Redirecting to Login page if User not Logs in in JSF

Question

I am developing a JSF application. That is intended for Authourised users only.

So whenever some one trying to access any pages through URL it should redirect to Login .

I am using XHTML as front end. And using JSF framework.

And i am storing Login Bean in Session scope.

And unfortunately I have used Servlets and static pages "response.sendRedirect()".

Thanks in advance.

I think one solution is putting all pages inside WEB-INF but one problem is I am using resonse.sendRedirect() and also I am using Templates with facelets.

Please suggest me.

---

My Login page in folder

"/Common/Login.xhtml" and some pages in

"/Admin/*.xhtml"

and some pages in

`"Employee/*.ahtml"` 

how to set Filter for these 2 folders Admin and Employee

I gave like this but request not enering into Filter Servlet

<filter-mapping>    
     <filter-name>LoginFilter</filter-name>   
      <url-pattern>/faces/Admin/*</url-pattern>    
     <url-pattern>/faces/Employee/*</url-pattern>           
<dispatcher>REQUEST</dispatcher>
       <dispatcher>FORWARD</dispatcher>  
   </filter-mapping>` 

if I give like this

 <url-pattern>/*</url-pattern>

its going into Infinite loop please give your solution for this prob

Answer 1

I solved this problem. My Filter Mapping

  <filter-mapping>
    <filter-name>LoginFilter</filter-name>
    <url-pattern>/*</url-pattern>

    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

and my Filter class

 public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain)
        throws IOException, ServletException {
    System.out.println("Entered intop Login Filter");
    HttpServletRequest req = (HttpServletRequest) request;
    LoginBean login = (LoginBean) req.getSession().getAttribute("login");
    String path = req.getRequestURI().substring(req.getContextPath().length());
    System.out.println("path:" + path);

    if (path.contains("/Admin/") || path.contains("/Employee/")) {
        if (login != null) {
            if (login.getUsername() != null && !login.getUsername().equals("")) {
                chain.doFilter(request, response);
            } else {
                HttpServletResponse res = (HttpServletResponse) response;
                res.sendRedirect("/EMS2/faces/Html/Common/Login.xhtml");
            }
        } else {
            HttpServletResponse res = (HttpServletResponse) response;
            res.sendRedirect("/EMS2/faces/Html/Common/Login.xhtml");
        }


    } else {
        chain.doFilter(request, response);
    }
}

Answer 2

The way I decided to handle this same problem is to use JSF2 integrated with Spring and Spring Security 3. A good tutorial and example project can be found here how to do this appropriately.

http://technology-for-human.blogspot.com/2010/12/jsf-2-with-spring-3-basics-part-1-of-2.html

If you do not wish to integrate Spring into your project then the best way I can think to do this would be to implement a servlet filter that will authorize or deny an HTTP request before it gets to the FacesServlet.

  <filter>
    <filter-name>securityFilter</filter-name>
    <filter-class>org.company.filters.SecurityFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>securityFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>

Any SessionScoped beans that exist can be found as attributes of the HttpSession, so you will be able to retrieve the logged in user from the SessionScoped managed bean in this manner.

Authorization should be simple at this point. If the logged in user should not be viewing this page then redirect the user to an unauthorized page.