Navigate to login page in case of invalid session

Rajeshwar Tripathi
Greenhorn

Joined: Jan 12, 2012
Posts: 7

Hi all,

I'm having a problem.
I created a class, "LoginCheckTimeOut.java", which implements the PhaseListener interface. I set a value for session timeout in web.xml and registered the class in faces-config.xml. When I use it and try to log in, my page gets refreshed, resetting all fields and not allowing me to log in, but it's working for preventing direct access to a page URL, which was one of my needs.

So can anyone suggest where the problem could be and help me with "How to navigate to login page in case of invalid session?"

Give the general code if possible.

Thanks & regards,
Rajeshwar
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15952
    

Welcome to the JavaRanch, Rajeshwar!

If you are using the J2EE standard security framework, the answer to your question about what to code is: Nothing.

That's because the standard container security framework will monitor all incoming URL requests, and if any attempt is made to access a secured URL, the server itself checks to see if the user is authenticated (logged in), and presents the login page, if he/she is not logged in. That is, in fact, one of the major strengths of the standard security framework. Most "Do It Yourself" security systems can be compromised by merely sidestepping the proper URL sequences.

Technically, the container doesn't "navigate to the login page". Instead, the login page is presented by the container (not the application) in place of the resource requested in the secured URL, and once the user is logged in, the original URL request proceeds transparently. Because the login page has no true URL of its own and is not handled by the application, but by the server, it must be a simple HTML or JSP page. Servlet-controlled pages (JSF, Struts, and so forth) cannot be used as login pages.

If you're attempting to invent your own login/security system, all bets are off. That's one of the disadvantages of DIY. There's no standard documented, debugged framework.

Another disadvantage of DIY security is that in something like 10 years of J2EE, I've yet to encounter one that's actually secure. Most, in fact, can be cracked by amateur hackers and kids in 5 minutes or less. The J2EE standard system, on the other hand, was designed and implemented by full-time security professionals and has had 10 years to be hardened.


Customer surveys are for companies who didn't pay proper attention to begin with.
Rajeshwar Tripathi
Greenhorn

Joined: Jan 12, 2012
Posts: 7

Thanks for the reply, Tim.

At every request from the user, we are trying to validate whether the user is logged in or not by checking the user id in the session (which we set when the user is successfully authenticated). Is there a way hackers can put the value in the session?

Also, can you please let me know why login pages should not be servlet-controlled pages?

Please correct me if I am wrong.

Thanks & regards,
Rajeshwar
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15952
    

Hackers can do anything if you have loopholes. That's one of the reasons why I'm so much a proponent of not inventing one's own login/security system. Unless you're a full-time security expert, you'll fail to close all the loopholes.

Actually, full-time security experts fail, too, but since they aren't distracted by things like actual application functionality, and since they're trained to know what to look for, they fail less often.

You cannot make a J2EE container-managed login page be servlet-driven for the reason I just outlined. The login page has no URL. It's simply a template file that's presented by the server itself, and the server's login process has just enough intelligence to process basic JSP functions. The login process is not part of the application, it's part of the server, so you can't use application logic in the login process.
 