It should protect against any server-side processing but
not against client-side actions such as JavaScript etc.
From: John [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 25, 2006 8:42 PM
To: MyFaces Discussion
Subject: RE: Protecting pages from expired sessions
Thanks Julian,
Will this approach protect from a user clicking on an
action within an orphaned page where the session has expired, or will
it only function if the user does a refresh (reloading the
page)?
John
From: Julian Ray [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 25, 2006 2:00 PM
To: 'MyFaces Discussion'
Subject: RE: Protecting pages from expired sessions
Hi John,
How about creating a filter which performs a redirect to a
logon page if the session has expired.
Here is some code which outlines the basic idea. You need to deal with pages
such as logon and password retrieval pages (isAllowedPage() performs this
function) and figure out the best way to test if your session is expired.
/** Creates a new instance of SecurityCheckFilter */
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest hreq = (HttpServletRequest) request;
    HttpServletResponse hres = (HttpServletResponse) response;
    // The original right-hand side was lost in the list archive;
    // getRequestURI() is an assumed stand-in.
    String url = hreq.getRequestURI();
    boolean isJsp = url.endsWith(".jsf");
    /*
     * Don't filter login.jsp, because otherwise there is an endless loop,
     * and only filter .jsp, otherwise it will filter all images etc. as well.
     */
    if (!isAllowedPage(url) && isJsp) {
        /* Perform session tests here.... */
        hres.sendRedirect(getNextPage());
        return;
    }
    /* deliver request to next filter */
    chain.doFilter(request, response);
}
From: John [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 25, 2006 4:16 PM
To: MyFaces Discussion
Subject: Protecting pages from expired sessions
How does one prevent all the (method/variable not found) errors generated to
STDERR, when a user leaves a page open (the session expires), and then the user
comes back and tries to refresh the page or click on some action?
John
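
A fuller version of the filter outlined in Julian's reply, as an added example that is not part of the original thread: it fills in one possible session test using standard Servlet API calls. The class name, the page names and the assumption that every other .jsf page requires an existing session are illustrative.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionExpiryFilter implements Filter {
    // Assumed page names; replace with the application's own public pages.
    private static final String LOGIN_PAGE = "/login.jsf";
    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList(LOGIN_PAGE, "/forgotPassword.jsf"));

    public void init(FilterConfig config) {}
    public void destroy() {}

    /** Context-relative path of the requested page (servlet path plus path info). */
    static String pagePath(HttpServletRequest req) {
        String info = req.getPathInfo();
        return req.getServletPath() + (info == null ? "" : info);
    }

    /** True when the browser sent a session id the container no longer
     *  accepts, or when no session exists at all. */
    static boolean sessionExpired(HttpServletRequest req) {
        boolean staleId = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();
        return staleId || req.getSession(false) == null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) request;
        HttpServletResponse hres = (HttpServletResponse) response;
        String path = pagePath(hreq);

        // Runs for GET (refresh) and POST (button or link action) alike, so a
        // postback from an orphaned page is stopped before it reaches JSF.
        if (path.endsWith(".jsf") && !ALLOWED.contains(path) && sessionExpired(hreq)) {
            // Fixed, context-relative target: never built from request input.
            hres.sendRedirect(hreq.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Register it in web.xml with a filter-mapping that covers the Faces servlet, so the check runs before any JSF processing.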

