Hi Petr, hi Martin,

I think the right way is to register an action listener in faces-config.xml
and to determine in the method processAction(ActionEvent event) whether
the current user has the role to execute this action.

Does anyone have an idea how to implement the role check, maybe with
annotations on the method which is going to be called? How can I find
out from the event parameter which method in the backing bean is going to
be called by this action?

thanks a lot,
Rudi


On 5/15/07, Martin Marinschek <[EMAIL PROTECTED]> wrote:
You wouldn't register a phase listener; you'd rather decorate the
action listener to find a solution to this.

faces-config.xml:
<application>
  <action-listener>your decorator goes here</action-listener>
</application>

... the default action listener calls all actions!

regards,

Martin

On 5/15/07, Petr Kotek <[EMAIL PROTECTED]> wrote:
> Hi Rudi,
>
> I am only a beginner in JSF and I don't know if a better way exists to
> handle login, but the following code may help you.
>
> PhaseListener
> -------------------------------------------
> import java.io.IOException;
>
> import javax.faces.application.FacesMessage;
> import javax.faces.context.ExternalContext;
> import javax.faces.context.FacesContext;
> import javax.faces.event.PhaseEvent;
> import javax.faces.event.PhaseId;
> import javax.faces.event.PhaseListener;
> import javax.servlet.http.HttpServletRequest;
>
> // Runs after RESTORE_VIEW on every request. A request without a logged-in
> // session is either logged in (if it comes from the login form) or sent
> // back to the login page.
> public class LoginPhaseListener implements PhaseListener {
>   private static final String LOGIN_SOURCE = "loginButton";
>   private static final String METHOD_GET = "GET";
>   private static final String MAIN_PAGE = "main.jsp";
>   private static final String LOGIN_PAGE = "index.jsp";
>
>   public PhaseId getPhaseId() {
>     return PhaseId.RESTORE_VIEW;
>   }
>
>   public void beforePhase(PhaseEvent phaseEvent) {
>   }
>
>   public void afterPhase(PhaseEvent phaseEvent) {
>     FacesContext ctx = phaseEvent.getFacesContext();
>     ExternalContext ex = ctx.getExternalContext();
>     // JSFSession is the application's session-scoped bean (see below)
>     JSFSession session = (JSFSession) ctx.getApplication()
>         .createValueBinding("#{JSFSession}").getValue(ctx);
>     if (session.isLogged()) {
>       return;
>     }
>     try {
>       HttpServletRequest hsrq = (HttpServletRequest) ex.getRequest();
>       // If source is loginButton, then try doLogin
>       if (LOGIN_SOURCE.equalsIgnoreCase(hsrq.getParameter("source"))) {
>         // Get info from login page
>         String login = hsrq.getParameter("login");
>         String password = hsrq.getParameter("password");
>         // Check it
>         if (login == null || password == null
>             || login.length() == 0 || password.length() == 0) {
>           ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
>               "Login or Password can't be empty!", null));
>         } else if (session.doLogin(login, password)) {
>           if (METHOD_GET.equalsIgnoreCase(hsrq.getMethod())) {
>             // Special login (for debug app - autologin) from request
>             // parameters (?source=loginButton&login=name&password=psw) -
>             // redirect to main.jsp. Credentials in a GET URL end up in
>             // browser history and server logs, so keep this to debugging.
>             ex.redirect(MAIN_PAGE);
>           }
>         } else {
>           ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
>               "Bad Login or Password!", null));
>         }
>       } else if (hsrq.getRequestURI().indexOf(LOGIN_PAGE) < 0) {
>         // Not on the login page (substring match: any URI containing
>         // "index.jsp" counts as the login page)
>         ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
>             "Session Logged Out or Expired!", null));
>         ex.redirect(LOGIN_PAGE);
>       }
>     } catch (Exception e) {
>       e.printStackTrace();
>       // e.getMessage() is shown to the user as message detail
>       ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
>           "Unexpected login error!", e.getMessage()));
>       try {
>         ex.redirect(LOGIN_PAGE);
>       } catch (IOException f) {
>         // nothing more we can do here
>       }
>     }
>   }
> }
> -------------------------------------------
> Navigation Handler
> -------------------------------------------
> import javax.faces.application.NavigationHandler;
> import javax.faces.context.FacesContext;
>
> // Decorates the default NavigationHandler: while the user is not logged
> // in, every outcome is replaced by "logout", so no navigation rule can
> // take an anonymous user anywhere else.
> public class LoginNavigationHandler extends NavigationHandler {
>   private final NavigationHandler deflNavHandler;   // Original handler
>
>   // JSF passes the previously configured handler to this constructor
>   public LoginNavigationHandler(NavigationHandler navHandler) {
>     super();
>     deflNavHandler = navHandler;
>   }
>
>   public void handleNavigation(FacesContext facesContext, String fromAction,
>                                String outcome) {
>     try {
>       JSFSession session = (JSFSession) facesContext.getApplication()
>           .createValueBinding("#{JSFSession}").getValue(facesContext);
>       if (!session.isLogged()) {
>         outcome = "logout";
>       }
>     } catch (Exception ex) {
>       ex.printStackTrace();
>     } finally {
>       deflNavHandler.handleNavigation(facesContext, fromAction, outcome);
>     }
>   }
> }
> -------------------------------------------
>
>
> Where JSFSession is a session bean with boolean .isLogged() and boolean
> .doLogin(login, password) methods. Actually I checked login/password
> against a database table of valid users.
>
> Petr
>
>
>
> Rudi Steiner wrote:
> > Hi Veit,
> >
> > I don't use spring, so I can't use this mechanism :(
> >
> > Is there a possibility to get the action to be called via the FacesContext?
> >
> > thanks,
> > Rudi
> >
> > On 5/15/07, Walter Oliver (BR/ICI3) <[EMAIL PROTECTED]>
> > wrote:
> >> Frau Nolte will send the first test orders this evening at 16:30.
> >>
> >> Customers can also already place orders.
> >>
> >> Regards, Oliver Walter
> >>
> >> > -----Original Message-----
> >> > From: Veit Guna [mailto:[EMAIL PROTECTED]
> >> > Sent: Tuesday, 15 May 2007 12:11
> >> > To: MyFaces Discussion
> >> > Subject: Re: MyFaces and Security
> >> >
> >> > I didn't follow the whole thread, but isn't Acegi (if you use
> >> > Spring) a solution? I use it to protect specific URLs as
> >> > well as method invocations on backing beans. Works fine for
> >> > me (but I'm using Spring). I must also admit that I'm using
> >> > jsf-spring to let Spring create the backing beans for me (and
> >> > thus let Acegi take over security).
> >> >
> >> > /Veit
> >> >
> >> >
> >> > -------- Original Message --------
> >> > Date: Tue, 15 May 2007 12:03:21 +0200
> >> > From: "Rudi Steiner" <[EMAIL PROTECTED]>
> >> > To: "MyFaces Discussion" <[email protected]>
> >> > Subject: Re: MyFaces and Security
> >> >
> >> > > Hi Cagatay,
> >> > >
> >> > > thanks for the hint. This is definitely one step in making a JSF app
> >> > > secure.
> >> > >
> >> > > I would like to increase the security of my app by writing a
> >> > > phase listener, which checks the action the current request is calling
> >> > > and makes sure that the current user has the right to call this
> >> > > action (for example calling the method deleteUser() in a backing bean).
> >> > >
> >> > > Could anyone please tell me how I can determine in a phase listener
> >> > > which action is going to be called in the current request?
> >> > >
> >> > > best regards,
> >> > > Rudi
> >> > >
> >> > > On 5/14/07, Cagatay Civici <[EMAIL PROTECTED]> wrote:
> >> > > > Hi,
> >> > > >
> >> > > >  Regarding your concerns about the viewstate at client;
> >> > > >
> >> > > >  http://wiki.apache.org/myfaces/Secure_Your_Application
> >> > > >
> >> > > >  Cagatay
> >> > > >
> >> > > >
> >> > > > On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
> >> > > > > Hello,
> >> > > > >
> >> > > > > I'm in the final stage of a project and thinking about which is the
> >> > > > > best way to make a MyFaces app secure (authentication, authorization,
> >> > > > > ...).
> >> > > > >
> >> > > > > I'm thinking about the Tomcat built-in mechanism or an alternative
> >> > > > > like securityFilter. But thinking about it, I got some questions,
> >> > > > > like: what about faking the view state on the client side?
> >> > > > >
> >> > > > > Could it be that, for example, a normal user who knows the
> >> > > > > application code fakes the view state on the client for a page
> >> > > > > which has, for example, some command buttons which are rendered
> >> > > > > for an admin but are not rendered for a normal user? Has anyone
> >> > > > > had experience in this area?
> >> > > > >
> >> > > > > thanks a lot,
> >> > > > > Rudi
> >> > > > >
> >> > > >
> >> > > >
> >> >
> >> >
> >>
> >
>


--

http://www.irian.at

Your JSF powerhouse -
JSF Consulting, Development and
Courses in English and German

Professional Support for Apache MyFaces
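An added example (not code from this thread, from MyFaces, or from any of the posters) of the decorated action listener Martin describes, which also answers Rudi's question about finding the target method from the ActionEvent and his original worry about a user faking the view state to submit a button that was never rendered for him. The check runs server-side on every action invocation, so what the client posts does not matter. Assumptions: the JSF 1.2 API (javax.el, ActionSource2, ExternalContext.isUserInRole backed by container-managed security such as the Tomcat mechanism Rudi mentions), a hypothetical @RequiresRole annotation defined here, the class name example.security.RoleCheckingActionListener, and action expressions of the simple form "#{bean.method}" (e.g. "#{userBean.deleteUser}"):

```java
package example.security;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import javax.el.MethodExpression;
import javax.faces.application.FacesMessage;
import javax.faces.component.ActionSource;
import javax.faces.component.ActionSource2;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

/**
 * Example decorator for the application ActionListener (not MyFaces code).
 * Registered in faces-config.xml as Martin showed:
 *   <application>
 *     <action-listener>example.security.RoleCheckingActionListener</action-listener>
 *   </application>
 * JSF uses the one-argument constructor, so the previously registered
 * (default) listener stays available as the delegate that really invokes
 * the action method and drives navigation.
 */
public class RoleCheckingActionListener implements ActionListener {

    /** Hypothetical annotation for this example; put it on action methods. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface RequiresRole {
        String[] value();
    }

    private final ActionListener delegate;

    public RoleCheckingActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        String expr = actionExpressionOf(event.getComponent());
        Method target = resolveActionMethod(ctx, expr);

        if (target != null) {
            RequiresRole required = target.getAnnotation(RequiresRole.class);
            if (required != null && !userHasAnyRole(ctx, required.value())) {
                ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                        "You are not allowed to perform this action.", null));
                ctx.renderResponse();
                // Not delegating: the default listener is what would call the
                // method and run navigation, so neither happens.
                return;
            }
        }
        delegate.processAction(event);
    }

    /** Expression string such as "#{userBean.deleteUser}", or null. */
    private static String actionExpressionOf(UIComponent source) {
        if (source instanceof ActionSource2) {
            MethodExpression me = ((ActionSource2) source).getActionExpression();
            if (me != null) return me.getExpressionString();
        }
        if (source instanceof ActionSource) {   // JSF 1.1 style MethodBinding
            javax.faces.el.MethodBinding mb = ((ActionSource) source).getAction();
            if (mb != null) return mb.getExpressionString();
        }
        return null;
    }

    /**
     * Resolves "#{bean.method}" to the bean's public no-argument method.
     * Only this simple form is handled; anything else yields null.
     */
    private static Method resolveActionMethod(FacesContext ctx, String expr) {
        if (expr == null || !expr.startsWith("#{") || !expr.endsWith("}")) return null;
        String body = expr.substring(2, expr.length() - 1).trim();
        int dot = body.lastIndexOf('.');
        if (dot <= 0) return null;
        String beanName = body.substring(0, dot);
        String methodName = body.substring(dot + 1);
        // Same resolver JSF uses for "#{beanName}" (managed beans, scopes, ...)
        Object bean = ctx.getApplication().getELResolver()
                .getValue(ctx.getELContext(), null, beanName);
        if (bean == null) return null;
        try {
            return bean.getClass().getMethod(methodName);
        } catch (NoSuchMethodException e) {
            return null;
        }
    }

    private static boolean userHasAnyRole(FacesContext ctx, String[] roles) {
        for (String role : roles) {
            if (ctx.getExternalContext().isUserInRole(role)) return true;
        }
        return false;
    }
}
```

Two caveats a practitioner should weigh. As written the listener fails open: an action whose expression cannot be resolved to a public no-argument method (nested expressions, proxied beans whose subclass methods do not carry the annotation) is passed through unchecked; if you want fail-closed, deny in that case or keep an explicit allow-list of expressions per role. And only the component's action is guarded here: methods bound through actionListener="#{...}" are invoked by the component itself, not through the application ActionListener, so they need their own check.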
