Hi,
I found out, that configuring an action-listener in the facesconfig,
the action defined in the action-attribute of a commandButton is not
called anymore. Does this mean, that configuring an action-listener in
the facesconfig, this is the one and only actionlistener for all
actions and the actions defined in the attributes in the tags in the
jsp-page are ignored?
Best regards,
Rudi
On 5/16/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
Hi Petr, hi Martin,
I think the right way is to register an action-listener in the
faces-config and to determine in the method processAction(ActionEvent
event), if the current user has the role to execute this action.
Has anyone an idea, how to implement the role-check, maybe with
annotations on the method which is going to be called? How can I find
out from the event-param, which method in the backingbean is going to
be called by this action?
thanks a lot,
Rudi
On 5/15/07, Martin Marinschek <[EMAIL PROTECTED]> wrote:
> You wouldn't register a phase-listener, you'd rather decorate the
> action-listener to find a solution to this.
>
> faces-config.xml:
> <application>
> <action-listener>your decorator goes here</action-listener>
> </applicaton>
>
> ... the default-action listener calls all actions!
>
> regards,
>
> Martin
>
> On 5/15/07, Petr Kotek <[EMAIL PROTECTED]> wrote:
> > Hi Rudi,
> >
> > I am only begginer in JSF and I don't now if exisist better way to
> > handle login but next code may help You.
> >
> > PhaseListener
> > -------------------------------------------
> > public class LoginPhaseListener implements PhaseListener {
> > private final String LOGIN_SOURCE = "loginButton";
> > private final String METHOD_GET = "GET";
> > private final String MAIN_PAGE = "main.jsp";
> > private final String LOGIN_PAGE = "index.jsp";
> >
> > public LoginPhaseListener() {
> > }
> >
> > public PhaseId getPhaseId() {
> > return PhaseId.RESTORE_VIEW;
> > }
> >
> > public void beforePhase(PhaseEvent phaseEvent) {
> > }
> >
> > public void afterPhase(PhaseEvent phaseEvent) {
> > FacesContext ctx;
> > ExternalContext ex;
> > JSFSession session;
> > HttpServletRequest hsrq;
> > String login;
> > String password;
> > HttpServletResponse hrsp;
> >
> > ctx = phaseEvent.getFacesContext();
> > session =
> >
(JSFSession)ctx.getApplication().createValueBinding("#{JSFSession}").getValue(ctx);
> > if (!session.isLogged()) {
> > ex = ctx.getExternalContext();
> > try {
> > hsrq = (HttpServletRequest)ex.getRequest();
> > // If source is loginButton, then try doLogin
> > if (LOGIN_SOURCE.equalsIgnoreCase(hsrq.getParameter("source"))) {
> > // Get ifo from login page
> > login = hsrq.getParameter("login");
> > password = hsrq.getParameter("password");
> > // Check it
> > if ((login == null) || (password == null) || (login.length()
> > == 0) || (password.length() == 0)) {
> > ctx.addMessage(null, new
> > FacesMessage(FacesMessage.SEVERITY_ERROR, "Login or Password can't be
> > empty!", null));
> > } else if (session.doLogin(login, password)) {
> > if (METHOD_GET.equalsIgnoreCase(hsrq.getMethod())) {
> > // Special login (for debug app - autologin) from request
> > parameters (?source=loginButton&login=name&password=psw) - redirect to
> > main.jsp
> > ex.redirect(MAIN_PAGE);
> > }
> > } else {
> > ctx.addMessage(null, new
> > FacesMessage(FacesMessage.SEVERITY_ERROR, "Bad Login or Password!", null));
> > }
> > } else if (hsrq.getRequestURI().indexOf(LOGIN_PAGE) < 0) {
> > ctx.addMessage(null, new
> > FacesMessage(FacesMessage.SEVERITY_ERROR, "Session Logged Out or
> > Expired!", null));
> > ex.redirect(LOGIN_PAGE);
> > }
> > } catch (Exception e) {
> > e.printStackTrace();
> > ctx.addMessage(null, new
> > FacesMessage(FacesMessage.SEVERITY_ERROR, "Unexpected login error!",
> > e.getMessage()));
> > try {
> > ex.redirect(LOGIN_PAGE);
> > } catch (IOException f) {;}
> > }
> > }
> > }
> > }
> > -------------------------------------------
> > Navigation Handler
> > -------------------------------------------
> > public class LoginNavigationHandler extends NavigationHandler {
> > private final NavigationHandler deflNavHandler; // Original handler
> >
> > public LoginNavigationHandler(NavigationHandler navHandler) {
> > super();
> > deflNavHandler = navHandler;
> > }
> >
> > public void handleNavigation(FacesContext facesContext, String
> > fromAction, String outcome) {
> > JSFSession session;
> > try {
> > session =
> >
(JSFSession)facesContext.getApplication().createValueBinding("#{JSFSession}").getValue(facesContext);
> > if (!session.isLogged()) {
> > outcome = "logout";
> > }
> > } catch (Exception ex) {
> > ex.printStackTrace();
> > } finally {
> > deflNavHandler.handleNavigation(facesContext, fromAction, outcome);
> > }
> > }
> > }
> > -------------------------------------------
> >
> >
> > Where JSFSession is session bean with boolean .isLogged() and boolean
> > .doLogin(login, password) methods. Actually I checked login/password
> > against database table with valid users.
