Posted to users@myfaces.apache.org by Varma Dendukuri <vd...@gmail.com> on 2007/02/15 19:12:30 UTC

[Tobago] Security Filter

Hi,

I'm using the following SecurityFilter for my application. But when the user
clicks the logout link, it runs into an infinite loop.

Any guesses why this is running into an infinite loop? I'd be glad if someone
could provide a sample security filter implemented for Tobago.

---- faces-config.xml
<navigation-case>
    <from-outcome>logout</from-outcome>
    <to-view-id>/jsp/login.jsp</to-view-id>
    <redirect/>
</navigation-case>


----- Logout Code in Backing Bean

public String logout()
{
    FacesContext facesContext = FacesContext.getCurrentInstance();
    HttpSession session = (HttpSession)
                  facesContext.getExternalContext().getSession(false);
    if(session != null){
        session.invalidate();
    }
    return "logout";
}

------ SecurityFilter

public class SessionFilter implements Filter
{
    Logger logger = Logger.getLogger(SessionFilter.class);

    /**
     * Holds all the Page Names that does not require Authentication.
     */
    private static List<String> NON_SECURED_PAGES = new ArrayList<String>();
    static{
        NON_SECURED_PAGES.add("login.faces");
    }

    /**
     * Creates Instance of Session Filter
     */
    public SessionFilter()
    {
        logger.debug("SessionFilter Instance Created");
    }

    /**
     *
     * @param filterConfig
     * @throws javax.servlet.ServletException
     */
    public void init( FilterConfig filterConfig ) throws ServletException
    {
        this.filterConfig = filterConfig;
    }

    /**
     * Filter the Request
     */
    public void doFilter(ServletRequest servletRequest,
                         ServletResponse servletResponse,
                         FilterChain filterChain )
        throws IOException, ServletException
    {
        if(filterConfig == null) {
            return;
        }

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        boolean sessionExpired = false;
        HttpSession session = request.getSession(false);

        if(session == null) {
            // TODO ** Add a message saying Session is expired
            sessionExpired = true;
        }

        if(!sessionExpired) {
            User user = (User)session.getAttribute("user");

            boolean isSecuredPage = isAccessingSecuredPage(request);

            if(logger.isDebugEnabled()){
                logger.debug("--------------------------------------------------------");
                logger.debug("Page Information :");
                logger.debug("Request URL :" + request.getRequestURL());
                logger.debug("Sevlet Path :" + request.getServletPath());
                logger.debug("---------------------------------------------------------");
            }

            if(isSecuredPage  && (user ==  null)) {

                // TODO ** Add a message saying Authentication is Required
                //         to Access the Page
                sessionExpired =  true;
            }
        }

        if(sessionExpired) {
            logger.debug("Session Expired !! Redirecting to login.jsp ");
            response.sendRedirect(request.getContextPath() + "/login.faces");
        }
        else {
            filterChain.doFilter( servletRequest, servletResponse );
        }
    }

    /**
     * Helper API to check whether the user is Accessing the Secured
     * Page or Not, If Accessing the SecuredPage returns <code>true</code>
     * otherwise returns <code>false</code>
     *
     * @param request   The HttpServletRequest that has to be Processed
     *
     * @return If Accessing the SecuredPage returns <code>true</code>
     *         otherwise returns <code>false</code>
     */
    protected boolean isAccessingSecuredPage(HttpServletRequest request)
    {
        String servletPath = request.getServletPath();
        for(String nonSecuredPage : NON_SECURED_PAGES) {
            if(servletPath.indexOf(nonSecuredPage) >= 0) {
                return false;
            }
        }
        return true;
    }


    public void destroy() {
        filterConfig = null;
    }

    private FilterConfig filterConfig = null;
}


-- Log

22:47:26,296 DEBUG [SessionFilter]
--------------------------------------------------------
22:47:26,296 DEBUG [SessionFilter] Page Information :
22:47:26,296 DEBUG [SessionFilter] Request URL :
http://localhost:8080/Store/jsp/storeFront.faces
22:47:26,296 DEBUG [SessionFilter] Sevlet Path :/jsp/storeFront.faces
22:47:26,296 DEBUG [SessionFilter]
---------------------------------------------------------
22:47:26,359 DEBUG [LogoutController] User logged out !!
22:47:26,375 DEBUG [SessionFilter] Session Expired !! Redirecting to
login.jsp false
22:47:26,406 DEBUG [SessionFilter] Session Expired !! Redirecting to
login.jsp false
22:47:26,406 DEBUG [SessionFilter] Session Expired !! Redirecting to
login.jsp false
22:47:26,421 DEBUG [SessionFilter] Session Expired !! Redirecting to
login.jsp false
---

Regards,
Varma
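
Added example (not Varma's code and not part of the original thread): a filter whose public-path check runs before the session check. In the filter above, the NON_SECURED_PAGES test only runs inside `if(!sessionExpired)`, so once logout() has invalidated the session every request arrives with `session == null` and is redirected to `/login.faces`; that redirected request also has no session, so the filter redirects again before isAccessingSecuredPage() is ever consulted, which is the repeating "Session Expired" line in the log. Below, the decision is a pure function so it can be unit-tested without a container, the public set is matched exactly on the servlet path rather than with indexOf (a substring match would also whitelist any path that merely contains "login.faces"), and the redirect target is itself in the public set. The class and constant names (SessionFilterExample, LOGIN_PATH, USER_ATTRIBUTE, PUBLIC_PATHS), the `/jsp/login.faces` and `/jsp/logout.faces` paths and the "user" session attribute are assumptions for the example; it needs only the javax.servlet API that the thread's code already uses.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Session filter that cannot redirect-loop: the public-path check runs
 * before the session check, so a request for the login page is always
 * passed through, even right after logout when no session exists.
 * Hypothetical example class, not the code from the thread.
 */
public class SessionFilterExample implements Filter {

    /** Where unauthenticated requests for protected pages are sent (assumed login view). */
    static final String LOGIN_PATH = "/jsp/login.faces";

    /** Session attribute the login code is assumed to set on success. */
    static final String USER_ATTRIBUTE = "user";

    /** Exact servlet paths that never require authentication. */
    static final Set<String> PUBLIC_PATHS;
    static {
        Set<String> s = new HashSet<String>();
        s.add(LOGIN_PATH);          // the redirect target MUST be public, or it loops
        s.add("/jsp/logout.faces"); // assumed logout view
        PUBLIC_PATHS = Collections.unmodifiableSet(s);
    }

    /** Outcome of the access decision, kept separate so it can be unit-tested. */
    enum Decision { ALLOW, REDIRECT_TO_LOGIN }

    /**
     * Pure decision function. Exact match on the servlet path, not indexOf,
     * and evaluated before looking at the session at all.
     */
    static Decision decide(String servletPath, boolean hasSession, boolean hasUser) {
        if (PUBLIC_PATHS.contains(servletPath)) {
            return Decision.ALLOW;           // checked first: this breaks the loop
        }
        if (!hasSession || !hasUser) {
            return Decision.REDIRECT_TO_LOGIN;
        }
        return Decision.ALLOW;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure in this example
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);  // never create one in a filter
        boolean hasUser = session != null && session.getAttribute(USER_ATTRIBUTE) != null;

        switch (decide(request.getServletPath(), session != null, hasUser)) {
            case ALLOW:
                chain.doFilter(req, res);
                break;
            case REDIRECT_TO_LOGIN:
                // Send the browser to the login view and write nothing else.
                response.sendRedirect(request.getContextPath() + LOGIN_PATH);
                break;
        }
    }

    public void destroy() {
    }

    /** Walks the logout sequence from the thread through the decision function. */
    public static void main(String[] args) {
        // 1. Logged-in user requests a protected page.
        System.out.println("/jsp/storeFront.faces, session+user -> "
                + decide("/jsp/storeFront.faces", true, true));
        // 2. logout() invalidated the session and the browser now asks for the
        //    login page with NO session: must be allowed, not redirected again.
        System.out.println("/jsp/login.faces, no session        -> "
                + decide("/jsp/login.faces", false, false));
        // 3. The same session-less browser asks for a protected page: one redirect.
        System.out.println("/jsp/storeFront.faces, no session   -> "
                + decide("/jsp/storeFront.faces", false, false));
    }
}
```

main() only exercises decide(), so it runs without a servlet container. Two further things to line up when adapting this to the thread's setup: the filter above redirects to contextPath + "/login.faces" while the faces-config navigation case points at /jsp/login.jsp, so the filter's target and the navigation target should be the same view, and that view must be in the public set.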

Re: [Tobago] Security Filter

Posted by Varma Dendukuri <vd...@gmail.com>.
Hi Bernd,

Thanks for the info. Now I have replaced my SecurityFilter with the
PhaseListener.

http://tech.groups.yahoo.com/group/jsf-developers/message/471

Regards,
Varma

On 2/16/07, Bernd Bohmann <be...@atanion.com> wrote:
>
> Hello Varma,
>
> search for 'PhaseListener jsf security' with your search engine, please.
>
> Regards
>
> Bernd
>

Re: [Tobago] Security Filter

Posted by Bernd Bohmann <be...@atanion.com>.
Hello Varma,

search for 'PhaseListener jsf security' with your search engine, please.

Regards

Bernd
