Ken,
I am able to get what I want by just putting the check in the initPage.
And I have a common file that gets included everywhere, so this change
is just one line. Our security requirement is only that unauthorized
users should not be able to look at the reports (JSF pages only; we
don't really care if they look at the images etc.). Since all our
secure data is in the database, this is sufficient for us.
We can't really do anything in the appserver as our team doesn't have
access to it (actually no one except the admin has permission) or the
host. That is why our application has to be self-sustained. So using the
above fix, it will still be secure enough for us, as no one but the admin
has access to the appserver and the host where it's running.
thanks,
Karam
Karam Singh Badesha wrote:
> Ken,
> I can give this a try. In the login page do I need to set up something
> special to show that the login is successful? Can you define the flow
> and if there is anything that I need to specify/set in success and
> failure cases? Please let me know and I will give it a try tomorrow.
>
> thanks
> Karam
>
> Ken Paulsen wrote:
>>
>> I would have thought "initPage" would do what you're trying to do...
>> however, I think you're probably doing a lot more work than you need
>> to do.
>>
>> What you probably want to do is use the container's built-in
>> authentication so your application doesn't have to worry (much) about
>> it. Here's our "security" stuff from our web.xml file (this one is a
>> little more involved than most... but you should be able to get the
>> point):
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>noaccess</web-resource-name>
>>     <url-pattern>/theme/*</url-pattern>
>>     <http-method>DELETE</http-method>
>>     <http-method>GET</http-method>
>>     <http-method>POST</http-method>
>>     <http-method>PUT</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>noaccess</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>protected</web-resource-name>
>>     <url-pattern>*.jsf</url-pattern>
>>     <url-pattern>/download/*</url-pattern>
>>     <url-pattern>/resource/*</url-pattern>
>>     <http-method>DELETE</http-method>
>>     <http-method>GET</http-method>
>>     <http-method>POST</http-method>
>>     <http-method>PUT</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>admin</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>public</web-resource-name>
>>     <url-pattern>/theme/com/sun/webui/*</url-pattern>
>>     <url-pattern>/theme/META-INF/*</url-pattern>
>>     <url-pattern>/resource/favicon.ico</url-pattern>
>>     <url-pattern>/resource/js/*</url-pattern>
>>     <url-pattern>/resource/css/*</url-pattern>
>>     <url-pattern>/resource/images/*</url-pattern>
>>     <http-method>GET</http-method>
>>   </web-resource-collection>
>> </security-constraint>
>> <login-config>
>>   <auth-method>FORM</auth-method>
>>   <realm-name>admin-realm</realm-name>
>>   <form-login-config>
>>     <form-login-page>/login.jsf</form-login-page>
>>     <form-error-page>/loginError.jsf</form-error-page>
>>   </form-login-config>
>> </login-config>
>> <security-role>
>>   <role-name>admin</role-name>
>> </security-role>
>>
>> You will need to set up a Realm in which to authenticate the user.
>> Once this is done, the container will ensure all your pages that are
>> secure (the ones in the "protected" group above, minus the ones
>> allowed by "public" above) are not accessed by anyone that is not
>> authenticated.
>>
>> If the above does not satisfy your requirements and you really do
>> want to write code on every page... I'd suggest including that code
>> from a common file (or using the ui:include mechanism that I need to
>> get checked in soon -- already available for the Facelets syntax).
>> Also I think that a "redirect" in an "if" from an "initPage" event
>> should do the trick.
>>
>> Good luck!
>>
>> Ken
>>
>> Karam Singh Badesha wrote:
>>> Hi,
>>> I have implemented the login for my app and once successfully logged
>>> in I set up a session variable. Now I have the following questions:
>>>
>>> - where do I put the if statements on all of the pages to check if
>>> the session variable exists and has the correct value and also if
>>> true load the page normally otherwise redirect to the login page? I
>>> have tried putting if statements under initPage and beforeCreate
>>> events but it doesn't work. What is the best way to handle this kind
>>> of scenario? Is there any other way to take care of this? Any
>>> sample code I can look at?
>>>
>>> thanks
>>> Karam
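
For anyone reading this thread later: the example below is added here and is not code from Ken or Karam. It transcribes the three constraints in Ken's web.xml and applies the Servlet spec's request-processing rule (best-matching url-pattern first, then only the http-methods listed at that pattern are constrained), so a path and method can be checked against what the container will actually enforce; it makes visible that a method not listed at the winning pattern, such as HEAD on *.jsf, is not constrained there at all, which is what Servlet 3.0 later added http-method-omission for.

```python
# Added example (not code from the thread): transcribes the constraints in Ken's
# web.xml and evaluates requests the way the Servlet spec (section 13.8.3) says to.

# (url-patterns, http-methods, roles); roles=None means no <auth-constraint>, i.e. open.
CONSTRAINTS = [
    (["/theme/*"], {"DELETE", "GET", "POST", "PUT"}, {"noaccess"}),
    (["*.jsf", "/download/*", "/resource/*"], {"DELETE", "GET", "POST", "PUT"}, {"admin"}),
    (["/theme/com/sun/webui/*", "/theme/META-INF/*", "/resource/favicon.ico",
      "/resource/js/*", "/resource/css/*", "/resource/images/*"], {"GET"}, None),
]


def _match_rank(pattern, path):
    """Rank a url-pattern match: exact > longest path prefix > extension; None if none."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return None


def decide(path, method, constraints=CONSTRAINTS):
    """Return "public", or the frozenset of roles required (empty = nobody may access).
    Spec 13.8.3: pick the single best-matching url-pattern across all constraints, then
    apply only the constraints naming that pattern AND this method; an unlisted method
    is not constrained there at all."""
    best, best_rank = None, None
    for patterns, _, _ in constraints:
        for pat in patterns:
            rank = _match_rank(pat, path)
            if rank is not None and (best_rank is None or rank > best_rank):
                best, best_rank = pat, rank
    if best is None:
        return "public"                        # no pattern covers this path at all
    applicable = [roles for patterns, methods, roles in constraints
                  if best in patterns and method.upper() in methods]
    if not applicable or None in applicable:
        return "public"                        # method unlisted here, or a no-auth rule wins
    return frozenset().union(*applicable)      # union of role names; empty means deny all


def accessible_by(path, method, user_roles=frozenset()):
    """True if a caller holding user_roles (empty = anonymous) can reach the resource."""
    verdict = decide(path, method)
    return verdict == "public" or bool(verdict & frozenset(user_roles))
```

The realm-to-role mapping lives outside web.xml, so decide() reports the role names the container will demand (for example "noaccess", which nobody is mapped to), not who holds them.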