Hello Varma,

Search for 'PhaseListener jsf security' with your search engine, please.

Regards

Bernd

Varma Dendukuri wrote:
Hi,

I'm using the following SecurityFilter for my application. But when the user
clicks the logout link, it runs into an infinite loop.

Any guesses why this is running into an infinite loop? I'd be glad if someone
could provide a sample security filter implemented for Tobago.

---- faces-config.xml
<navigation-case>
   <from-outcome>logout</from-outcome>
   <to-view-id>/jsp/login.jsp</to-view-id>
   <redirect/>
</navigation-case>


----- Logout Code in Backing Bean

public String logout()
{
   FacesContext facesContext = FacesContext.getCurrentInstance();
   HttpSession session = (HttpSession)
                 facesContext.getExternalContext().getSession(false);
   if(session != null){
       session.invalidate();
   }
   return "logout";
}

------ SecurityFilter

public class SessionFilter implements Filter
{
   Logger logger = Logger.getLogger(SessionFilter.class);

   /**
    * Holds all the Page Names that does not require Authentication.
    */
   private static List<String> NON_SECURED_PAGES = new ArrayList<String>();
   static{
       NON_SECURED_PAGES.add("login.faces");
   }

   /**
    * Creates Instance of Session Filter
    */
   public SessionFilter()
   {
       logger.debug("SessionFilter Instance Created");
   }

   /**
    *
    * @param filterConfig
    * @throws javax.servlet.ServletException
    */
   public void init( FilterConfig filterConfig ) throws ServletException
   {
       this.filterConfig = filterConfig;
   }

   /**
    * Filter the Request
    */
   public void doFilter(ServletRequest servletRequest,
                        ServletResponse servletResponse,
                        FilterChain filterChain )
       throws IOException, ServletException
   {
       if(filterConfig == null) {
           return;
       }

       HttpServletRequest request = (HttpServletRequest) servletRequest;
       HttpServletResponse response = (HttpServletResponse) servletResponse;

       boolean sessionExpired = false;
       HttpSession session = request.getSession(false);

       if(session == null) {
           // TODO ** Add a message saying Session is expired
           sessionExpired = true;
       }

       if(!sessionExpired) {
           User user = (User)session.getAttribute("user");

           boolean isSecuredPage = isAccessingSecuredPage(request);

           if(logger.isDebugEnabled()){
               logger.debug("--------------------------------------------------------");
               logger.debug("Page Information :");
               logger.debug("Request URL :" + request.getRequestURL());
               logger.debug("Sevlet Path :" + request.getServletPath());
               logger.debug("---------------------------------------------------------");
           }

           if(isSecuredPage  && (user ==  null)) {

               // TODO ** Add a message saying Authentication is Required
               //         to Access the Page
               sessionExpired =  true;
           }
       }

       if(sessionExpired) {
           logger.debug("Session Expired !! Redirecting to login.jsp ");
           response.sendRedirect(request.getContextPath() + "/login.faces");
       }
       else {
           filterChain.doFilter( servletRequest, servletResponse );
       }
   }

   /**
    * Helper API to check whether the user is Accessing the Secured
    * Page or Not, If Accessing the SecuredPage returns <code>true</code>
    * otherwise returns <code>false</code>
    *
    * @param request   The HttpServletRequest that has to be Processed
    *
    * @return If Accessing the SecuredPage returns <code>true</code>
    *         otherwise returns <code>false</code>
    */
   protected boolean isAccessingSecuredPage(HttpServletRequest request)
   {
       String servletPath = request.getServletPath();
       for(String nonSecuredPage : NON_SECURED_PAGES) {
           if(servletPath.indexOf(nonSecuredPage) >= 0) {
               return false;
           }
       }
       return true;
   }


   public void destroy() {
       filterConfig = null;
   }

   private FilterConfig filterConfig = null;
}


-- Log

22:47:26,296 DEBUG [SessionFilter] --------------------------------------------------------
22:47:26,296 DEBUG [SessionFilter] Page Information :
22:47:26,296 DEBUG [SessionFilter] Request URL :http://localhost:8080/Store/jsp/storeFront.faces
22:47:26,296 DEBUG [SessionFilter] Sevlet Path :/jsp/storeFront.faces
22:47:26,296 DEBUG [SessionFilter] ---------------------------------------------------------
22:47:26,359 DEBUG [LogoutController] User logged out !!
22:47:26,375 DEBUG [SessionFilter] Session Expired !! Redirecting to login.jsp false
22:47:26,406 DEBUG [SessionFilter] Session Expired !! Redirecting to login.jsp false
22:47:26,406 DEBUG [SessionFilter] Session Expired !! Redirecting to login.jsp false
22:47:26,421 DEBUG [SessionFilter] Session Expired !! Redirecting to login.jsp false
---

Regards,
Varma
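
An added example, not part of the original post and not Tobago code: in the filter above, a null session sets sessionExpired before NON_SECURED_PAGES is ever consulted, so the request for login.faces that follows session.invalidate() arrives without a session and is redirected to login.faces again. The version below decides on public paths first and matches them exactly instead of by substring. The class name, the constants and the second public path are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example; the class and constant names are hypothetical.
public class LoginAwareSessionFilter implements Filter {

    // Redirect target taken from the filter in the post.
    private static final String LOGIN_PATH = "/login.faces";

    // Exact servlet paths that never require authentication.
    // Assumption: with the *.faces mapping visible in the log, the
    // /jsp/login.jsp view from faces-config.xml is requested as /jsp/login.faces.
    private static final Set<String> PUBLIC_PATHS =
            new HashSet<String>(Arrays.asList(LOGIN_PATH, "/jsp/login.faces"));

    public void init(FilterConfig filterConfig) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Public pages pass first, with or without a session, so the
        //    redirect issued below can never be redirected again.
        if (PUBLIC_PATHS.contains(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // 2. Every other path needs a live session that holds the "user" attribute.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        if (user == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```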
