-
1. Re: how to stop unknown user from seeing a page
dbatcn Jul 19, 2006 4:41 PM (in response to dbatcn)
Oh, and it would certainly be cool to be able to put something in faces messages about having redirected from the original URL...
-
2. Re: how to stop unknown user from seeing a page
gavin.king Jul 19, 2006 5:45 PM (in response to dbatcn)
Use a page action.
-
3. Re: how to stop unknown user from seeing a page
dbatcn Jul 19, 2006 9:22 PM (in response to dbatcn)
Hmmm, I just tried this. How does one do it correctly? A simple implementation of that falls into an infinite loop between the browser and Seam/Faces:
There's a "login.xhtml" page associated with a "login" action and a "groups.xhtml" page associated with a "groups" action. After a successful login, the application should take you to the groups page. The very first time the groups page is invoked, it detects that the user is not logged in and correctly redirects to the login page. However, after the successful login, it seems that the page action and the faces navigation just bounce back and forth with the browser.
pages.xml:

    <pages>
        <page view-id="/groups.xhtml" action="#{groupManager.forceLogin}"/>
    </pages>

faces-config.xml snippet:

    <navigation-case>
        <from-outcome>login</from-outcome>
        <to-view-id>/login.xhtml</to-view-id>
        <redirect />
    </navigation-case>
    <navigation-case>
        <from-outcome>groups</from-outcome>
        <to-view-id>/groups.xhtml</to-view-id>
        <redirect />
    </navigation-case>

snippet of the group manager bean:

    @Stateful
    @Name("groupManager")
    @Scope(SESSION)
    @LoggedIn
    public class GroupManagerBean implements GroupManager, Serializable {
        ...
        public String forceLogin() {
            String forcedAction;
            if ( LoggedInInterceptor.isLoggedIn() ) {
                forcedAction = "groups";
            } else {
                forcedAction = "login";
                facesMessages.add("#{messages.infoLoginRequired}");
            }
            System.out.println("GroupManagerBean.forceLogin() returning "+forcedAction);
            return forcedAction;
        }
        ...
    }

LoggedInInterceptor.java snippet:

    @Around({BijectionInterceptor.class, ValidationInterceptor.class,
             ConversationInterceptor.class, BusinessProcessInterceptor.class})
    @Within(RemoveInterceptor.class)
    public class LoggedInInterceptor {
        ...
        public static boolean isLoggedIn() {
            boolean isLoggedInNow = Contexts.getSessionContext().get("loggedIn")!=null;
            System.out.println("LoggedInInterceptor.isLoggedIn() returning "+isLoggedInNow);
            return isLoggedInNow;
        }
    }

console output:

    17:59:44,976 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning false
    18:00:07,210 INFO [STDOUT] LoginAction.login() returning groups
    18:00:07,226 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
    18:00:07,226 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
    18:00:07,226 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
    18:00:07,242 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
    18:00:07,242 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
    18:00:07,242 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
    18:00:07,257 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
    18:00:07,257 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
    18:00:07,257 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
    18:00:07,273 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
    18:00:07,288 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
    18:00:07,288 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
    18:00:07,304 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
    18:00:07,304 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
    18:00:07,304 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
    . . .
-
4. Re: how to stop unknown user from seeing a page
cptnkirk Jul 20, 2006 1:53 AM (in response to dbatcn)
This looks right to me. Right before groups.xhtml is rendered the page action is triggered, the result of the page action sends you back to groups.xhtml and triggers the page action, which sends you back...
Try having your page action return "login" if you need a login and null if not. I think that'll work better.
-
5. Re: how to stop unknown user from seeing a page
denis-karpov Jul 20, 2006 5:46 AM (in response to dbatcn)
there's the @LoggedIn interceptor, but that seems to me to just stop the submission of a page if the user isn't logged in
No. @LoggedIn prevents execution of any method on your bean through JSF and redirects you to the login page if you are not logged in.
Just clean up your forceLogin() method. For instance, make it empty.
-
6. Re: how to stop unknown user from seeing a page
dbatcn Jul 20, 2006 4:38 PM (in response to dbatcn)
Having the forceLogin method return null if no redirection was required fixed the problem. Thanks, Captain!
-
7. Re: how to stop unknown user from seeing a page
jazir1979 Sep 20, 2006 9:28 PM (in response to dbatcn)
How do you do this with a view-id="*"?

    <page view-id="*" action="#{groupManager.forceLogin}"/>

How do you put logic in the "forceLogin" action to return null if the user is not logged in but they are accessing your login page?
ie- the pattern really should be "all pages except login.xhtml" rather than "*"
-
8. Re: how to stop unknown user from seeing a page
jazir1979 Sep 20, 2006 9:36 PM (in response to dbatcn)
Is it using the FacesContext?
ie- getViewRoot().getViewId()
-
9. Re: how to stop unknown user from seeing a page
raja05 Sep 20, 2006 11:17 PM (in response to dbatcn)
"jazir1979" wrote:
ie- the pattern really should be "all pages except login.xhtml" rather than "*"
I don't think there is a way to do this currently except mentioning the pages individually. But there is an enhancement request for this:
http://jira.jboss.com/jira/browse/JBSEAM-341
-
10. Re: how to stop unknown user from seeing a page
cptnkirk Sep 21, 2006 1:58 AM (in response to dbatcn)
You could also look into using a dedicated security framework like Acegi that would have richer options.
http://acegisecurity.org/
-
11. Re: how to stop unknown user from seeing a page
gavin.king Sep 21, 2006 2:59 AM (in response to dbatcn)
"jazir1979" wrote:
Is it using the FacesContext?
ie- getViewRoot().getViewId()
Right, this is one way - the action can check the view-id.
The other way is to use a view-id like "/protected/*"
-
12. Re: how to stop unknown user from seeing a page
jazir1979 Sep 21, 2006 5:56 PM (in response to dbatcn)
Thanks guys.
I've voted for the Jira issue and will keep an eye out for that RegExp support, I think it would be great.
For now, I got it working fine by not redirecting back to my login page for a certain view-id.
Eg: "/home.xhtml".equals(facesContext.getViewRoot().getViewId())
At some point we may put protected pages under an /admin area as suggested by Gavin, but we're not too sure yet.
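
Added example, not part of the thread or of Seam's own code: a plain-Java model of the page action discussed above, showing why returning an outcome on every render loops and why returning null, with the login view exempted, terminates. The `request` helper, `PUBLIC_VIEWS` and the `NAVIGATION` map are assumptions that stand in for Seam's redirect handling with the action bound to every view (view-id="*").

```java
import java.util.Map;
import java.util.Set;
import java.util.function.BiFunction;

/** Models the thread's page action and redirect-on-outcome behaviour; no Seam or JSF classes are used. */
public class PageActionGuardDemo {

    // Assumption: navigation cases as in the thread's faces-config.xml (outcome -> view-id, with redirect).
    static final Map<String, String> NAVIGATION = Map.of(
            "login", "/login.xhtml",
            "groups", "/groups.xhtml");

    // Allow-list of views that stay reachable without a session; everything else requires login.
    static final Set<String> PUBLIC_VIEWS = Set.of("/login.xhtml");

    /** The version from post 3: always returns an outcome, so every render triggers a redirect. */
    static String forceLoginLooping(boolean loggedIn, String viewId) {
        return loggedIn ? "groups" : "login";
    }

    /** The fixed version: null means "render the requested view"; public views are exempt. */
    static String forceLoginFixed(boolean loggedIn, String viewId) {
        if (loggedIn || PUBLIC_VIEWS.contains(viewId)) {
            return null;
        }
        return "login";
    }

    /** Follows redirects until a view renders; returns "LOOP" once maxRedirects is exceeded. */
    static String request(String viewId, boolean loggedIn,
                          BiFunction<Boolean, String, String> action, int maxRedirects) {
        for (int i = 0; i <= maxRedirects; i++) {
            String outcome = action.apply(loggedIn, viewId);
            if (outcome == null) {
                return viewId;                // no navigation: the view is rendered
            }
            viewId = NAVIGATION.get(outcome); // redirect; the page action runs again
        }
        return "LOOP";
    }

    public static void main(String[] args) {
        // Logged-in user, original action: bounces between redirects.
        System.out.println(request("/groups.xhtml", true, PageActionGuardDemo::forceLoginLooping, 10));
        // Logged-in user, fixed action: the requested page renders.
        System.out.println(request("/groups.xhtml", true, PageActionGuardDemo::forceLoginFixed, 10));
        // Anonymous user, fixed action: one redirect to the exempt login view.
        System.out.println(request("/groups.xhtml", false, PageActionGuardDemo::forceLoginFixed, 10));
    }
}
```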