> >
> > Petr
> >
> >
> >
> > Rudi Steiner wrote:
> > > Hi Veit,
> > >
> > > I don't use spring, so I can't use this mechanism :(
> > >
> > > Is there a possibility to get the action to call over the facesContext?
> > >
> > > thanks,
> > > Rudi
> > >
> > > On 5/15/07, Walter Oliver (BR/ICI3) <[EMAIL PROTECTED]>
> > > wrote:
> > >> Frau Nolte wird heute abend 16:30 erste Testbestellungen absenden.
> > >>
> > >> Kunden können ebenso bereits bestellen.
> > >>
> > >> Gruss Oliver Walter
> > >>
> > >> > -----Ursprüngliche Nachricht-----
> > >> > Von: Veit Guna [mailto:[EMAIL PROTECTED]
> > >> > Gesendet: Dienstag, 15. Mai 2007 12:11
> > >> > An: MyFaces Discussion
> > >> > Betreff: Re: MyFaces and Security
> > >> >
> > >> > I didn't follow the whole thread, but isn't acegi (if you use
> > >> > spring) a solution? I use it to protect specific url's as
> > >> > well es method invocations on backing beans. Works fine for
> > >> > me (but I'm using spring). I must also admit, that I'm using
> > >> > jsf-spring to let spring create the backing beans for me (and
> > >> > thus let acegi take over security).
> > >> >
> > >> > /Veit
> > >> >
> > >> >
> > >> > -------- Original-Nachricht --------
> > >> > Datum: Tue, 15 May 2007 12:03:21 +0200
> > >> > Von: "Rudi Steiner" <[EMAIL PROTECTED]>
> > >> > An: "MyFaces Discussion" <[email protected]>
> > >> > Betreff: Re: MyFaces and Security
> > >> >
> > >> > > Hi Cagatay,
> > >> > >
> > >> > > thanks for the hint. This is definitely one step in making
> > >> > an jsf-app
> > >> > > secure.
> > >> > >
> > >> > > I would like to increase the security of my app by writing a
> > >> > > phaselistener, which checks the action the current request
> > >> > is calling
> > >> > > and makes sure, that the current user has the right to call this
> > >> > > action (example calling the method deleteUser() in a backingbean).
> > >> > >
> > >> > > Could anyone please tell me, how I can determine in a phaselistener
> > >> > > which action is going to be called in the current request?
> > >> > >
> > >> > > best regards,
> > >> > > Rudi
> > >> > >
> > >> > > On 5/14/07, Cagatay Civici <[EMAIL PROTECTED]> wrote:
> > >> > > > Hi,
> > >> > > >
> > >> > > > Regarding your concerns about the viewstate at client;
> > >> > > >
> > >> > > > http://wiki.apache.org/myfaces/Secure_Your_Application
> > >> > > >
> > >> > > > Cagatay
> > >> > > >
> > >> > > >
> > >> > > > On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
> > >> > > > > Hello,
> > >> > > > >
> > >> > > > > I'm in the final state of a project and thinking about,
> > >> > which is the
> > >> > > > > best way to make a myFaces-App secure (authentication,
> > >> > authorization,
> > >> > > > > ...)
> > >> > > > >
> > >> > > > > I'm thinking about the Tomcat build in mechanism or an
> > >> > alternative
> > >> > > > > like securityFilter. But thinking about it, I got some
> > >> > questions like,
> > >> > > > > how about to fake the view state on the client side.
> > >> > > > >
> > >> > > > > Could It be, that for example a normal user who knows the
> > >> > > > > applicationcode, fakes the viewstate on the client for
> > >> > a page which
> > >> > > > > has for example some commandbuttons which are rendered
> > >> > for an admin
> > >> > > > > but are not rendered for a normal user? Has anyone made
> > >> > experiences in
> > >> > > > > this area?
> > >> > > > >
> > >> > > > > thanks a lot,
> > >> > > > > Rudi
> > >> > > > >
> > >> > > >
> > >> > > >
> > >> >
> > >> > --
> > >> > GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS.
> > >> > Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
> > >> >
> > >>
> > >
> >
>
>
> --
>
> http://www.irian.at
>
> Your JSF powerhouse -
> JSF Consulting, Development and
> Courses in English and German
>
> Professional Support for Apache MyFaces
>
