12 Replies Latest reply on Sep 21, 2006 5:56 PM by Daniel Young

    how to stop unknown user from seeing a page

    David Bernstein Newbie

      What's the right way to stop a page from ever being created if a condition isn't met? (Is there a way?) In the booking example, there's the @LoggedIn interceptor, but that seems to me to just stop the submission of a page if the user isn't logged in, but not the initial creation (e.g. http://seam.demo.jboss.com/password.seam ). I imagine it should just be a matter of specifying another class for @Around, but I'm still on the learning path for Seam... I did try creating an attribute on a bean annotated with @LoggedIn and getting some text to display using that attribute, but to no avail; it just took the text without triggering the interceptor.

      Thanks in advance. As always, apologies if I've missed something already posted.

        • 1. Re: how to stop unknown user from seeing a page
          David Bernstein Newbie

          Oh, and it would certainly be cool to be able to put something in faces messages about having redirected from the original URL...

          • 3. Re: how to stop unknown user from seeing a page
            David Bernstein Newbie

            Hmmm, I just tried this. How does one do it correctly? A simple implementation of that falls into an infinite loop between the browser and Seam/Faces:

            There's a "login.xhtml" page associated with a "login" action and a "groups.xhtml" page associated with a "groups" action. After a successful login, the application should take you to the groups page. The very first time the groups page is invoked, it detects that the user is not logged in and correctly redirects to the login page. However, after the successful login, it seems that the page action and the faces navigation just bounce back and forth with the browser.

            pages.xml:

            <pages>
                <page view-id="/groups.xhtml" action="#{groupManager.forceLogin}"/>
            </pages>


            faces-config.xml snippet:

             <navigation-case>
                 <from-outcome>login</from-outcome>
                 <to-view-id>/login.xhtml</to-view-id>
                 <redirect />
             </navigation-case>
             <navigation-case>
                 <from-outcome>groups</from-outcome>
                 <to-view-id>/groups.xhtml</to-view-id>
                 <redirect />
             </navigation-case>


            snippet of the group manager bean:

            @Stateful
            @Name("groupManager")
            @Scope(SESSION)
            @LoggedIn
            public class GroupManagerBean implements GroupManager, Serializable {
            ...
                // Page action declared for /groups.xhtml in pages.xml; always returns a navigation outcome
                public String forceLogin() {
                    String forcedAction;
                    if ( LoggedInInterceptor.isLoggedIn() ) {
                        forcedAction = "groups";
                    }
                    else {
                        forcedAction = "login";
                        facesMessages.add("#{messages.infoLoginRequired}");
                    }
                    System.out.println("GroupManagerBean.forceLogin() returning "+forcedAction);
                    return forcedAction;
                }
            ...
            }


            LoggedInInterceptor.java snippet

            @Around({BijectionInterceptor.class, ValidationInterceptor.class,
                     ConversationInterceptor.class, BusinessProcessInterceptor.class})
            @Within(RemoveInterceptor.class)
            public class LoggedInInterceptor {

            ...

                // A user counts as logged in when the session context holds a "loggedIn" entry
                public static boolean isLoggedIn() {
                    boolean isLoggedInNow = Contexts.getSessionContext().get("loggedIn")!=null;
                    System.out.println("LoggedInInterceptor.isLoggedIn() returning "+isLoggedInNow);
                    return isLoggedInNow;
                }

            }


            console output:

            17:59:44,976 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning false
            18:00:07,210 INFO [STDOUT] LoginAction.login() returning groups
            18:00:07,226 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
            18:00:07,226 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
            18:00:07,226 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
            18:00:07,242 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
            18:00:07,242 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
            18:00:07,242 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
            18:00:07,257 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
            18:00:07,257 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
            18:00:07,257 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
            18:00:07,273 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
            18:00:07,288 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
            18:00:07,288 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
            18:00:07,304 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
            18:00:07,304 INFO [STDOUT] LoggedInInterceptor.isLoggedIn() returning true
            18:00:07,304 INFO [STDOUT] GroupManagerBean.forceLogin() returning groups
            ...


            • 4. Re: how to stop unknown user from seeing a page
              Jim Hazen Expert

              This looks right to me. Right before groups.xhtml is rendered the page action is triggered, the result of the page action sends you back to groups.xhtml and triggers the page action, which sends you back...

              Try having your page action return "login" if you need a login and null if not. I think that'll work better.

              • 5. Re: how to stop unknown user from seeing a page
                Denis Karpov Newbie


                there's the @LoggedIn interceptor, but that seems to me to just stop the submission of a page if the user isn't logged in


                No. @LoggedIn prevents execution of any method on your bean through JSF and redirects you to the login page, if you are not logged in.

                Just clean up your forceLogin() method. For instance, make it empty.



                • 6. Re: how to stop unknown user from seeing a page
                  David Bernstein Newbie

                  Having the forceLogin method return null if no redirection was required fixed the problem. Thanks, Captain!

                  • 7. Re: how to stop unknown user from seeing a page
                    Daniel Young Novice

                    How do you do this with a view-id="*"?


                    <page view-id="*" action="#{groupManager.forceLogin}"/>


                    How do you put logic in the "forceLogin" action to return null if the user is not logged in but they are accessing your login page?

                    i.e. the pattern really should be "all pages except login.xhtml" rather than "*"

                    • 8. Re: how to stop unknown user from seeing a page
                      Daniel Young Novice


                      Is it using the FacesContext?

                      i.e. getViewRoot().getViewId()

                      • 9. Re: how to stop unknown user from seeing a page
                        Raja Master


                        "jazir1979" wrote:

                        i.e. the pattern really should be "all pages except login.xhtml" rather than "*"


                        I don't think there is a way to do this currently except mentioning the pages individually. But there is an enhancement request for this:
                        http://jira.jboss.com/jira/browse/JBSEAM-341


                        • 10. Re: how to stop unknown user from seeing a page
                          Jim Hazen Expert

                          You could also look into using a dedicated security framework like Acegi that would have richer options.

                          http://acegisecurity.org/

                          • 11. Re: how to stop unknown user from seeing a page
                            Gavin King Master


                            "jazir1979" wrote:

                            Is it using the FacesContext?

                            i.e. getViewRoot().getViewId()


                            Right, this is one way - the action can check the view-id.


                            The other way is to use a view-id like "/protected/*"

                            • 12. Re: how to stop unknown user from seeing a page
                              Daniel Young Novice

                              Thanks guys.

                              I've voted for the Jira issue and will keep an eye out for that RegExp support, I think it would be great.

                              For now, I got it working fine by not redirecting back to my login page for a certain view-id.
                              e.g. "/home.xhtml".equals(facesContext.getViewRoot().getViewId())

                              At some point we may put protected pages under an /admin area as suggested by Gavin, but we're not too sure yet.
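A page action that combines the two fixes the thread arrives at (reply 4's "return null when no redirect is needed" and replies 11 and 12's "check the view-id so the login page is exempt"), written as an added example rather than code from the thread or from Seam. The component name `loginGuard`, the contents of the allowlist and the message text are assumptions; the `"loggedIn"` session key and the `login` outcome come from the thread.

```java
import java.io.Serializable;

import javax.faces.context.FacesContext;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.core.FacesMessages;

// Wired from pages.xml as: <page view-id="*" action="#{loginGuard.check}"/>
// The component name "loginGuard" and the PUBLIC_VIEWS list are assumptions for this example.
@Name("loginGuard")
@Scope(ScopeType.EVENT)
public class LoginGuard implements Serializable {

    // Deny by default: only these views render without a logged-in session.
    private static final String[] PUBLIC_VIEWS = { "/login.xhtml", "/home.xhtml" };

    @In
    private FacesMessages facesMessages;

    // Pure decision, kept separate from JSF so it can be unit tested:
    // null = render the requested view as-is, "login" = navigation outcome that redirects.
    public static String outcomeFor(boolean loggedIn, String viewId) {
        if (loggedIn) {
            return null;   // never return an outcome for the current view: that re-runs the action
        }
        for (String view : PUBLIC_VIEWS) {
            if (view.equals(viewId)) {
                return null;   // the login page itself must stay reachable or the redirect loops
            }
        }
        return "login";        // matched by <from-outcome>login</from-outcome> in faces-config.xml
    }

    // Seam page action: runs before every view because of the "*" pattern in pages.xml.
    public String check() {
        boolean loggedIn = Contexts.getSessionContext().get("loggedIn") != null;
        String viewId = FacesContext.getCurrentInstance().getViewRoot().getViewId();
        String outcome = outcomeFor(loggedIn, viewId);
        if (outcome != null) {
            facesMessages.add("Please log in to view this page");
        }
        return outcome;
    }
}
```

Keeping the protected set as an allowlist of public views (rather than a list of protected ones) means a newly added page is protected unless someone deliberately exempts it, which is the safer default when the pattern is `"*"`.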