In my code below, if the validatedUser == true then I get stuck in a loop in that the method completes but then I come right back into the method yet again and again... The page is never redirected to the index.jsp page.
If the user is NOT validated the sendRedirect to the validationFailed.jsp page works GREAT, thanks to Nirvan's help. But if the user IS validated then again I'm just stuck in that the doFilter() is just executed repetitively.
The only thing that I can think of is that the REDIRECT for a validated user is the SAME as the URI. Is that the issue? If so, how can I correct it so as to redirect the user and get out of the doFilter()?
I do not understand what I am doing wrong. If the user IS validated how can I just redirect this user to the "/CSC-ARXfer/faces/index.jsp" page? That is all I'm needing to do.
Any help/direction/suggestion would be greatly appreciated. Here is the code:
You know, you're really making a good case for my contention that in addition to being insecure, Do-It-Yourself security systems are really expensive to implement compared to using the pre-debugged alternatives.
I think that your problem is that you're not checking to see if the initial target of the request isn't already your redirect page. Since you're authenticated, that just means you'd end up redirecting to the same page you're already coming to.
Try putting in a test for the target URL and if it's the same as the redirect URL, don't redirect.
An IDE is no substitute for an Intelligent Developer.
Seriously, the biggest help I can give is the advice to choose your battles. Time spent re-inventing security functions is time (and money) that could have been spent on tasks that are unique to your business. If you have time to burn, a lot of people out here want to know where to send their résumés!
However, from a purely technical point, the usual thing to do if you're already at your destination is nothing at all.
More specifically, since you're dealing with servlet filters, and they're chained together, just pass the request to the next filter in the chain using the FilterChain doFilter method and don't redirect the URL.
Tim, thanks. Yes. I've already tried doing the following and I think that is what you are suggesting:
And when I do that I just go into a perpetual loop. Meaning the doFilter method gets executed again and again and again... Exactly what am I doing wrong here?
From a purely technical standpoint, and I don't even pretend to know about the FilterChain, much less JSF, it would appear that I'm using the FilterChain incorrectly because it does NOT work in the scenario above.
Any other suggestions/direction would again be appreciated. Thanks.
That definitely ended the loop and I was able to get to my web page without issue. Thank you so much for your quick reply.
I would be interested to know your thoughts on what the right way is to resolve validation of a user before any pages are rendered or started to render if not by way of a servlet filter. I did understand that a PhaseListener was also an option but that looked a lot more complicated than using a servlet filter. I thought, mistakenly, that the servlet filter would be a lot easier, but it turned out, for me at least, to be quite a challenge. I am a newbie to JSF and using this framework has proved to me that it is more complicated and complex than I would have thought.
Again your help was very much appreciated. Thank you so much.
Well, if it has to be before anything else has started to happen, then using the filter is a good answer, yes.
But it seems like so much work has been done just to prevent the user from getting on the site. I hope that you have use for the filter later on. I mean, do you use it as a filter that checks on every page load that the user is "logged in"? 'Cause it fits that use well.
And servlet filters are not part of JSF but part of the basic Java servlet structure, so the filter solution would have worked in any other Java web framework. And therefore your question was actually in the wrong section.
A common way to do that is to have a login page where the user provides his/her password, and if that checks out, the user ID is stored in the session as the "user" attribute.
Then the servlet filter looks at the session; if there is a session, and if it has a "user" attribute, then the user is authenticated and it continues to process the request. If not, then it redirects to the login page.
Trying to store the user ID in hidden fields in every single form (if that's really your solution) seems like a rather clumsy way to deal with authentication.
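The approach discussed in this thread (pass a request down the filter chain when the user is already in the session, never redirect a request that is already for the login page, and otherwise redirect to the login page), as an added example that is not code from any poster. The class name and the two page paths are assumptions; the "user" session attribute is the one named in the post above.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthFilter implements Filter {
    // Hypothetical paths, relative to the application's context root.
    private static final String LOGIN_PAGE = "/faces/login.jsp";
    private static final Set<String> PUBLIC_PATHS =
            Set.of(LOGIN_PAGE, "/faces/validationFailed.jsp");

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the application: no context path, no query string.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        // Drop a ";jsessionid=..." path parameter so the comparison below still matches.
        int semi = path.indexOf(';');
        if (semi >= 0) {
            path = path.substring(0, semi);
        }

        // getSession(false) never creates a session for an anonymous visitor.
        HttpSession session = request.getSession(false);
        boolean authenticated = session != null && session.getAttribute("user") != null;

        if (authenticated || PUBLIC_PATHS.contains(path)) {
            // Already logged in, or already heading to a public page:
            // continue down the chain. Redirecting here is what causes the loop.
            chain.doFilter(request, response);
            return;
        }
        // Not authenticated and not a public page: send the browser to the login page.
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }
}
```

The login page's own handler is what stores the "user" attribute in the session after the password check succeeds; the filter only reads it.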
Ilari - Thanks. It is supposed to be used to check the logged in user.
However, after the user is validated, and I've gotten to the index.jsp page successfully the URL is as follows:
When I complete the fields in the index page and click on the submit button, it executes the backing bean method which is defined in the action, createTransaction(). In that backing bean I return null so that the index.jsp web page reloads, but now I am NOT getting the user=SavoyM parameter or its value. Here is the URL that is at the top of my page when the web page reloads with an error.
Is there a way to correct this?
As Paul Clapman (and myself) implied in the previous posts, the filter gets executed on every page load. So if you do not, for example, save the userId in the session and add a check in the aforementioned filter that the userId is either in the request (as it is the first time) or in the session, then every subsequent page load just forwards to validationFailed.jsp.
But I gathered that you understood this? At least so did everyone else that suggested this filter solution to you. Unless you make the filter filter only calls to index.jsp, but then it works only if the user uses the link you provided. A much better solution would be the login page (and after that the session) that was suggested here and was suggested in the previous threads as well.
But I do not know why you get the Nullpointer there. Maybe you have program logic that does not take into account the fact that userId is present only on the first page load (i.e. in the request the first time the user clicks the link).
Anyway, do not get me wrong, but it seems to me that you are way over your head here. It seems that you know so little about Servlets that you should start with the very basics first before you dive into more complicated code like JSF. It is very easy to use JSF (in my opinion, compared to Struts, or even basic servlets or jsp) but if you have little or no clue what happens behind the scenes then nothing we say really helps you in any way. If you are forced to do this although you do not understand what you are doing, then I have to wish you good luck and hope for the best...