where to handle session here?

hi all,
i have two jsf pages 1st login and 2nd a tree view page
when user directly invoke url for 2nd page then it shoud navigate to login
i have checked session and write navigate code but it gives error.
java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.catalina.connector.Request.doGetSession(Request.java:2301) at org.apache.catalina.connector.Request.getSession(Request.java:2075) at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833) at com.sun.faces.context.ExternalContextImpl.getSession(ExternalContextImpl.java:151) at com.sun.faces.mgbean.BeanManager$ScopeManager$SessionScopeHandler.handle(BeanManager.java:571) at com.sun.faces.mgbean.BeanManager$ScopeManager.pushToScope(BeanManager.java:454) at com.sun.faces.mgbean.BeanManager.createAndPush(BeanManager.java:406) at com.sun.faces.mgbean.BeanManager.create(BeanManager.java:265) at com.sun.faces.el.ManagedBeanELResolver.resolveBean(ManagedBeanELResolver.java:191) at com.sun.faces.el.ManagedBeanELResolver.getValue(ManagedBeanELResolver.java:73) at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:53) at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:71) at org.apache.el.parser.AstIdentifier.getValue(AstIdentifier.java:45) at org.apache.el.parser.AstValue.getValue(AstValue.java:86) at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186) at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:106) at javax.faces.component.ValueBindingValueExpressionAdapter.getValue(ValueBindingValueExpressionAdapter.java:109) at com.icesoft.faces.component.tree.TreeRenderer.encodeBegin(TreeRenderer.java:133) at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:824) at com.icesoft.faces.component.tree.Tree.encodeBegin(Tree.java:225) at com.icesoft.faces.renderkit.dom_html_basic.DomBasicRenderer.encodeParentAndChildren(DomBasicRenderer.java:345) at com.icesoft.faces.renderkit.dom_html_basic.GroupRenderer.encodeChildren(GroupRenderer.java:85) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:849) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1643) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1646) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1646) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1646) at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:389) at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:127) at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:117) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:97) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:135) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:309) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Unknown Source) Oct 19, 2011 2:19:07 PM com.sun.faces.renderkit.RenderKitUtils renderHtmlErrorPage WARNING: JSF1087: Unable to generate Facelets error page as the response has already been committed. Oct 19, 2011 2:19:07 PM com.sun.faces.renderkit.RenderKitUtils renderHtmlErrorPage SEVERE: javax.faces.FacesException: Session has expired javax.faces.FacesException: Session has expired at com.sun.faces.context.ExceptionHandlerImpl.handle(ExceptionHandlerImpl.java:136) at org.icefaces.impl.application.ExtendedExceptionHandler.handle(ExtendedExceptionHandler.java:110) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:115) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:135) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:309) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Unknown Source) Caused by: org.icefaces.application.SessionExpiredException: Session has expired at org.icefaces.impl.application.SessionExpiredListener.sessionDestroyed(SessionExpiredListener.java:61) at org.apache.catalina.session.StandardSession.expire(StandardSession.java:702) at org.apache.catalina.session.StandardSession.expire(StandardSession.java:660) at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1111) at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:150) at TreeBean.<init>(TreeBean.java:65) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at java.lang.Class.newInstance0(Unknown Source) at java.lang.Class.newInstance(Unknown Source) at com.sun.faces.mgbean.BeanBuilder.newBeanInstance(BeanBuilder.java:184) at com.sun.faces.mgbean.BeanBuilder.build(BeanBuilder.java:98) at com.sun.faces.mgbean.BeanManager.createAndPush(BeanManager.java:405) at com.sun.faces.mgbean.BeanManager.create(BeanManager.java:265) at com.sun.faces.el.ManagedBeanELResolver.resolveBean(ManagedBeanELResolver.java:191) at com.sun.faces.el.ManagedBeanELResolver.getValue(ManagedBeanELResolver.java:73) at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:53) at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:71) at org.apache.el.parser.AstIdentifier.getValue(AstIdentifier.java:45) at org.apache.el.parser.AstValue.getValue(AstValue.java:86) at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186) at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:106) at javax.faces.component.ValueBindingValueExpressionAdapter.getValue(ValueBindingValueExpressionAdapter.java:109) at com.icesoft.faces.component.tree.TreeRenderer.encodeBegin(TreeRenderer.java:133) at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:824) at com.icesoft.faces.component.tree.Tree.encodeBegin(Tree.java:225) at com.icesoft.faces.renderkit.dom_html_basic.DomBasicRenderer.encodeParentAndChildren(DomBasicRenderer.java:345) at com.icesoft.faces.renderkit.dom_html_basic.GroupRenderer.encodeChildren(GroupRenderer.java:85) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:849) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1643) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1646) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1646) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1646) at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:389) at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:127) at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:117) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:97) ... 14 more Oct 19, 2011 2:19:07 PM com.sun.faces.renderkit.RenderKitUtils renderHtmlErrorPage WARNING: JSF1087: Unable to generate Facelets error page as the response has already been committed. Oct 19, 2011 2:19:07 PM com.sun.faces.renderkit.RenderKitUtils renderHtmlErrorPage SEVERE: javax.faces.FacesException: Cannot create a session after the response has been committed javax.faces.FacesException: Cannot create a session after the response has been committed at com.sun.faces.context.ExceptionHandlerImpl.handle(ExceptionHandlerImpl.java:136) at org.icefaces.impl.application.ExtendedExceptionHandler.handle(ExtendedExceptionHandler.java:110) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:115) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:135) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:309) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Unknown Source) Caused by: java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.catalina.connector.Request.doGetSession(Request.java:2301) at org.apache.catalina.connector.Request.getSession(Request.java:2075) at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833) at com.sun.faces.context.ExternalContextImpl.getSession(ExternalContextImpl.java:151) at com.sun.faces.mgbean.BeanManager$ScopeManager$SessionScopeHandler.handle(BeanManager.java:571) at com.sun.faces.mgbean.BeanManager$ScopeManager.pushToScope(BeanManager.java:454) at com.sun.faces.mgbean.BeanManager.createAndPush(BeanManager.java:406) at com.sun.faces.mgbean.BeanManager.create(BeanManager.java:265) at com.sun.faces.el.ManagedBeanELResolver.resolveBean(ManagedBeanELResolver.java:191) at com.sun.faces.el.ManagedBeanELResolver.getValue(ManagedBeanELResolver.java:73) at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:53) at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:71) at org.apache.el.parser.AstIdentifier.getValue(AstIdentifier.java:45) at org.apache.el.parser.AstValue.getValue(AstValue.java:86) at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186) at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:106) at javax.faces.component.ValueBindingValueExpressionAdapter.getValue(ValueBindingValueExpressionAdapter.java:109) at com.icesoft.faces.component.tree.TreeRenderer.encodeBegin(TreeRenderer.java:133) at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:824) at com.icesoft.faces.component.tree.Tree.encodeBegin(Tree.java:225) at com.icesoft.faces.renderkit.dom_html_basic.DomBasicRenderer.encodeParentAndChildren(DomBasicRenderer.java:345) at com.icesoft.faces.renderkit.dom_html_basic.GroupRenderer.encodeChildren(GroupRenderer.java:85) at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:849) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1643) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1646) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1646) at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1646) at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:389) at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:127) at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:117) at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:97) ... 14 more

