[solved] authorization with phaselistener problem

hi all,

i am trying to use a phase listener for authorization in my jsf web application. the phase listener works fine that he redirect to the login page if the user visit a protected side or let the user go for a public side. but that's all, he just redirect or not.
my actual problem is that i don't know how to let the phase listener recognize that the user is signed in and which name or which role he has. i need a "isLoggedIn" method in my phase listener, but i don't know how to get these information of username and role. i have a loginBean which is used by my login.jsp. the login method of this bean checks if it can find the given username in a database and checks the given password, if that all works fine the method return "succes" for the navigation-role.
how can i get the phase listener to know that the user just signed in? what's there to do in my LoginBean?

here is my code.

the phaselistener
public class LoggedInCheck implements PhaseListener { public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; } public void beforePhase(PhaseEvent event) { } public void afterPhase(PhaseEvent event) { FacesContext fc = event.getFacesContext(); boolean loginPage; boolean onFreeSite = false; Set<String> freeSites = new HashSet<String>(); freeSites.add("loginSite.jsp"); freeSites.add("registrationSite.jsp"); freeSites.add("welcomeSite.jsp"); freeSites.add("index.jsp"); for(String site : freeSites) { if(fc.getViewRoot().getViewId().endsWith(site)){ onFreeSite = true; } } if(onFreeSite) { loginPage = true; } else { loginPage = false; } if (!loginPage && !loggedIn()) { NavigationHandler nh = fc.getApplication().getNavigationHandler(); nh.handleNavigation(fc, null, "logout"); } } private boolean loggedIn() { return false; } }
return of loggedIn is false for testing the redirect.

that's my LoginBean:
public class LoginBean { String userName; String password; public String login() { String result = "failure"; UserPersistenceFacade userPersistenceFacade = new UserPersistenceFacade(); User user = new User(); try { user = userPersistenceFacade.findUserByName(userName); this.password = user.getPassword(); this.userName = user.getUserName(); if (user.getPassword().equals(password)) { result = "success"; } } catch (HibernateException ex) { } return result; } public String getPassword() { return password; } public void setPassword(String password) { this.password = password; } public String getUserName() { return userName; } public void setUserName(String userName) { this.userName = userName; } }

how can i put these things together? hope someone can help me!
regards, benjamin

You shouldn't couple authorization that tight with JSF. Better make use of container managed authentication and/or a simple filter acting on an url-pattern covering the protected pages.

yeah thanks for the hint, i solved it with container managed authentication.

This how to helped me with it.

regards,
benjamin

Benjamin Dittwald wrote:yeah thanks for the hint, i solved it with container managed authentication.

This how to helped me with it.

regards,
benjamin

You could also go on with what you started, doing the following:
- when the user logs in, you keep his/her credentials (e.g. an instance of the LoginBean) in the session
- in the filter you check if the LoginBean instance is present in the session and depending on that, you forward to the right page

I hope this helps.
(example: http://forums.sun.com/thread.jspa?forumID=881&threadID=5050520)

Greetings,
Sorin

thanks for your reply, i'll keep that in mind, but i already solved it with the solution above. its for my bachelor and there is no more time for changes.

greetings,
benjamin