Posted to users@myfaces.apache.org by bansi <ma...@yahoo.com> on 2007/05/22 03:04:33 UTC

JSF PhaseListener VS Servlet Filter

We use a homegrown security application
which, on successful authentication, returns the RequestHeader variables, i.e.
employee Id etc.
We use JSF, Spring and Hibernate.
Wondering whether I should use a JSF PhaseListener or a Servlet Filter to retrieve
RequestHeader variables. This is what I am doing currently; not sure it's best
practice though. Any suggestions/pointers highly appreciated.
 
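import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import org.apache.commons.lang.StringUtils;   // assumed: the post does not show which StringUtils is used
import org.apache.commons.logging.Log;        // assumed: the post does not show the logger type
import org.apache.commons.logging.LogFactory;

public class LoginPhaseListener implements PhaseListener
{
    private static final Log logger = LogFactory.getLog(LoginPhaseListener.class);

    // Required by PhaseListener; RESTORE_VIEW is assumed (the post does not show this method).
    public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; }

    // Required by PhaseListener; nothing to do before the phase.
    public void beforePhase(PhaseEvent pe) { }

    public void afterPhase(PhaseEvent pe)
    {
        FacesContext facesContext = pe.getFacesContext();
        String viewId = facesContext.getViewRoot().getViewId();
        if (viewId.endsWith(".xhtml")) {
            // Look up the managed bean named after the view and call its page-load hook.
            String managedBeanName = getManagedBeanNameFromView(viewId);
            Object object = facesContext.getApplication()
                .createValueBinding("#{" + managedBeanName + "}").getValue(facesContext);
            if (object == null)
                logger.error("OnPageLoad cannot be executed, no such managed bean:" + managedBeanName);
            else {
                Login loginBean = (Login) object;
                loginBean.onPageLoad();
            }
        }
    }

    // Strip the leading "/" and the ".xhtml" suffix from the view id, then append "Bean".
    public String getManagedBeanNameFromView(String viewId) {
        String pageName = viewId.substring(1, viewId.length() - 6);
        System.out.println("Name=" + StringUtils.capitalize(pageName) + "Bean");
        return pageName + "Bean";
    }
}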
 
JSF Backing Bean:
 
import java.util.Map;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

public class LoginBean implements Login {

    public void onPageLoad() {
        //System.out.println("***Inside onPageLoad******");
        Map requestHeaderMap =
            FacesContext.getCurrentInstance().getExternalContext().getRequestHeaderMap();
        String empID = (String) requestHeaderMap.get("EmployeeID");
        // Retrieve UserId and User roles from database and populate it with POJO
        // (the lookup that produces userId and userRoles is not shown in the post)
        UserInfo userInfo = new UserInfo(); // pojo
        userInfo.setUserId(userId);
        userInfo.setUserRoles(userRoles);
        /* Store in Session so as to make it available to Spring Layer */
        HttpSession userSession =
            (HttpSession) FacesContext.getCurrentInstance().getExternalContext()
                .getSession(true);
        userSession.setAttribute("userInfo", userInfo);
    }
}
 
I am also using a Servlet Filter to retrieve the Session object:

public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    // grab the current value from the session
    UserInfo userInfo = (UserInfo) request.getSession().getAttribute("userInfo");
    // Update the user info bean holder for the current thread.
    UserInfoHolder.setUserInfo(userInfo);  // ThreadLocal object
    try {
        // call the chain
        //System.out.println("In Security Filter");
        chain.doFilter(req, resp);
    } finally {
        // threadLocal no longer needed (will be recreated next time through the filter);
        // clear it so a pooled worker thread does not keep this user's info after the request
        UserInfoHolder.setUserInfo(null);
    }
}
 
Now I am thinking: instead of using the PhaseListener, can't I just use the Servlet
Filter to retrieve the RequestHeader variables and make the connection to the database,
instead of using HttpSession?
 
Not sure if it's best practice though, and also how to retrieve RequestHeader
variables in a Servlet Filter.
 
Regards
Bansi

-- 
View this message in context: http://www.nabble.com/JSF-PhaseListener-VS-Servlet-Filter-tf3793704.html#a10729899
Sent from the MyFaces - Users mailing list archive at Nabble.com.


Re: JSF PhaseListener VS Servlet Filter

Posted by Andrew Robinson <an...@gmail.com>.
When I wrote our custom security layer, I used a ServletFilter and not
a PhaseListener. The reason I did this is to be able to secure
non-Faces URLs (css, js, downloadable resources). If I only wanted to
secure Faces resources, a PhaseListener would have been adequate.

So I would recommend that if you only want to secure Faces
requests/views, use a PhaseListener or, better in my opinion, a custom
view handler (and secure createView/restoreView). If you want to
secure things outside of Faces, use a servlet filter.

As for retrieving HTTP header variables, that is part of the servlet
specification, not the JSF specification, so it is just as easy, or
slightly easier, to get it in a servlet filter versus a phase
listener.

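Added example, not code from either post: a servlet filter that reads the "EmployeeID" header discussed in this thread, treats it as an identity only when the request arrives from the authentication front end, and clears its ThreadLocal after every request. The class name, the "trustedProxy" init-param, the ID pattern and the "employeeId" session attribute are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

public class EmployeeHeaderFilter implements Filter {
    // Assumed ID format; adjust to whatever the security application really issues.
    private static final Pattern EMP_ID = Pattern.compile("[A-Za-z0-9]{1,16}");
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<String>();
    private String trustedProxy; // IP address of the authentication front end (assumed init-param)

    public void init(FilterConfig cfg) throws ServletException {
        trustedProxy = cfg.getInitParameter("trustedProxy");
        if (trustedProxy == null) throw new ServletException("trustedProxy init-param is required");
    }

    // Lets the Spring layer read the identity without touching HttpSession.
    public static String currentEmployeeId() { return CURRENT.get(); }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // Any client can send an EmployeeID header, so it only counts as an identity
        // when the request was forwarded by the authentication front end.
        if (!trustedProxy.equals(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String empId = request.getHeader("EmployeeID"); // header names are case-insensitive
        if (empId == null || !EMP_ID.matcher(empId).matches()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = request.getSession(true);
        Object bound = session.getAttribute("employeeId");
        if (bound != null && !bound.equals(empId)) {
            // A different employee on the same session: drop everything cached for the old one.
            session.invalidate();
            session = request.getSession(true);
        }
        session.setAttribute("employeeId", empId);
        CURRENT.set(empId);
        try {
            chain.doFilter(req, resp);
        } finally {
            CURRENT.remove(); // worker threads are pooled; never leave an identity behind
        }
    }
    public void destroy() { }
}
```

Mapping this filter to /* in web.xml covers the non-Faces resources (css, js, downloads) mentioned in the reply as well as the Faces views.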