i have wriiten code to check whether session is active or not in constructor.
Is it right place
public TreeBean() { FacesContext context = FacesContext.getCurrentInstance(); HttpSession httpSession = FacesUtils.getHttpSession(false); String user=(String)httpSession.getAttribute("user"); if(user==null) { ExternalContext ec = context.getExternalContext(); try { ec.redirect("./login.jsf"); final HttpServletRequest request = (HttpServletRequest) ec.getRequest(); request.getSession(false).invalidate(); } catch (IOException e) { e.printStackTrace(); } }

I realize that almost every J2EE book ever written has some example that manages a login screen, but I wish they didn't.

I've worked with a lot of apps since J2EE first came out and every last one of the ones that did their own login code had security holes.

The J2EE standard has a built-in security system that can do exactly what you're saying, requires absolutely no java code to do it and has never as far as I know been successfully "hacked".

This is known as Container-Based Authentication and Authorization. You define a logon JSP and a login fail JSP and define them to web.xml. You also supply URL mappings to the security section of the web.xml file so that the URLs you want only accessible to logged-in users are designated as such to the security system.

Most decent J2EE books that cover servlets and JSPs cover this system as part of the introduction to secure transport.

JSF works quite well with the standard system, although since it protects URLs and not resources, any JSF action that navigates to a protected View should include a "redirect" element so that the proper URL will be set up.

Doing some research on login pages...(before I post my issue, aren't you proud of me? )

@Tim: So I will look into CBA/A...but say I wanted a user to be able to create and update records, but to delete, they needed a separate authorization level? I really don't want to do Deletes on a separate page...how does CBA/A handle something like that?

The primary function of CBA is to protect URLs. That's important, because if you can't get to something, you cannot abuse it, and CBA ensures that unauthorized users are blocked even before getting to the application itself.

However, sometimes you want finer-grained control. A variation of what you're asking about that I've been known to do is present pages where some users can view (auditors) and some users can update (editors).

There are generally 2 parts to this sort of control. One is presentation, If you simply switch the input controls to readonly mode, you can physically inhibit auditors from being able to submit updates. But to be truly secure, you also need a second part, since a hacker can simply alter the page to re-enable the controls.

For that you need code in the backing bean. The good news is that it's pretty simple to do. The bad news is that JSF doesn't help much. In order to check the user's security roles, you have to obtain the HttpServletRequest, and since JSF is externally independent of such things, that means that you have to get the FacesContext and chase through it to get the request object.

To do that requires some fairly gnarly code and it potentially injects framework dependencies into what should otherwise be a POJO. To get around this, I usually implement a "JSFUtils" class that I use when I need access to the Servlet infrastructure. Also for general JSF utilitity, such as stuffing user-generated error messages into the JSF messages obbject. I can then replace this object with a mock object for testing purposes. So that leaves me with stuff like this:
/** * Update the General Ledger - if you're authorized! * @return "success" of OK, "forbidden", if not authorized, "fail" if update failed. */ public String doUpdateGL() { // Filter for authorized users only if ( ! JSFUtils.isUserInRole(Roles.ROLE_GL_EDITOR) ) { JSFUtils.addErrorMessage(new ResourceErrorMessage("gl,unauthorized")); return FORBIDDEN; } try { glBean.applyUpdate(); return SUCCESS; } catch ( Exception ex ) { JSFUtils.addErrorMessage(new LiteralErrorMessage(ex.getMessage()); } return FAIL; }

Very interesting and I appreciate the info. You may already know stuff like that is probably a little advanced for me at this point, but I'll hang on to it. I finally got my "login" page to work; it will be used internally for now so I'm not as concerned about security (concerned, just not as concerned - right now :-)