 // Needs imports: java.io.IOException, javax.faces.FacesException,
 // javax.faces.context.FacesContext, javax.servlet.http.HttpServletRequest
 private final static String SECURE_PREFIX = "secure:";

 @Override
 public void handleNavigation(FacesContext context, String fromAction,
   String outcome)
 {
   // outcome in the format of "secure:viewid"
   if (outcome != null && outcome.startsWith(SECURE_PREFIX))
   {
     String viewId = outcome.substring(SECURE_PREFIX.length());
     // note, this will only work for servlets, not portlets
     HttpServletRequest req = (HttpServletRequest)context
       .getExternalContext().getRequest();
     if (!req.isSecure())
     {
       // getActionURL() maps the view ID to a request URL and already
       // prepends the context path, so it is not appended again below
       String url = context.getApplication().getViewHandler()
           .getActionURL(context, viewId);
       if (url != null)
       {
         url = context.getExternalContext().encodeActionURL(url);
         // getServerName() normally reflects the client's Host header
         StringBuilder sb = new StringBuilder("https://")
           .append(req.getServerName()) // TODO: support alternate port #
           .append(url);

         try
         {
           // ExternalContext exposes redirect(), not sendRedirect()
           context.getExternalContext().redirect(sb.toString());
         }
         catch (IOException e)
         {
           throw new FacesException(e);
         }
         context.responseComplete();
       }
     }
   }
   else
     super.handleNavigation(context, fromAction, outcome);
 }


Note that this approach requires that your outcome is in a viewID format.

Other ideas to avoid that are to (1) use a custom view handler (and
parse the view ID there), (2) use a custom servlet filter to ensure
are secure (and make sure this filter fires on REQUEST, FORWARD and
INCLUDE) or (3) use web.xml to ensure the URL is secure/confidential,
and use <redirect /> in your navigation cases.

There may be other possibilities, but none are out of the box with JSF
1.1 (or 1.2 that I know of). If the navigation handler would have a
"String getViewId(FacesContext, String, String)" method, it would be
much better, but it doesn't (I've requested it be added to the
specification, but not sure how that is coming along).

-Andrew


On 5/4/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Andrew,

In your response, you wrote "build the full URL including 'https'".
However, when you get the viewId in handleNavigation, it has the actual
file name, e.g., "page.xhtml" (I am using facelets).  However, I think
(maybe I am wrong) that an actual URL has to be of the form "page.jsf"
(if using ".jsf" as the filter url-pattern).  Would it be safe to simply
replace ".xhtml" with ".jsf" to form the URL (along with "https://")?
Or is there a way to change the protocol to HTTPS and then just use the
same viewId (without the "secure:" prefix)?

Thanks!

----- Original Message -----
From: Andrew Robinson <[EMAIL PROTECTED]>
Date: Thursday, May 3, 2007 1:41 pm
Subject: Re: Navigation to and from an HTTPS URL
To: MyFaces Discussion <[email protected]>

> > > For the custom navigation handler, I don't have an example, but you
> > > could just set up some kind of pattern that you could parse via regex.
> > > Something like
> > >
> > > secure:/myview.xhtml
> > >
> > > Then in the navigation handler, see:
> > > private final static String SECURE = "secure:";
> > > ...
> > > if (viewId.startsWith(SECURE))
> > > {
> > >  viewId = viewId.substring(SECURE.length());
> > >  // see if the HttpServletRequest.isSecure() returns false
> > >  // if so then:
> > >  // get the faces external context
> > >  // build the full URL including "https"
> > >  // call external context.redirect
> > >  // call context.responseComplete();
> > > }
> > > else ...
> > >
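
Option (2) from the reply above, a servlet filter that forces HTTPS, as an added example that is not code from this thread or from MyFaces. The class name and the `secureHost` / `securePort` init-params are assumptions; the redirect host is taken from configuration instead of `req.getServerName()`, so the target does not depend on the client-supplied Host header. The filter still needs a `<filter-mapping>` in web.xml.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): sends plain-HTTP requests to HTTPS
public class RequireHttpsFilter implements Filter
{
  private String secureHost; // init-param "secureHost" (assumed name)
  private int securePort;    // init-param "securePort" (assumed name)

  public void init(FilterConfig config) throws ServletException
  {
    secureHost = config.getInitParameter("secureHost");
    if (secureHost == null || secureHost.length() == 0)
      throw new ServletException("secureHost init-param is required");
    String port = config.getInitParameter("securePort");
    securePort = (port == null) ? 443 : Integer.parseInt(port);
  }

  public void doFilter(ServletRequest request, ServletResponse response,
    FilterChain chain) throws IOException, ServletException
  {
    HttpServletRequest req = (HttpServletRequest)request;
    if (req.isSecure())
    {
      chain.doFilter(request, response);
      return;
    }
    HttpServletResponse res = (HttpServletResponse)response;
    String method = req.getMethod();
    if (!"GET".equals(method) && !"HEAD".equals(method))
    {
      // A body sent over HTTP was already exposed; refuse, don't redirect
      res.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
      return;
    }
    StringBuilder url = new StringBuilder("https://").append(secureHost);
    if (securePort != 443)
      url.append(':').append(securePort);
    url.append(req.getRequestURI()); // already includes the context path
    if (req.getQueryString() != null)
      url.append('?').append(req.getQueryString());
    res.sendRedirect(url.toString());
  }

  public void destroy() { }
}
```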

