Here's mine:

<!-- Every path listed in this parameter skips the logon check in authFilter, so keep the list
     limited to pages that must be reachable before logon.
     NOTE(review): the filter class posted with this snippet reads the parameter with
     getInitParameter("FILTER_EXEMPTIONS"), while the name declared here is fully qualified.
     The two strings must match exactly or the lookup returns null. The difference may only be
     an artifact of how the post was trimmed; confirm against the real source. -->
<context-param>
  <description>Pages that are exempt from the authFilter.</description>
  <param-name>mil.dla.daps.web.FILTER_EXEMPTIONS</param-name>
  <param-value>/logon.jsf,/registration.jsf,/passwordRecovery.jsf,/userIdRecovery.jsf</param-value>
 </context-param>
<filter>
  <description>Filters all incoming requests for an existing session.  If requested file is not in the list FILTER_EXEMPTIONS,
                the request is forwarded to the logon.jsf</description>
  <display-name>authFilter</display-name>
  <filter-name>authFilter</filter-name>
  <filter-class>#######AuthorizationFilter</filter-class>
 </filter>
<!-- "/*" sends every request through the filter, including images, stylesheets and scripts.
     The posted filter compares the request path against the exemption list as an exact string,
     so static resources used by the logon page are redirected as well unless they are listed. -->
<filter-mapping>
  <filter-name>authFilter</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>

package #####;

import java.io.IOException;
import java.util.*;

import javax.servlet.*;
import javax.servlet.http.*;

import ######.Visit;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Filters every request to verify that the user is logged in.  If the user has not logged in and requests
 * a page that is not exempt from the filter, the server redirects to the login page.
 * <br><br>Exempt pages are listed as a comma-delimited context parameter in the web.xml under the key <b>FILTER_EXEMPTIONS</b>.
 * @author qkerby
 *
 */
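public class AuthorizationFilter implements Filter {
        protected final Log log = LogFactory.getLog(this.getClass());
        private FilterConfig config = null;
        private ServletContext context = null;

        // Per-instance and read-only once init() has run. It starts out empty so that a filter
        // which was never initialised exempts nothing (fails closed) instead of throwing a
        // NullPointerException. Raw collection types are kept to match the rest of this file.
        private Set exemptions = Collections.EMPTY_SET;

        /**
         * Reads the comma-delimited FILTER_EXEMPTIONS context parameter and stores each
         * non-empty, trimmed entry as a path that may be requested without a logged-in session.
         *
         * @param filterConfig configuration supplied by the container
         * @throws ServletException if the FILTER_EXEMPTIONS context parameter is not defined
         * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
         */
        public void init(FilterConfig filterConfig) throws ServletException {
                config = filterConfig;
                context = config.getServletContext();

                // The param-name in web.xml must be exactly this string. A missing parameter is
                // reported explicitly rather than surfacing as a NullPointerException.
                String configured = context.getInitParameter("FILTER_EXEMPTIONS");
                if(configured == null){
                        throw new ServletException("Context parameter FILTER_EXEMPTIONS is not defined in web.xml");
                }

                Set parsed = new HashSet();
                StringTokenizer tok = new StringTokenizer(configured,",");
                while(tok.hasMoreTokens()){
                        // Whitespace around an entry would otherwise make the exact-match lookup miss.
                        String exempt = tok.nextToken().trim();
                        if(exempt.length() == 0){
                                continue;
                        }
                        if(log.isInfoEnabled()){
                                log.info("Exempt from authFilter: "+exempt);
                        }
                        parsed.add(exempt);
                }
                // Assign only after the set is fully built; nothing modifies it afterwards.
                exemptions = Collections.unmodifiableSet(parsed);
        }

        /**
         * Lets the request continue when the session holds a {@code Visit} or when the requested
         * path is on the exemption list; otherwise redirects the client to the login view.
         * <p>
         * Only the presence of a {@code Visit} is checked here. Per-page or per-role
         * authorization, if required, has to be enforced elsewhere.
         *
         * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
         */
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
                HttpServletRequest request = (HttpServletRequest)req;
                HttpServletResponse response = (HttpServletResponse)res;

                if(log.isDebugEnabled()){
                        log.debug(request.getRequestURI());
                }

                // getSession(false): do not allocate a server-side session for every anonymous
                // request that merely passes through the filter.
                HttpSession session = request.getSession(false);
                Visit visit = null;
                if(session != null){
                        visit = (Visit)session.getAttribute(Constants.VISIT_KEY);
                }

                if(visit != null || exemptions.contains(resourcePath(request))){
                        chain.doFilter(req, res);
                }
                else{
                        response.sendRedirect(request.getContextPath()+Constants.LOGIN_VIEW);
                }
        }

        /**
         * Returns the context-relative path the container resolved for this request.
         * The exemption decision is made on this value rather than on the raw request URI, which
         * still carries path parameters (for example a rewritten ";jsessionid=...") and any
         * un-normalised segments, and so may differ from the resource that is actually served.
         */
        private static String resourcePath(HttpServletRequest request){
                String servletPath = request.getServletPath();
                String pathInfo = request.getPathInfo();
                return pathInfo == null ? servletPath : servletPath + pathInfo;
        }

        /**
         * Drops the exemption list. After this call no path is treated as exempt.
         *
         * @see javax.servlet.Filter#destroy()
         */
        public void destroy() {
                exemptions = Collections.EMPTY_SET;
        }

}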

Quintin Kerby
CACI, Inc.



101questionjsf <[EMAIL PROTECTED]>

04/07/2006 03:46

Please respond to
"MyFaces Discussion" <[email protected]>

To
[email protected]
cc
Subject
RE: Servlet Filter? I'm stuck






hi,

I changed the filter pattern in web.xml from /user/* to /*.jsf, and now it goes
into an infinite loop that keeps calling login.jsf.
I tried checking whether the URI endsWith login.jsf or login.jsp, which stops the
looping, but then images and CSS files cannot come through.

Anyone has  a filter to spare?

<filter-mapping>
 <filter-name>UserSecurity</filter-name>
 <url-pattern>/*.jsf</url-pattern>
</filter-mapping>

Anyone can help?




Patrick Haggood wrote:
>
> Here's a security filter I adapted from a sample on the Java Studio
> Creator forum:
>
> First the web.xml part:
> <filter>
>   <filter-name>UserSecurity</filter-name>
>   <filter-class>tolls.tools.UserSecurityCheckFilter</filter-class>
> </filter>
>
>
>
> <filter-mapping>
>   <filter-name>UserSecurity</filter-name>
>   <url-pattern>/user/*</url-pattern>
> </filter-mapping>
>
> Now the filter:
>
> /*
>  * UserSecurityCheckFilter.java
>  *
>  * Created on 30 December 2004, 23:36
>  */
>
> package tolls.tools;
>
> import java.io.IOException;
>
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
> import javax.servlet.FilterConfig;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import javax.servlet.http.HttpSession;
>
> import net.codezilla.trinity.service.LoginBean;
>
>
> /**
>  *
>  * @author  Jonathan Buckland
>  * JSC Forums
>  * http://swforum.sun.com/jive/thread.jspa?messageID=185654
>  */
> public class UserSecurityCheckFilter implements Filter {
>    
>     private FilterConfig config = null;
>     private final static String FILTER_APPLIED =
> "_security_filter_applied";
>     public UserSecurityCheckFilter() { //called once. no method
> arguments allowed here!
>     }
>    
>     public void init(FilterConfig conf) throws ServletException {
>        
>     }
>    
>     public void destroy() {
>     }
>    
>     /** Creates a new instance of SecurityCheckFilter */
>     public void doFilter(ServletRequest request, ServletResponse
> response, FilterChain chain)
>     throws IOException, ServletException {
>        
>         HttpServletRequest hreq = (HttpServletRequest)request;
>         HttpServletResponse hres = (HttpServletResponse)response;
>         HttpSession session = hreq.getSession();
>        
>         String checkforloginpage = hreq.getPathTranslated();
>        
>         //System.out.println("ctext path " + hreq.getContextPath());
>         //System.out.println("uri " + hreq.getRequestURI());
>         //System.out.println("url " + hreq.getRequestURL());
>         //System.out.println("srv path " + hreq.getServletPath());
>         //dont filter login.jsp because otherwise an endless loop.
>         //& only filter .jsp otherwise it will filter all images etc as
> well.
>         if ((request.getAttribute(FILTER_APPLIED) ==
> null)) //&&(checkforloginpage.endsWith(".jsp")))
>                                           {
>             request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
>            
>             // if all else fails, goto main page
>             String loginPage="/MateoWeb/MainPage.faces";
>             boolean loginStatus=false;
>             //If the session bean is not null get the login status
>             LoginBean lbean =
> (LoginBean)session.getAttribute("loginbean");
>            
>             // if you can find session, check logins
>             if(lbean!=null) {
>                     //System.out.println("Checking user login");
>                     loginStatus=(lbean.isUserLoginStatus());
>             }
>            // System.out.println("Login status " + loginStatus);
>             // if loginStatus is false for any of these filtered pages,
> goto relevant loginform
>             if(!loginStatus) {
>                // System.out.println("Redirecting to main page " +
> loginPage);
>                 hres.sendRedirect(loginPage);
>                 return;
>             }
>         }
>         //deliver request to next filter
>         chain.doFilter(request, response);
>     }
> }
>
> On Wed, 2005-05-11 at 09:30 +0200, [EMAIL PROTECTED] wrote:
>> Hi
>>
>> Sorry for not answering this before - Been out sailing for some days.
>>
>> SecurityFilter is SF project. I have been using it in a couple of Struts
>> applications, and have now incorporated it into the MyFaces version of
>> one of them that I am currently migrating.
>>
>> Hermod
>
>
>
>
>
>

--
View this message in context: http://www.nabble.com/RE%3A-Servlet-Filter--t8978.html#a3799147
Sent from the MyFaces - Users forum at Nabble.com.


