dev@jsftemplating.java.net

Re: JSFTemplating: Login related questions

From: Ken Paulsen <Ken.Paulsen_at_Sun.COM>
Date: Wed, 12 Sep 2007 12:33:36 -0700

Ok, sounds good! I'm glad it's working for you now.

Thanks,

Ken

Karam Singh Badesha wrote:
> Ken,
> I am able to get what I want by just putting the check in the
> initPage. And I have a common file that gets included everywhere, so
> this change is just one line. Our security requirement is only that
> unauthorized users should not be able to look at the reports (JSF
> pages only; we don't really care whether they look at the images
> etc.). Since all our secure data is in the database, this is sufficient
> for us.
>
> We can't really do anything in the appserver as our team doesn't have
> access to it (actually no one except the admin has permission) or the
> host. That is why our application has to be self-sustained. So using
> the above fix, it will still be secure enough for us as no one but the
> admin has access to the appserver and the host where it's running.
>
> thanks,
> Karam
>
> Karam Singh Badesha wrote:
>> Ken,
>> I can give this a try. In the login page do I need to setup something
>> special to show that the login is successful? Can you define the flow
>> and if there is anything that I need to specify/set in success and
>> failure cases? Please let me know and I will give it a try tomorrow.
>>
>> thanks
>> Karam
>>
>> Ken Paulsen wrote:
>>>
>>> I would have thought "initPage" would do what you're trying to do...
>>> however, I think you're probably doing a lot more work than you need
>>> to do.
>>>
>>> What you probably want to do is use the container's built-in
>>> authentication so your application doesn't have to worry (much)
>>> about it. Here's our "security" stuff from our web.xml file (this
>>> one is a little more involved than most... but you should be able to
>>> get the point):
>>>
>>> <!-- Nobody is ever granted the "noaccess" role, so this denies the
>>>      whole /theme/ tree; the "public" constraint further down re-opens
>>>      the few subdirectories that must be served. -->
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>noaccess</web-resource-name>
>>>     <url-pattern>/theme/*</url-pattern>
>>>     <!-- Deliberately no <http-method> list here. A constraint that
>>>          names methods covers only those methods, so listing
>>>          GET/POST/PUT/DELETE leaves HEAD, OPTIONS, TRACE and any other
>>>          method unconstrained (HTTP verb tampering). With no list the
>>>          constraint applies to every method. -->
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>noaccess</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>protected</web-resource-name>
>>>     <url-pattern>*.jsf</url-pattern>
>>>     <url-pattern>/download/*</url-pattern>
>>>     <url-pattern>/resource/*</url-pattern>
>>>     <!-- Again no <http-method> list: all methods require "admin". -->
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>admin</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>public</web-resource-name>
>>>     <url-pattern>/theme/com/sun/webui/*</url-pattern>
>>>     <url-pattern>/theme/META-INF/*</url-pattern>
>>>     <url-pattern>/resource/favicon.ico</url-pattern>
>>>     <url-pattern>/resource/js/*</url-pattern>
>>>     <url-pattern>/resource/css/*</url-pattern>
>>>     <url-pattern>/resource/images/*</url-pattern>
>>>     <!-- Only GET is opened up; static files never need anything else. -->
>>>     <http-method>GET</http-method>
>>>   </web-resource-collection>
>>>   <!-- No <auth-constraint> at all means unauthenticated access is
>>>        permitted to these resources. -->
>>> </security-constraint>
>>> <login-config>
>>>   <auth-method>FORM</auth-method>
>>>   <realm-name>admin-realm</realm-name>
>>>   <form-login-config>
>>>     <form-login-page>/login.jsf</form-login-page>
>>>     <form-error-page>/loginError.jsf</form-error-page>
>>>   </form-login-config>
>>> </login-config>
>>> <!-- Every role referenced in an <auth-constraint> should be declared
>>>      here, including the one nobody is mapped to. -->
>>> <security-role>
>>>   <role-name>admin</role-name>
>>> </security-role>
>>> <security-role>
>>>   <role-name>noaccess</role-name>
>>> </security-role>
>>>
>>> You will need to set up a Realm in which to authenticate the user.
>>> Once this is done, the container will ensure all your pages that are
>>> secure (the ones in the "protected" group above, minus the ones
>>> allowed by "public" above), are not accessed by anyone that is not
>>> authenticated.
>>>
>>> If the above does not satisfy your requirements and you really do
>>> want to write code on every page... I'd suggest including that code
>>> from a common file (or using the ui:include mechanism that I need to
>>> get checked in soon -- already available for the Facelets syntax).
>>> Also I think that a "redirect" in an "if" from an "initPage" event
>>> should do the trick.
>>>
>>> Good luck!
>>>
>>> Ken
>>>
>>> Karam Singh Badesha wrote:
>>>> Hi,
>>>> I have implemented the login for my app and once successfully
>>>> logged in I set up a session variable. Now I have the following
>>>> questions:
>>>>
>>>> - Where do I put the if statements on all of the pages to check if
>>>> the session variable exists and has the correct value and, if
>>>> true, load the page normally, otherwise redirect to the login page? I
>>>> have tried putting if statements under initPage and beforeCreate
>>>> events but it doesn't work. What is the best way to handle this
>>>> kind of scenario? Is there any other way to take care of this? Any
>>>> sample code I can look at?
>>>>
>>>> thanks
>>>> Karam
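
The thread above ends with Karam doing the session check in an initPage
handler included on every page. A third way to get the same result, sitting
between Ken's container-managed security and a per-page check, is a servlet
Filter: the container invokes it for every request matching its mapping, for
every HTTP method, and the pages themselves carry no login code. The class
below is an added example written for this page; it is not code from the
thread or from JSFTemplating. The session attribute name "authenticatedUser",
the package name and the filter name are assumptions; the login page paths are
the ones from Ken's web.xml.

```java
package com.example.web; // assumed package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Redirects any request for a *.jsf page to the login page unless the
 * session carries the attribute that the login page sets on success.
 *
 * web.xml registration (the filter applies to every request matching the
 * pattern, whatever the HTTP method, so HEAD or OPTIONS cannot bypass it):
 *
 *   <filter>
 *     <filter-name>loginCheck</filter-name>
 *     <filter-class>com.example.web.LoginCheckFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>loginCheck</filter-name>
 *     <url-pattern>*.jsf</url-pattern>
 *   </filter-mapping>
 */
public class LoginCheckFilter implements Filter {

    /**
     * Assumed attribute name. The login page must set it only after the
     * credentials have been verified; invalidating the old session and
     * creating a fresh one at that moment also prevents session fixation.
     */
    static final String USER_ATTRIBUTE = "authenticatedUser";

    // Paths from the web.xml in Ken's reply; these must stay reachable
    // without a session, otherwise nobody could ever log in.
    static final String LOGIN_PAGE = "/login.jsf";
    static final String LOGIN_ERROR_PAGE = "/loginError.jsf";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/reports/summary.jsf".
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }

        // Let the login pages through unconditionally.
        if (LOGIN_PAGE.equals(path) || LOGIN_ERROR_PAGE.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) returns null rather than creating a session for
        // an anonymous visitor, so unauthenticated hits cost no server state.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTRIBUTE) == null) {
            // Not logged in: redirect and stop; the page is never rendered.
            // sendRedirect treats a leading "/" as container-relative, hence
            // the context path prefix.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Logged in: continue to the requested page.
        chain.doFilter(req, res);
    }
}
```

Compared with the initPage approach, the filter runs before JSF builds the
view, so a redirect here never renders any part of the protected page; and
because a filter mapping is not restricted by HTTP method, it does not have
the uncovered-method gap that an explicit <http-method> list in a
security-constraint can leave. It still protects only the URL patterns it is
mapped to, which matches the requirement stated in the thread (JSF pages
only, not images).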