11 Replies Latest reply on Feb 13, 2008 6:49 PM by Harry Walneck

    Forced login?

    Tony Mai Apprentice

      I would like users to login before they may view any pages on my application. I tried the following config in the pages.xml:

      <page view-id="*" login-required="true"/>


      Yet I was able to type the URL directly on the web browser and got to any pages I wanted.

      What should I have done differently?

      Thanks

        • 1. Re: Forced login?
          Gavin King Master

          that should work...

          • 2. Re: Forced login?
            Sean Burns Newbie

            If you used seam-gen to generate your project, that should work out the box.

            • 3. Re: Forced login?
              Tony Mai Apprentice

              OK I found an overlapped rule. Once I removed it, I now faced the following server redirecting problem:

              The page isn't redirecting properly
              Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

              * This problem can sometimes be caused by disabling or refusing to accept cookies.


              There was no log entry indicating the redirection, I could not find what address the server is redirecting the browser to.

              I tried using seam-gen to create a new project. There's no forced login in it at all. I was able to go to /home.seam without logging in. After I modified the pages.xml to include
              <page view-id="*" login-required="true">
               <navigation>
               <rule if-outcome="home">
               <redirect view-id="/home.xhtml"/>
               </rule>
               </navigation>
               </page>


              I ran into the same redirecting problem.

              I need to know what address the server is redirecting the browser to. How do I find that out?

              Thanks




              • 4. Re: Forced login?
                Gavin King Master

                 

                <page view-id="*" login-required="true">


                Um ???!!!

                You need to define exactly which pages, *not* including the login page.

                There's no forced login in it at all.


                Yes there is, try editing something.

                • 5. Re: Forced login?
                  Tony Mai Apprentice

                  My bad. I thought we could use wild card for login requirements. Once I specified individual pages (quite tedious) , they seemed to work fine.

                  Thanks

                  • 6. Re: Forced login?
                    Eric van Lydegraf Newbie

                    you can use the wildcard but you have to specify a login page

                    <pages login-view-id="/login.xhtml">

                    <!-- Im not 100% sure if this is needed, but my paranoia led me to do it -->
                    <page view-id="/login.xhtml" login-required="false">
                    Login Page


                    <page view-id="*" login-required="true">




                    PS. Watchout for @Restrict beans on the login page - or you'll end up in a loop :D

                    • 7. Re: Forced login?
                      Eric van Lydegraf Newbie

                      Hmm my snipet didn't come out right.

                      One more try

                      <pages login-view-id="/login.xhtml">
                      
                      <!-- Im not 100% sure if this is needed, but my paranoia led me to do it -->
                      <page view-id="/login.xhtml" login-required="false">
                       <description>Login Page</description>
                      </page>
                      
                      <page view-id="*" login-required="true">
                      </page>
                      </pages>


                      • 8. Re: Forced login?
                        Gavin King Master

                        The code is:

                        private boolean isLoginRedirectRequired(String viewId, Page page)
                         {
                         return page.isLoginRequired() &&
                         !viewId.equals( getLoginViewId() ) &&
                         !Identity.instance().isLoggedIn();
                         }
                        
                        


                        So you don't have to add the "paranoid" bit ;-)

                        • 9. Re: Forced login?
                          Markus Wolf Newbie

                          I have a similar request for my page navigation. We have two login pages in our project.
                          There is a registration page which does not require login, but when the user registers successful, then no login should be required. Also there should be a login page for already registered users.
                          I've defined my pages.xml as follows:

                          <?xml version="1.0" encoding="UTF-8"?>
                          <!DOCTYPE pages PUBLIC
                           "-//JBoss/Seam Pages Configuration DTD 1.2//EN"
                           "http://jboss.com/products/seam/pages-1.2.dtd">
                          <pages login-view-id="/login.xhtml">
                          
                           <page view-id="/login.xhtml" login-required="false">
                           <param name="c" value="#{campaign.id}" />
                          
                           <action if="#{validation.succeeded}"
                           execute="#{identity.login()}" />
                          
                           <navigation>
                           <rule if="#{identity.loggedIn}">
                           <redirect view-id="/invite.xhtml" />
                           </rule>
                           </navigation>
                           </page>
                          
                           <page view-id="/register.xhtml" login-required="false">
                           <param name="c" value="#{campaign.id}" />
                          
                           <action if="#{validation.succeeded}"
                           execute="#{register.register(person)}" />
                           </page>
                          
                           <page view-id="*" login-required="true">
                           <navigation from-action="#{identity.logout()}">
                           <redirect view-id="/login.xhtml" />
                           </navigation>
                           </page>
                          
                           <exception class="org.jboss.seam.security.NotLoggedInException">
                           <redirect view-id="/login.xhtml">
                           <message severity="warn">Please login first.</message>
                           </redirect>
                           </exception>
                          
                          </pages>
                          


                          But the register.xhtml page does redirect to the login.xhtml page... Any ideas?

                          • 10. Re: Forced login?
                            Markus Wolf Newbie

                            Does nobody have an idea why setting login-required="false" does not work?

                            • 11. Re: Forced login?
                              Harry Walneck Newbie

                               

                              "paradigmza" wrote:
                              If you used seam-gen to generate your project, that should work out the box.



                              How does seam-gen do this out of the box?
                              What configuration changes does it do to enable this to faces-config.xml, pages.xml and components.xml?

                              Thanks....