Hi Rudi,

I am only a beginner in JSF and I don't know if a better way exists to handle login, but the following code may help you.

PhaseListener
-------------------------------------------
import java.io.IOException;

import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletRequest;

public class LoginPhaseListener implements PhaseListener {
  private final String LOGIN_SOURCE = "loginButton";
  private final String METHOD_GET = "GET";
  private final String MAIN_PAGE = "main.jsp";
  private final String LOGIN_PAGE = "index.jsp";

  public LoginPhaseListener() {
  }

  public PhaseId getPhaseId() {
    return PhaseId.RESTORE_VIEW;
  }

  public void beforePhase(PhaseEvent phaseEvent) {
  }

  public void afterPhase(PhaseEvent phaseEvent) {
    FacesContext ctx = phaseEvent.getFacesContext();
    ExternalContext ex;
    JSFSession session;
    HttpServletRequest hsrq;
    String login;
    String password;

    // Session-scoped bean that knows whether the user is logged in
    session = (JSFSession) ctx.getApplication()
        .createValueBinding("#{JSFSession}").getValue(ctx);
    if (!session.isLogged()) {
      ex = ctx.getExternalContext();
      try {
        hsrq = (HttpServletRequest) ex.getRequest();
        // If source is loginButton, then try doLogin
        if (LOGIN_SOURCE.equalsIgnoreCase(hsrq.getParameter("source"))) {
          // Get info from login page
          login = hsrq.getParameter("login");
          password = hsrq.getParameter("password");
          // Check it
          if ((login == null) || (password == null)
              || (login.length() == 0) || (password.length() == 0)) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                "Login or Password can't be empty!", null));
          } else if (session.doLogin(login, password)) {
            if (METHOD_GET.equalsIgnoreCase(hsrq.getMethod())) {
              // Special login (for debug app - autologin) from request parameters
              // (?source=loginButton&login=name&password=psw) - redirect to main.jsp.
              // Note: credentials in a GET query string end up in server and proxy
              // logs, so this path should stay a debugging aid only.
              ex.redirect(MAIN_PAGE);
            }
          } else {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                "Bad Login or Password!", null));
          }
        } else if (hsrq.getRequestURI().indexOf(LOGIN_PAGE) < 0) {
          // Not logged in and not on the login page: send the user there.
          // (A FacesMessage added before a redirect is request-scoped and does
          // not survive the redirect unless it is carried over explicitly.)
          ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
              "Session Logged Out or Expired!", null));
          ex.redirect(LOGIN_PAGE);
        }
      } catch (Exception e) {
        e.printStackTrace();
        ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
            "Unexpected login error!", e.getMessage()));
        try {
          ex.redirect(LOGIN_PAGE);
        } catch (IOException f) {
          // Nothing more can be done if the redirect itself fails
        }
      }
    }
  }
}
-------------------------------------------
Navigation Handler
-------------------------------------------
import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;

public class LoginNavigationHandler extends NavigationHandler {
  private final NavigationHandler deflNavHandler;   // Original handler

  public LoginNavigationHandler(NavigationHandler navHandler) {
    super();
    deflNavHandler = navHandler;
  }

  public void handleNavigation(FacesContext facesContext, String fromAction,
                               String outcome) {
    JSFSession session;
    try {
      session = (JSFSession) facesContext.getApplication()
          .createValueBinding("#{JSFSession}").getValue(facesContext);
      // Whatever the action returned, a logged-out session always
      // navigates to the "logout" outcome
      if (!session.isLogged()) {
        outcome = "logout";
      }
    } catch (Exception ex) {
      ex.printStackTrace();
    } finally {
      deflNavHandler.handleNavigation(facesContext, fromAction, outcome);
    }
  }
}
-------------------------------------------


Where JSFSession is a session bean with boolean .isLogged() and boolean .doLogin(login, password) methods. Actually, I checked login/password against a database table of valid users.

Petr
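The listener above only decides whether a request is authenticated. The question quoted further down this thread (whether a user who forges the client-side view state can invoke an action that was rendered only for an admin, and how to find out which action a request is about to call) is answered most directly by wrapping JSF's ActionListener rather than a PhaseListener: the default ActionListener is the component that invokes the bound action, so a wrapper sees the action's expression string and can check the user's role on the server before delegating. Whether the client ever rendered the button, or forged it, then makes no difference. The following is an added example written for this reply, not code from Petr or from MyFaces; the role-per-action POLICY map, the `userBean` expressions and the `install` helper are constructed for illustration (only `deleteUser()` is mentioned in the thread).

```java
import java.util.HashMap;
import java.util.Map;

import javax.faces.application.Application;
import javax.faces.application.FacesMessage;
import javax.faces.component.ActionSource;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

/**
 * Wraps the ActionListener JSF installed by default and checks, on the
 * server, that the current user may invoke the action bound to the clicked
 * component before delegating to the original listener.
 */
public class AuthorizingActionListener implements ActionListener {
  private final ActionListener delegate;   // the previously registered listener

  // Constructed, hypothetical policy: action expression -> required role.
  // Actions not listed here are open to any authenticated user.
  private static final Map<String, String> POLICY = new HashMap<String, String>();
  static {
    POLICY.put("#{userBean.deleteUser}", "admin");
    POLICY.put("#{userBean.resetPassword}", "admin");
  }

  public AuthorizingActionListener(ActionListener delegate) {
    this.delegate = delegate;
  }

  /** Programmatic installation, e.g. from a ServletContextListener or a PhaseListener. */
  public static void install(Application app) {
    app.setActionListener(new AuthorizingActionListener(app.getActionListener()));
  }

  public void processAction(ActionEvent event) throws AbortProcessingException {
    FacesContext ctx = FacesContext.getCurrentInstance();
    String action = actionExpression(event.getComponent());
    String requiredRole = requiredRole(action);
    // Role check is done by the container, not by what the page rendered
    if (requiredRole != null && !ctx.getExternalContext().isUserInRole(requiredRole)) {
      ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
          "You are not authorized to perform this action.", null));
      // Aborting here means the bound method is never invoked
      throw new AbortProcessingException("unauthorized action: " + action);
    }
    delegate.processAction(event);
  }

  /** Expression string of the action bound to the component, or null if none. */
  static String actionExpression(UIComponent component) {
    if (!(component instanceof ActionSource)) {
      return null;
    }
    MethodBinding mb = ((ActionSource) component).getAction();
    return (mb == null) ? null : mb.getExpressionString();
  }

  /** Role required by POLICY for the given action expression, or null. */
  static String requiredRole(String actionExpression) {
    return (actionExpression == null) ? null : POLICY.get(actionExpression);
  }
}
```

The wrapper has to keep a reference to the listener it replaces, so it is installed either by calling `install(facesContext.getApplication())` once at startup, or through `<application><action-listener>` in faces-config.xml where the JSF implementation hands the previously registered listener to the one-argument constructor. Because the check keys on the server-side method binding, a forged view state or a hand-built POST can at most reach the check, not bypass it, and the rejected attempt can be logged from the same place.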



Rudi Steiner wrote:
Hi Veit,

I don't use spring, so I can't use this mechanism :(

Is there a possibility to get the action to call over the facesContext?

thanks,
Rudi

On 5/15/07, Walter Oliver (BR/ICI3) <[EMAIL PROTECTED]> wrote:
Ms Nolte will send the first test orders this evening at 16:30.

Customers can also already place orders.

Regards, Oliver Walter

> -----Original Message-----
> From: Veit Guna [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 15 May 2007 12:11
> To: MyFaces Discussion
> Subject: Re: MyFaces and Security
>
> I didn't follow the whole thread, but isn't acegi (if you use
> spring) a solution? I use it to protect specific URLs as
> well as method invocations on backing beans. Works fine for
> me (but I'm using spring). I must also admit that I'm using
> jsf-spring to let spring create the backing beans for me (and
> thus let acegi take over security).
>
> /Veit
>
>
> -------- Original Message --------
> Date: Tue, 15 May 2007 12:03:21 +0200
> From: "Rudi Steiner" <[EMAIL PROTECTED]>
> To: "MyFaces Discussion" <[email protected]>
> Subject: Re: MyFaces and Security
>
> > Hi Cagatay,
> >
> > thanks for the hint. This is definitely one step in making a jsf-app
> > secure.
> >
> > I would like to increase the security of my app by writing a
> > phaselistener, which checks the action the current request is calling
> > and makes sure that the current user has the right to call this
> > action (example: calling the method deleteUser() in a backingbean).
> >
> > Could anyone please tell me how I can determine in a phaselistener
> > which action is going to be called in the current request?
> >
> > best regards,
> > Rudi
> >
> > On 5/14/07, Cagatay Civici <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > >  Regarding your concerns about the viewstate at client;
> > >
> > >  http://wiki.apache.org/myfaces/Secure_Your_Application
> > >
> > >  Cagatay
> > >
> > >
> > > On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
> > > > Hello,
> > > >
> > > > I'm in the final state of a project and thinking about which is the
> > > > best way to make a myFaces-App secure (authentication, authorization,
> > > > ...)
> > > >
> > > > I'm thinking about the Tomcat built-in mechanism or an alternative
> > > > like securityFilter. But thinking about it, I got some questions like,
> > > > how about faking the view state on the client side.
> > > >
> > > > Could it be that, for example, a normal user who knows the
> > > > applicationcode fakes the viewstate on the client for a page which
> > > > has for example some commandbuttons which are rendered for an admin
> > > > but are not rendered for a normal user? Has anyone had experience in
> > > > this area?
> > > >
> > > > thanks a lot,
> > > > Rudi
> > > >
> > >
> > >
>

