File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes JSF and the fly likes Securing JSF pages Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSF
Bookmark "Securing JSF pages" Watch "Securing JSF pages" New topic

Securing JSF pages

Kevin P Smith
Ranch Hand

Joined: Feb 18, 2005
Posts: 362
Hi guys

Could enyone help with some advice on how to protect secure pages in a JSF2.0 webapp?

My basic page structure is

/pages/ - standard pages
/pages/secure - secure pages

I have implemented a Filter which uses the url-pattern "/secure/*", this Filter checks to see if the HttpSession has a value called 'isAuthenticated', if not it redirects to the login page.

My welcome-page is [http://localhost/pages/index.jsf]

This Filter works if you type in the URL manually, say:
- http://localhost/pages/secure/myaccount.jsf

The will pass into the Filter and redirects as expected, the problem comes when I use a commandLink. Even though it has this action [action="/pages/secure/myaccount.jsf"] it loads the secure page, bypassing the Filter. I believe this is because the URL still has the following:

- http://localhost/pages/index.jsf

How can I get the JSF page to go through the Filter when called from a commandLink (or similar)?

Cheers in advance

Nick Potter
Ranch Hand

Joined: May 07, 2008
Posts: 126
try with a <redirect/> in the faces-config, where you specify what the outcome for your command link action goes.

<from-outcome>your outcome</from-outcome>
Kevin P Smith
Ranch Hand

Joined: Feb 18, 2005
Posts: 362
Thanks for that, I am using JSF2.0 so I have avoided the XML thing.

Would the same thing work if I had a class called something like NavigationController which has a method for this redirect and called that method in the commandLink?


Or something.
Nick Potter
Ranch Hand

Joined: May 07, 2008
Posts: 126
The redirect thingy performs an additional request to the server, so when you click the link it actually hits the server twice. I haven't touched JSF 2, so i don't know how you can achieve this.
I agree. Here's the link:
subject: Securing JSF pages
Similar Threads
modifying URL query string
exclude url-pattern in filter-mapping
Filter URL mappings
JSF configuration
integration of struts- jsf Problem related t url