I am trying to implement a login solution with jsf. what needs to happen is that if the user requests a page other than the login page and is not logged in they will be redirected to another page. No problem, except in jsf ( apparently )
First I tried to implement it using a page backing bean and the beforeRestoreView method, but alas it or no other event methods seem to be getting called on the first load.
Next, I thought I could implement a phaseListener that would redirect, but that didn't work as the thread continued and caused a response committed error.
Finally, I tried to use a filter, no access to the session object though.
Is there anyway that I can do this, short of writing my own FacesServlet or anything crazy like that? I am using sun's jsf implementation, but would gladly switch to something else, if it allowed for a simple solution.
In some of my JSF applications, I have a login form which navigates to an unseen page if the authentication is successful. If the authentication is unsuccessful, the login page is reloaded.
This "unseen" page sets an attribute to "AUTHENTICATED" in the session using JSP scripting. After that attribute is set, it forwards the user into the actual application (a greeting page). All of the other pages in the application first check to ensure that this session attribute equals "AUTHENTICATED" prior to allowing access to the page...if it does not, then the user is forwarded directly to the login page. This prevents people from navigating to any page they wish without successfully authenticating.
It sounds like the scenario I have going above is even more than you need. I think all you need to do is set up different navigation cases in your faces-config depending upon if the user has logged into the application or not. In other words, in your backing bean, check to ensure that the user has authenticated somehow and send back an appropriate message to the faces-config. You could implement a solution as I have as well, it works for me.
I hope this helps!
Database Administrator/Application Developer
Joined: Oct 29, 2003
That sounds something like what I need. However, I have not been able to get a bean to check the login since none of the events are being called on the bean for the first request.
I know on the first request that jsf is supposed to call restoreView and then skip to renderResponse, so this leads me to believe that the beforeRestoreView should be called but it isn't. Where did you put your authentication checking logic?
Joined: Jun 16, 2004
My authentication logic is in a backing bean. When the user hits the "Login" button, my login method is performed within the backing bean. Upon success, the message "SUCCESS" is returned and the faces-config then navigates to my "unseen" page. As I said earlier, the unseen page is a place holder so that I can throw a session attribute denoting that the user is authenticated...this page forwards into another application page so the user never sees it.
In your application, what component are you using for user navigation? In other words, is there a link or button to the next form? When the user is not logged in (and does not wish to log in), do they use a link or button to get to the next page?
If you are using one of the components listed above, you could tie an ActionEvent to that component which could perform a backing bean method upon invokation (ie: onclick). This is just a thought.
Originally posted by Gregg Bolinger: I think you are wanting JSF to do more than it was designed to do. You mentioned you tried using a Servlet Filter, which is what I would do, but that the session wasn't available from the Filter?
Probably he tried to get the session in a "JSF Way" i.e. from the FacesContext instance, which won't work as Filter are called before FCtx instance is initialised by FacesServlet.
Joined: Oct 29, 2003
No, I realize that FacesContext is not available in a filter. What I did not realize was that a ServletRequest could be safely casted into a HttpServletRequest. I would like to know why the ServletResponse/Request are passed in instead of HttpServletRequest.
I believe the filter is the best way to implement this, since JSF should not be handling stuff like login and such.
Thanks, for the help
Joined: May 30, 2002
Originally posted by Kerry Wilson: I would like to know why the ServletResponse/Request are passed in instead of HttpServletRequest.
To allow future generations to use our filter in a non-HTTP servlet environment, in case they want so