I would have thought "initPage" would do what you're trying to do...
however, I think you're probably doing a lot more work than you need to do.
What you probably want to do is use the container's built-in
authentication so your application doesn't have to worry (much) about
it. Here's our "security" stuff from our web.xml file (this one is a
little more involved than most... but you should be able to get the point):
<security-constraint>
    <web-resource-collection>
        <web-resource-name>noaccess</web-resource-name>
        <url-pattern>/theme/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>noaccess</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>*.jsf</url-pattern>
        <url-pattern>/download/*</url-pattern>
        <url-pattern>/resource/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>public</web-resource-name>
        <url-pattern>/theme/com/sun/webui/*</url-pattern>
        <url-pattern>/theme/META-INF/*</url-pattern>
        <url-pattern>/resource/favicon.ico</url-pattern>
        <url-pattern>/resource/js/*</url-pattern>
        <url-pattern>/resource/css/*</url-pattern>
        <url-pattern>/resource/images/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>admin-realm</realm-name>
    <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/loginError.jsf</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>
You will need to set up a Realm in which to authenticate the user. Once
this is done, the container will ensure all your pages that are secure
(the ones in the "protected" group above, minus the ones allowed by
"public" above), are not accessed by anyone that is not authenticated.
If the above does not satisfy your requirements and you really do want
to write code on every page... I'd suggest including that code from a
common file (or using the ui:include mechanism that I need to get
checked in soon -- already available for the Facelets syntax). Also I
think that a "redirect" in an "if" from an "initPage" event should do
the trick.
Good luck!
Ken
Karam Singh Badesha wrote:
> Hi,
> I have implemented the login for my app and once successfully logged in I
> set up a session variable. Now I have the following questions:
>
> - where do I put the if statements on all of the pages to check if the
> session variable exists and has the correct value and also if true
> load the page normally otherwise redirect to the login page? I have
> tried putting if statements under initPage and beforeCreate events but
> it doesn't work. What is the best way to handle this kind of
> scenario? Is there any other way to take care of this? Any sample
> code I can look at?
>
> thanks
> Karam
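
Added example (not part of the original message or of the project's code): under the Servlet specification a security-constraint that lists http-method elements applies only to those methods, so a descriptor written like the one above can be audited for methods it leaves uncovered. The sketch assumes a descriptor without an XML namespace, checks each constraint in isolation, and ignores http-method-omission; the sample input and the function name uncovered_methods are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the descriptor in the message above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>*.jsf</url-pattern>
      <url-pattern>/download/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

STANDARD = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def uncovered_methods(xml_text):
    """Map each authenticated url-pattern to the standard methods its constraint omits."""
    root = ET.fromstring(xml_text)
    if root.find("deny-uncovered-http-methods") is not None:
        return {}  # Servlet 3.1+: the container denies uncovered methods
    gaps = {}
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no auth-constraint: resource is intentionally public
        for wrc in sc.iter("web-resource-collection"):
            listed = {m.text.strip() for m in wrc.findall("http-method")}
            if not listed:
                continue  # no http-method elements: every method is covered
            for pat in wrc.findall("url-pattern"):
                gaps[pat.text.strip()] = sorted(STANDARD - listed)
    return gaps

if __name__ == "__main__":
    for pattern, methods in uncovered_methods(WEB_XML).items():
        print(f"{pattern}: not covered for {', '.join(methods)}")
```

Removing the http-method elements from a constraint, or adding deny-uncovered-http-methods on Servlet 3.1 and later, closes the gaps this reports.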