,976 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning false
              18:00:07,210 INFO [STDOUT] LoginAction.login() returning groups
              18:00:07,226 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
              18:00:07,226 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
              18:00:07,226 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
              18:00:07,242 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
              18:00:07,242 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
              18:00:07,242 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
              18:00:07,257 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
              18:00:07,257 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
              18:00:07,257 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
              18:00:07,273 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
              18:00:07,288 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
              18:00:07,288 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
              18:00:07,304 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
              18:00:07,304 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
              18:00:07,304 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
              .
              .
              .
              


              • 4. Re: how to stop unknown user from seeing a page

                This looks right to me. Right before groups.xhtml is rendered the page action is triggered, the result of the page action sends you back to groups.xhtml and triggers the page action, which sends you back...

                Try having your page action return "login" if you need a login and null if not. I think that'll work better.

                • 5. Re: how to stop unknown user from seeing a page
                  denis-karpov

                  there's the @LoggedIn interceptor, but that seems to me to just stop the submission of a page if the user isn't logged in


                  No. @LoggedIn prevents execution of any method on your bean through JSF and redirects you to login page, if you are not logged in.

                  Just clean up your forceLogin() method. For instance, make it empty.



                  • 6. Re: how to stop unknown user from seeing a page

                    Having the forceLogin method return null if no redirection was required fixed the problem. Thanks, Captain!

                    • 7. Re: how to stop unknown user from seeing a page
                      jazir1979

                      How do you do this with a view-id="*"?


                      <page view-id="*" action="#{groupManager.forceLogin}"/>


                      How do you put logic in the "forceLogin" action to return null if the user is not logged in but they are accessing your login page?

                      i.e. the pattern really should be "all pages except login.xhtml" rather than "*"

                      • 8. Re: how to stop unknown user from seeing a page
                        jazir1979


                        Is it using the FacesContext?

                        i.e. getViewRoot().getViewId()

                        • 9. Re: how to stop unknown user from seeing a page
                          raja05

                          "jazir1979" wrote:

                          i.e. the pattern really should be "all pages except login.xhtml" rather than "*"


                          I don't think there is a way to do this currently except mentioning the pages individually. But there is an enhancement request for this
                          http://jira.jboss.com/jira/browse/JBSEAM-341


                          • 10. Re: how to stop unknown user from seeing a page

                            You could also look into using a dedicated security framework like Acegi that would have richer options.

                            http://acegisecurity.org/

                            • 11. Re: how to stop unknown user from seeing a page
                              gavin.king

                              "jazir1979" wrote:

                              Is it using the FacesContext?

                              i.e. getViewRoot().getViewId()


                              Right, this is one way - the action can check the view-id.


                              The other way is to use a view-id like "/protected/*"

                              • 12. Re: how to stop unknown user from seeing a page
                                jazir1979

                                Thanks guys.

                                I've voted for the Jira issue and will keep an eye out for that RegExp support, I think it would be great.

                                For now, I got it working fine by not redirecting back to my login page for a certain view-id.
                                e.g. "/home.xhtml".equals(facesContext.getViewRoot().getViewId())

                                At some point we may put protected pages under an /admin area as suggested by Gavin, but we're not too sure yet.
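
The thread settles on three points: the page action must return null when no redirect is needed (otherwise navigation re-renders the page and re-runs the action), the login page itself must be exempted when the action is mapped to view-id="*", and an alternative is to map the action only to a prefix such as "/protected/*". The following is an added example that pulls those together; it is not code from the thread or from Seam. The class name LoginGuard, the constants PUBLIC_VIEWS and LOGIN, and the method names outcomeForAnyView and outcomeForProtectedView are assumptions. The decision logic is kept in static methods with no JSF dependency so it can be run from main(); the Seam side (view-id from FacesContext, logged-in flag from the session context) is the same as in the posts above and is shown only in the header comment.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/*
 * Added example (not from the thread or from Seam): outcome logic for a
 * login-guard page action. LoginGuard, PUBLIC_VIEWS, LOGIN,
 * outcomeForAnyView and outcomeForProtectedView are assumed names.
 *
 * Assumed wiring, following the thread:
 *   pages.xml:    <page view-id="*" action="#{loginGuard.check}"/>
 *   faces-config: outcome "login" -> /login.xhtml with <redirect/>
 *   check():      return outcomeForAnyView(
 *                     FacesContext.getCurrentInstance().getViewRoot().getViewId(),
 *                     Contexts.getSessionContext().get("loggedIn") != null);
 */
public class LoginGuard {

    /** Views an anonymous user may render; compared by exact view-id. */
    static final Set<String> PUBLIC_VIEWS =
        new HashSet<String>(Arrays.asList("/login.xhtml", "/home.xhtml"));

    /** Outcome that faces-config.xml maps to /login.xhtml. */
    static final String LOGIN = "login";

    /**
     * Page action outcome for a view-id="*" mapping.
     * null means "render the requested view as-is"; anything else triggers
     * a navigation rule. Returning null (not "groups") for the logged-in
     * case is what breaks the loop from reply 3: a non-null outcome
     * navigates to the page again, which runs this action again.
     */
    static String outcomeForAnyView(String viewId, boolean loggedIn) {
        if (loggedIn) {
            return null;
        }
        if (viewId != null && PUBLIC_VIEWS.contains(viewId)) {
            // Anonymous user already on the login page (or another public
            // view): no redirect, or /login.xhtml would redirect to itself.
            return null;
        }
        // Any other view, including a missing view-id, redirects (fail closed).
        return LOGIN;
    }

    /**
     * Page action outcome when pages.xml scopes the action to
     * <page view-id="/protected/*" .../> as suggested in reply 11.
     * The mapping excludes /login.xhtml by construction, so no view-id
     * check is needed here; the trade-off is that a page that needs
     * protection but lives outside /protected/ is silently unguarded.
     */
    static String outcomeForProtectedView(boolean loggedIn) {
        return loggedIn ? null : LOGIN;
    }

    public static void main(String[] args) {
        // Constructed cases; the expected outcome is in the comment.
        String[][] cases = {
            {"/groups.xhtml", "false"},   // anonymous on protected view -> login
            {"/login.xhtml",  "false"},   // anonymous on login page     -> null
            {"/groups.xhtml", "true"},    // logged in                   -> null
            {null,            "false"},   // no view-id                  -> login
        };
        for (String[] c : cases) {
            boolean loggedIn = Boolean.parseBoolean(c[1]);
            System.out.println("view=" + c[0] + " loggedIn=" + loggedIn
                + " -> " + outcomeForAnyView(c[0], loggedIn));
        }
        System.out.println("/protected/* anonymous -> "
            + outcomeForProtectedView(false));
    }
}
```

The exact-match allow-list is deliberate: the action runs on every request, including the redirect to /login.xhtml, so the exemption must be decided on the resolved view-id JSF hands the action, not on a substring of the URL. Whichever mapping is used, the guard only covers views that pages.xml actually routes through the action, so a new page is unprotected until it is either under the mapped prefix or covered by the "*" rule.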