Posted to users@myfaces.apache.org by SO...@austin.rr.com on 2007/05/04 19:59:06 UTC

Re: Navigation to and from an HTTPS URL - One Last Question

Andrew,

In your response, you wrote "build the full URL including 'https'". 
However, when you get the viewId in handleNavigation, it has the actual
file name, e.g., "page.xhtml" (I am using facelets).  However, I think
(maybe I am wrong) that an actual URL has to be of the form "page.jsf"
(if using ".jsf" as the filter url-pattern).  Would it be safe to simply
replace ".xhtml" with ".jsf" to form the URL (along with "https://")? 
Or is there a way to change the protocol to HTTPS and then just use the
same viewId (without the "secure:" prefix)?

Thanks!

----- Original Message -----
From: Andrew Robinson <an...@gmail.com>
Date: Thursday, May 3, 2007 1:41 pm
Subject: Re: Navigation to and from an HTTPS URL
To: MyFaces Discussion <us...@myfaces.apache.org>

> > > For the custom navigation handler, I don't have an example, but you
> > > could just set up some kind of pattern that you could parse via regex.
> > > Something like
> > >
> > > secure:/myview.xhtml
> > >
> > > Then in the navigation handler, see:
> > > private final static String SECURE = "secure:";
> > > ...
> > > if (viewId.startsWith(SECURE))
> > > {
> > >  viewId = viewId.substring(SECURE.length());
> > >  // see if the HttpServletRequest.isSecure() returns false
> > >  // if so then:
> > >  // get the faces external context
> > >  // build the full URL including "https"
> > >  // call external context.redirect
> > >  // call context.responseComplete();
> > > }
> > > else ...
> > >


Re: Navigation to and from an HTTPS URL - One Last Question

Posted by Andrew Robinson <an...@gmail.com>.
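  import java.io.IOException;
  import javax.faces.FacesException;
  import javax.faces.context.FacesContext;
  import javax.servlet.http.HttpServletRequest;

  private final static String SECURE_PREFIX = "secure:";

  @Override
  public void handleNavigation(FacesContext context, String fromAction,
    String outcome)
  {
    // outcome in the format of "secure:viewid"
    if (outcome != null && outcome.startsWith(SECURE_PREFIX))
    {
      String viewId = outcome.substring(SECURE_PREFIX.length());
      // note, this will only work for servlets, not portlets
      HttpServletRequest req = (HttpServletRequest)context
        .getExternalContext().getRequest();
      if (!req.isSecure())
      {
        // getActionURL maps the view ID onto the FacesServlet mapping (with
        // suffix mapping the extension becomes the mapped one, e.g. ".jsf")
        // and already prepends the context path
        String url = context.getApplication().getViewHandler()
            .getActionURL(context, viewId);
        if (url != null)
        {
          url = context.getExternalContext().encodeActionURL(url);
          // the context path is not appended again, url already starts with it
          StringBuilder sb = new StringBuilder("https://")
            .append(req.getServerName()) // TODO: support alternate port #
            .append(url);

          try
          {
            // ExternalContext offers redirect(String), not sendRedirect(String)
            context.getExternalContext().redirect(sb.toString());
          }
          catch (IOException e)
          {
            throw new FacesException(e);
          }
          context.responseComplete();
        }
      }
    }
    else
      super.handleNavigation(context, fromAction, outcome);
  }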


Note that this approach requires that your outcome is in a viewID format.

Other ideas to avoid that are to (1) use a custom view handler (and
parse the view ID there), (2) use a custom servlet filter to ensure
are secure (and make sure this filter fires on REQUEST, FORWARD and
INCLUDE) or (3) use web.xml to ensure the URL is secure/confidential,
and use <redirect /> in your navigation cases.

There may be other possibilities, but none are out of the box with JSF
1.1 (or 1.2 that I know of). If the navigation handler would have a
"String getViewId(FacesContext, String, String)" method, it would be
much better, but it doesn't (I've requested it be added to the
specification, but not sure how that is coming along).

-Andrew


On 5/4/07, SOSELLA@austin.rr.com <SO...@austin.rr.com> wrote:
> Andrew,
>
> In your response, you wrote "build the full URL including 'https'".
> However, when you get the viewId in handleNavigation, it has the actual
> file name, e.g., "page.xhtml" (I am using facelets).  However, I think
> (maybe I am wrong) that an actual URL has to be of the form "page.jsf"
> (if using ".jsf" as the filter url-pattern).  Would it be safe to simply
> replace ".xhtml" with ".jsf" to form the URL (along with "https://")?
> Or is there a way to change the protocol to HTTPS and then just use the
> same viewId (without the "secure:" prefix)?
>
> Thanks!
>
> ----- Original Message -----
> From: Andrew Robinson <an...@gmail.com>
> Date: Thursday, May 3, 2007 1:41 pm
> Subject: Re: Navigation to and from an HTTPS URL
> To: MyFaces Discussion <us...@myfaces.apache.org>
>
> > > > For the custom navigation handler, I don't have an example, but you
> > > > could just set up some kind of pattern that you could parse via regex.
> > > > Something like
> > > >
> > > > secure:/myview.xhtml
> > > >
> > > > Then in the navigation handler, see:
> > > > private final static String SECURE = "secure:";
> > > > ...
> > > > if (viewId.startsWith(SECURE))
> > > > {
> > > >  viewId = viewId.substring(SECURE.length());
> > > >  // see if the HttpServletRequest.isSecure() returns false
> > > >  // if so then:
> > > >  // get the faces external context
> > > >  // build the full URL including "https"
> > > >  // call external context.redirect
> > > >  // call context.responseComplete();
> > > > }
> > > > else ...
> > > >
>
>
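An added example, not part of the original thread or of MyFaces: building the HTTPS redirect target from a configured host and port instead of req.getServerName(), which the client can influence through the Host header, and covering the alternate-port TODO in the handler above. HTTPS_HOST, HTTPS_PORT and toHttpsUrl are hypothetical names, and the servlet and JSF calls are left out so the class runs stand-alone.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SecureRedirectUrl {
    // Assumed deployment settings (hypothetical); read them from configuration
    // rather than from the request, whose Host header the client controls.
    static final String HTTPS_HOST = "www.example.com";
    static final int HTTPS_PORT = 8443;

    // actionUrl is what getActionURL() + encodeActionURL() return, e.g.
    // "/app/page.jsf": server-relative, with the context path already included.
    static String toHttpsUrl(String actionUrl) {
        if (actionUrl == null || !actionUrl.startsWith("/")
                || actionUrl.startsWith("//") || actionUrl.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("not a server-relative path");
        }
        for (char c : actionUrl.toCharArray()) {
            if (c <= 0x20 || c == 0x7f) { // CR/LF could split the Location header
                throw new IllegalArgumentException("whitespace or control character");
            }
        }
        try {
            new URI(actionUrl); // syntax check only, the result is not needed
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        StringBuilder sb = new StringBuilder("https://").append(HTTPS_HOST);
        if (HTTPS_PORT != 443) {
            sb.append(':').append(HTTPS_PORT); // the alternate-port case
        }
        return sb.append(actionUrl).toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two valid action URLs, three rejected ones.
        String[] samples = { "/app/page.jsf", "/app/page.jsf;jsessionid=A1?x=1",
                             "//other.example/page.jsf", "page.jsf",
                             "/app/page.jsf\r\nX-Injected: 1" };
        for (String s : samples) {
            try {
                System.out.println("OK       " + toHttpsUrl(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + e.getMessage());
            }
        }
    }
}
```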