Page restriction if not logged in

 
Greenhorn
Posts: 8
Hey :)

I have a little burning project problem >.>

First the user shall authenticate with a TAN
--> if the TAN is wrong: error page
--> if correct: show the form

and then a strict order --> show the form solved --> page with a send-form button --> page with confirmation that the form was sent

but currently you can jump over the authentication directly to the other pages

my bean is session scoped:


A quick and simple solution would be awesome.

Greetings
Rob

edit:
this looks pretty interesting:
http://brendangraetz.wordpress.com/2010/06/17/use-servlet-filters-for-user-authentication/
but I don't really understand what he means by:
"Subclass the `LoginFilter` as a concrete class, `MemberLoginFilter`, by implementing the `isAuth` method"

edit2:
another solution could be:
http://thierrywasyl.wordpress.com/2009/06/22/create-your-own-filter-in-jsf/
worked nearly perfectly, but after login and filling out the form, you return back to the login ._.
 
Saloon Keeper
Posts: 27762
Jumping over authorizations is one of the most common forms of security exploits and is the Number 1 reason why I discourage people from creating their own security subsystems.

If you want a "simple" way to avoid this, don't write your own login or security code. Use the system that's part of the J2EE standard. It's based on URL patterns, and if a URL matches a secured pattern the server will immediately force a login and not even allow the URL to reach the web application unless they pass authentication and authorization.
 
Greenhorn
Posts: 9
Rob,

I've done this using Glassfish, a Life Cycle to check for roles, and a login bean. The life cycle looks like this:



The life cycle above is run every time someone visits a page on your site. I used this to check if the user had roles to be on the page by having a database with the username and a roles table assigned to them. This process is put in the afterPhase and you'll have to write code to check your database. You don't have to use this, but it's a good check if you want to prevent people from jumping to pages that require certain roles or to protect certain folders. Don't use this for logging in though. Tim is right when he says use the J2EE for logging in. I think more of what you are looking for is plain old logging in. In Glassfish, all you need to do is create users within the realm, mod the web.xml to throw the user to the login page, a login controller, and a login bean.

LoginBean.java


LoginController.java (This is exposed so you can use it on your pages)

web.xml


In GlassFish, if you want the login to be checked against the realm, make sure it matches in the web.xml where it says <realm-name>file</realm-name>.
 