Meaningless Drivel is fun!*
The moose likes JSF and the fly likes Securing JSF pages Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » JSF
Bookmark "Securing JSF pages" Watch "Securing JSF pages" New topic

Securing JSF pages

Kevin P Smith
Ranch Hand

Joined: Feb 18, 2005
Posts: 362
Hi guys

Could enyone help with some advice on how to protect secure pages in a JSF2.0 webapp?

My basic page structure is

/pages/ - standard pages
/pages/secure - secure pages

I have implemented a Filter which uses the url-pattern "/secure/*", this Filter checks to see if the HttpSession has a value called 'isAuthenticated', if not it redirects to the login page.

My welcome-page is [http://localhost/pages/index.jsf]

This Filter works if you type in the URL manually, say:
- http://localhost/pages/secure/myaccount.jsf

The will pass into the Filter and redirects as expected, the problem comes when I use a commandLink. Even though it has this action [action="/pages/secure/myaccount.jsf"] it loads the secure page, bypassing the Filter. I believe this is because the URL still has the following:

- http://localhost/pages/index.jsf

How can I get the JSF page to go through the Filter when called from a commandLink (or similar)?

Cheers in advance

Nick Potter
Ranch Hand

Joined: May 07, 2008
Posts: 126
try with a <redirect/> in the faces-config, where you specify what the outcome for your command link action goes.

<from-outcome>your outcome</from-outcome>
Kevin P Smith
Ranch Hand

Joined: Feb 18, 2005
Posts: 362
Thanks for that, I am using JSF2.0 so I have avoided the XML thing.

Would the same thing work if I had a class called something like NavigationController which has a method for this redirect and called that method in the commandLink?


Or something.
Nick Potter
Ranch Hand

Joined: May 07, 2008
Posts: 126
The redirect thingy performs an additional request to the server, so when you click the link it actually hits the server twice. I haven't touched JSF 2, so i don't know how you can achieve this.
I agree. Here's the link:
subject: Securing JSF pages
Similar Threads
Filter URL mappings
exclude url-pattern in filter-mapping
JSF configuration
modifying URL query string
integration of struts- jsf Problem related t url