Hi Bernd,
Thanks for the info. Now I have replaced my SecurityFilter with the
PhaseListener.
http://tech.groups.yahoo.com/group/jsf-developers/message/471
Regards,
Varma
On 2/16/07, Bernd Bohmann <[EMAIL PROTECTED]> wrote:
Hello Varma,
search for 'PhaseListener jsf security' with your search engine, please.
Regards
Bernd
Varma Dendukuri wrote:
> Hi,
>
> I'm using the following SecurityFilter for my application. But when the
> user clicks the logout link it runs into an infinite loop.
>
> Any guesses why this is running into an infinite loop? Glad if someone
> can provide a sample security filter implemented for Tobago.
>
> ---- faces-config.xml
> <navigation-case>
> <from-outcome>logout</from-outcome>
> <to-view-id>/jsp/login.jsp</to-view-id>
> <redirect/>
> </navigation-case>
>
>
> ----- Logout Code in Backing Bean
>
> public String logout()
> {
> FacesContext facesContext = FacesContext.getCurrentInstance();
> HttpSession session = (HttpSession)
> facesContext.getExternalContext().getSession(false);
> if(session != null){
> session.invalidate();
> }
> return "logout";
> }
>
> ------ SecurityFilter
>
> public class SessionFilter implements Filter
> {
> Logger logger = Logger.getLogger(SessionFilter.class);
>
> /**
> * Holds all the Page Names that do not require Authentication.
> */
> private static List<String> NON_SECURED_PAGES = new ArrayList<String>();
> static{
> NON_SECURED_PAGES.add("login.faces");
> }
>
> /**
> * Creates Instance of Session Filter
> */
> public SessionFilter()
> {
> logger.debug("SessionFilter Instance Created");
> }
>
> /**
> *
> * @param filterConfig
> * @throws javax.servlet.ServletException
> */
> public void init( FilterConfig filterConfig ) throws ServletException
> {
> this.filterConfig = filterConfig;
> }
>
> /**
> * Filter the Request
> */
> public void doFilter(ServletRequest servletRequest,
> ServletResponse servletResponse,
> FilterChain filterChain )
> throws IOException, ServletException
> {
> if(filterConfig == null) {
> return;
> }
>
> HttpServletRequest request = (HttpServletRequest) servletRequest;
> HttpServletResponse response = (HttpServletResponse)
> servletResponse;
>
> boolean sessionExpired = false;
> HttpSession session = request.getSession(false);
>
> if(session == null) {
> // TODO ** Add a message saying Session is expired
> sessionExpired = true;
> }
>
> if(!sessionExpired) {
> User user = (User)session.getAttribute("user");
>
> boolean isSecuredPage = isAccessingSecuredPage(request);
>
> if(logger.isDebugEnabled()){
> logger.debug
> ("--------------------------------------------------------");
> logger.debug("Page Information :");
> logger.debug("Request URL :" + request.getRequestURL());
> logger.debug("Sevlet Path :" + request.getServletPath());
> logger.debug
> ("---------------------------------------------------------");
> }
>
> if(isSecuredPage && (user == null)) {
>
> // TODO ** Add a message saying Authentication is Required
> // to Access the Page
> sessionExpired = true;
> }
> }
>
> if(sessionExpired) {
> logger.debug("Session Expired !! Redirecting to login.jsp ");
> response.sendRedirect(request.getContextPath() +
> "/login.faces");
> }
> else {
> filterChain.doFilter( servletRequest, servletResponse );
> }
> }
>
> /**
> * Helper API to check whether the user is Accessing the Secured
> * Page or Not, If Accessing the SecuredPage returns <code>true</code>
> * otherwise returns <code>false</code>
> *
> * @param request The HttpServletRequest that has to be Processed
> *
> * @return If Accessing the SecuredPage returns <code>true</code>
> * otherwise returns <code>false</code>
> */
> protected boolean isAccessingSecuredPage(HttpServletRequest request)
> {
> String servletPath = request.getServletPath();
> for(String nonSecuredPage : NON_SECURED_PAGES) {
> if(servletPath.indexOf(nonSecuredPage) >= 0) {
> return false;
> }
> }
> return true;
> }
>
>
> public void destroy() {
> filterConfig = null;
> }
>
> private FilterConfig filterConfig = null;
> }
>
>
> -- Log
>
> 22:47:26,296 DEBUG [SessionFilter]
> --------------------------------------------------------
> 22:47:26,296 DEBUG [SessionFilter] Page Information :
> 22:47:26,296 DEBUG [SessionFilter] Request URL :
> http://localhost:8080/Store/jsp/storeFront.faces
> 22:47:26,296 DEBUG [SessionFilter] Sevlet Path :/jsp/storeFront.faces
> 22:47:26,296 DEBUG [SessionFilter]
> ---------------------------------------------------------
> 22:47:26,359 DEBUG [LogoutController] User logged out !!
> 22:47:26,375 DEBUG [SessionFilter] Session Expired !! Redirecting to
> login.jsp false
> 22:47:26,406 DEBUG [SessionFilter] Session Expired !! Redirecting to
> login.jsp false
> 22:47:26,406 DEBUG [SessionFilter] Session Expired !! Redirecting to
> login.jsp false
> 22:47:26,421 DEBUG [SessionFilter] Session Expired !! Redirecting to
> login.jsp false
> ---
>
> Regards,
> Varma
>
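
Added example (not part of the thread, and not Tobago or MyFaces code): the decision order of the posted doFilter() reduced to a pure function, next to a reordered version that consults the public-page list before the session check. The exact-match PUBLIC_PATHS set, the class and method names, and the redirect cap are assumptions made for illustration.

```java
import java.util.Set;

public class LogoutRedirectDemo {
    enum Action { CONTINUE, REDIRECT_TO_LOGIN }

    // Assumed allow-list of exact servlet paths; the posted filter lists only "login.faces".
    static final Set<String> PUBLIC_PATHS = Set.of("/login.faces");

    // Decision order of the posted doFilter(): a missing session redirects
    // before the non-secured page list is ever consulted.
    static Action postedOrder(String servletPath, boolean hasSession, boolean hasUser) {
        if (!hasSession) {
            return Action.REDIRECT_TO_LOGIN;
        }
        boolean secured = servletPath.indexOf("login.faces") < 0;
        return (secured && !hasUser) ? Action.REDIRECT_TO_LOGIN : Action.CONTINUE;
    }

    // Reordered: public pages pass without a session; everything else needs
    // a session that carries a "user". Exact match instead of indexOf() so a
    // path that merely contains "login.faces" is not treated as public.
    static Action publicFirst(String servletPath, boolean hasSession, boolean hasUser) {
        if (PUBLIC_PATHS.contains(servletPath)) {
            return Action.CONTINUE;
        }
        return (hasSession && hasUser) ? Action.CONTINUE : Action.REDIRECT_TO_LOGIN;
    }

    // Replays what a browser does when it requests a page without a session
    // (the state after logout() invalidated it), following each redirect.
    static int redirectsAfterLogout(boolean reordered, int cap) {
        String path = "/jsp/storeFront.faces"; // path taken from the posted log
        int redirects = 0;
        while (redirects < cap) {
            Action a = reordered ? publicFirst(path, false, false)
                                 : postedOrder(path, false, false);
            if (a == Action.CONTINUE) {
                break;
            }
            path = "/login.faces"; // target of sendRedirect() in the posted filter
            redirects++;
        }
        return redirects;
    }

    public static void main(String[] args) {
        System.out.println("posted order : " + redirectsAfterLogout(false, 10) + " redirects (stopped at cap)");
        System.out.println("public first : " + redirectsAfterLogout(true, 10) + " redirect");
    }
}
```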