3 Replies Latest reply on Sep 11, 2008 10:44 AM by baobaotuo

    How to Secure pages with request parameters?

    baobaotuo

      I just want to secure some pages with request parameters.
      That means the userHome.xhtml page cannot be accessed without providing the userId request parameter.
      What I have tried to do is place the EL

      <restrict>#{userHome.userId gt 0}</restrict>

      in the pages.xml for userHome.xhtml. The userId request parameter is bound to userHome.userId.


      The problem is that when there is a form in userHome.xhtml such as searchUserForm, a security exception is thrown once the form is submitted in userHome.xhtml.
      The cause is that once I submit the form, the userHome.xhtml page is rerendered first(!!!!) even though the form's destination is searchResult.xhtml.
      So I got the security exception.

      Is it the JSF life cycle that rerenders userHome.xhtml first when a form is submitted?

      Then how can I secure pages with request parameters?


      Thanks for any help.

        • 1. Re: How to Secure pages with request parameters?
          baobaotuo

          I thought about a filter, but faced the same problem.

          The problem of rerendering first after submit is really driving me crazy.


          Help!!!!!!!!!

          • 2. Re: How to Secure pages with request parameters?
            baobaotuo
            I just wrote a filter to trace the request state.

            When entering the "member/home.xhtml" page,
            I got
            httpRequest.getRequestURI() /jeehe/member/home.seam
            httpRequest.getRequestURL() http://localhost:8080/jeehe/member/home.seam
            httpRequest.getContextPath() /jeehe
            httpRequest.getLocalAddr() 0.0.0.0
            httpRequest.getLocalName() 0.0.0.0
            httpRequest.getLocalPort() 8080
            httpRequest.getMethod() GET
            httpRequest.getPathInfo() null
            httpRequest.getPathTranslated() null
            httpRequest.getProtocol() HTTP/1.1
            httpRequest.getQueryString() memberId=1&cid=1
            httpRequest.getRemoteAddr() 0:0:0:0:0:0:0:1
            httpRequest.getRemoteHost() 0:0:0:0:0:0:0:1
            httpRequest.getRemotePort() 2048
            httpRequest.getRemoteUser() null
            httpRequest.getRequestedSessionId() 0B37071E4808F260069E4ABAE1A9CC46
            httpRequest.getScheme() http
            httpRequest.getServerName() localhost
            httpRequest.getServerPort() 8080
            httpRequest.getServletPath() /member/home.seam

            Then I submitted the form and
            I got
            httpRequest.getRequestURI() /jeehe/member/home.seam
            httpRequest.getRequestURL() http://localhost:8080/jeehe/member/home.seam
            httpRequest.getContextPath() /jeehe
            httpRequest.getLocalAddr() 0.0.0.0
            httpRequest.getLocalName() 0.0.0.0
            httpRequest.getLocalPort() 8080
            httpRequest.getMethod() POST
            httpRequest.getPathInfo() null
            httpRequest.getPathTranslated() null
            httpRequest.getProtocol() HTTP/1.1
            httpRequest.getQueryString() null
            httpRequest.getRemoteAddr() 0:0:0:0:0:0:0:1
            httpRequest.getRemoteHost() 0:0:0:0:0:0:0:1
            httpRequest.getRemotePort() 2048
            httpRequest.getRemoteUser() null
            httpRequest.getRequestedSessionId() 0B37071E4808F260069E4ABAE1A9CC46
            httpRequest.getScheme() http
            httpRequest.getServerName() localhost
            httpRequest.getServerPort() 8080
            httpRequest.getServletPath() /member/home.seam
            httpRequest.getRequestURI() /jeehe/search/index.seam
            httpRequest.getRequestURL() http://localhost:8080/jeehe/search/index.seam
            httpRequest.getContextPath() /jeehe
            httpRequest.getLocalAddr() 0.0.0.0
            httpRequest.getLocalName() 0.0.0.0
            httpRequest.getLocalPort() 8080
            httpRequest.getMethod() GET
            httpRequest.getPathInfo() null
            httpRequest.getPathTranslated() null
            httpRequest.getProtocol() HTTP/1.1
            httpRequest.getQueryString() searchQuery=%E6%B5%8B%E8%AF%95&searchType=all&cid=5
            httpRequest.getRemoteAddr() 0:0:0:0:0:0:0:1
            httpRequest.getRemoteHost() 0:0:0:0:0:0:0:1
            httpRequest.getRemotePort() 2048
            httpRequest.getRemoteUser() null
            httpRequest.getRequestedSessionId() 0B37071E4808F260069E4ABAE1A9CC46
            httpRequest.getScheme() http
            httpRequest.getServerName() localhost
            httpRequest.getServerPort() 8080
            httpRequest.getServletPath() /search/index.seam

            Obviously,
            it rerenders /member/home.xhtml and loses the parameter (httpRequest.getQueryString() null).
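
The observation in the trace above, as an added example that is not part of the original post: a short Python script that splits filter output in this format into requests and reports which ones reach the guarded view without its parameter. The trimmed trace is a constructed sample built from the lines above, and the `GUARDED` mapping and the function names are assumptions of this example.

```python
from urllib.parse import parse_qs

# Constructed sample: the three requests from the trace above, trimmed to
# the fields the analysis needs.
TRACE = """\
httpRequest.getRequestURI() /jeehe/member/home.seam
httpRequest.getMethod() GET
httpRequest.getQueryString() memberId=1&cid=1
httpRequest.getServletPath() /member/home.seam
httpRequest.getRequestURI() /jeehe/member/home.seam
httpRequest.getMethod() POST
httpRequest.getQueryString() null
httpRequest.getServletPath() /member/home.seam
httpRequest.getRequestURI() /jeehe/search/index.seam
httpRequest.getMethod() GET
httpRequest.getQueryString() searchQuery=%E6%B5%8B%E8%AF%95&searchType=all&cid=5
httpRequest.getServletPath() /search/index.seam
"""

# Assumption: servlet path -> request parameter its access rule depends on.
GUARDED = {"/member/home.seam": "memberId"}

def parse_trace(text):
    """Split the trace into one dict per request; getRequestURI starts a record."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("httpRequest."):
            continue
        key, _, value = line[len("httpRequest."):].partition("() ")
        if key == "getRequestURI":
            requests.append({})
        if requests:
            requests[-1][key] = None if value == "null" else value
    return requests

def requests_missing_param(requests, guarded=GUARDED):
    """Return (method, path) for requests to a guarded view that lack its parameter."""
    hits = []
    for req in requests:
        needed = guarded.get(req.get("getServletPath"))
        if needed and needed not in parse_qs(req.get("getQueryString") or ""):
            hits.append((req.get("getMethod"), req["getServletPath"]))
    return hits

if __name__ == "__main__":
    for method, path in requests_missing_param(parse_trace(TRACE)):
        print(f"{method} {path}: guard parameter missing")
```

Only the form postback is reported: it targets the originating view, not the search page, and carries no query string, so a rule that depends on `memberId` has nothing to evaluate at that point.
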
            • 3. Re: How to Secure pages with request parameters?
              baobaotuo
              I figured out that the code below is the cause of this problem.

              package org.jboss.seam.navigation;

              import javax.faces.context.FacesContext;

              public final class Page
              {
                 // ... rest of the class omitted ...

                 /**
                  * Check the restore permission.
                  */
                 public void postRestore(FacesContext facesContext)
                 {
                    checkPermission(facesContext, "restore");
                 }
              }

              Once I delete the

              checkPermission(facesContext, "restore");

              no security exception is thrown.
              I think this is just a simple but not safe approach to this problem.

              Can the Seam team tell me:
              once I delete the line above, will any fatal bug appear?