Possible Duplicate:
JSF HTTP Session Login

I am using Primefaces to implement my web application. In my implementation the user can log in to the system; afterwards they can load the redirected pages again by copying that URL, without logging in again. How can I prevent this?

Here is my login logic:

public String doLogin() {
    // Hard-coded admin account: navigate to the admin table page.
    if (username != null && username.equals("admin")
            && password != null && password.equals("admin")) {
        msg = "table?faces-redirect=true";
    } else if (user_name.contains(username)
            && pass_word.contains(password)
            && !user_name.contains("admin")) {
        // Regular user found in the user_name / pass_word lists.
        msg = "table1?faces-redirect=true";
    }
    // msg stays null when neither check matches, so JSF stays on the login page.
    return msg;
}
user1705260

2 Answers

If the user session hasn't expired, then this is normal behavior for web applications. If the session has expired, then you must make sure there is a logged-in user and that it has the privileges to access the page he/she is requesting in the URL. You can achieve this using a Filter.

I'm assuming your web app is on a Java EE 6 container like Tomcat 7 or GlassFish 3.x:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

//servlet URL patterns are either "/path/*" or "*.ext"; "/*.xhtml" is not a valid pattern
@WebFilter(filterName = "MyFilter", urlPatterns = {"*.xhtml"})
public class MyFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(
        ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        //get the request page
        String requestPath = httpServletRequest.getRequestURI();
        if (!requestPath.contains("home.xhtml")) {
            boolean validate = false;
            //getting the session object (false: don't create one just to find out there is none)
            HttpSession session = httpServletRequest.getSession(false);
            //check if there is a user logged in your session
            //I'm assuming you save the user object in the session (not the managed bean).
            User user = (session == null) ? null : (User) session.getAttribute("LoggedUser");
            if (user != null) {
                //check if the user has rights to access the current page
                //you can omit this part if you only need to check if there is a valid user logged in
                ControlAccess controlAccess = new ControlAccess();
                if (controlAccess.checkUserRights(user, requestPath)) {
                    validate = true;
                    //you can add more logic here, like log the access or similar
                }
            }
            if (!validate) {
                HttpServletResponse httpServletResponse = (HttpServletResponse) response;
                httpServletResponse.sendRedirect(
                    httpServletRequest.getContextPath() + "/home.xhtml");
                //stop here: continuing the chain after a redirect would write to a committed response
                return;
            }
        }
        chain.doFilter(request, response);
    }
}

Some implementation for your ControlAccess class:

import java.util.List;

public class ControlAccess {

    public ControlAccess() {
    }

    //returns true when the requested path matches one of the URLs the user may access
    public boolean checkUserRights(User user, String path) {
        UserService userService = new UserService();
        //assuming there is a method to get the right access for the logged users.
        List<String> urlAccess = userService.getURLAccess(user);
        for (String url : urlAccess) {
            if (path.contains(url)) {
                return true;
            }
        }
        return false;
    }
}

While looking for a nice way to explain this, I found a better answer from BalusC (JSF expert). This is JSF 2 based:

Luiggi Mendoza
  • Thank you very much. But I'm not saving the user object in the session. How can I do this? – user1705260 Oct 01 '12 at 04:56
  • How do you control if a user has logged in/out in the application? – Luiggi Mendoza Oct 01 '12 at 05:05
  • There is no control at all of whether a user has logged in/out in the application, and I haven't any idea how to handle this. So can you please help me solve my issues with a good example and a good explanation. Thank you very much – user1705260 Oct 01 '12 at 05:22
  • The code posted here is pretty intuitive. I'll add more info to get you involved in these matters. In future projects, you **must** control which users access your application for security reasons. – Luiggi Mendoza Oct 01 '12 at 05:31
  • OK. Thank you Mr. Luiggi for your valuable comments. – user1705260 Oct 01 '12 at 05:35
  • @user1705260 check the last update of my answer. I really suggest you read it. – Luiggi Mendoza Oct 01 '12 at 05:41
  • I have already gone through this. But here I had some errors in private UserService. What is it? – user1705260 Oct 01 '12 at 05:53
  • UserService is an EJB that provides access to the database. This is based on constructing a layered application: presentation layer, business logic layer and data access (service) layer. Are you a software engineering student or similar? – Luiggi Mendoza Oct 01 '12 at 05:59
  • I'm a computer science student. OK. I have imported javax.ejb.EJB. But there is still an error with UserService. It says cannot find symbol. What is the reason? – user1705260 Oct 01 '12 at 06:08
  • That's because it is not a built-in class in an API. You should create it. As a side note, you must not copy/paste code from anywhere; you have to **adapt** the proposed solution to your specific case. If you don't need a class, just don't copy it. You have to learn based on these examples, not just by seeing the code. – Luiggi Mendoza Oct 01 '12 at 06:11
  • OK Mr. Luiggi. Can you please tell me how I create it? – user1705260 Oct 01 '12 at 06:21
  • Mr. Luiggi. Can you please help me. I really want to solve this matter. So please tell me what I should do. How do I build this EJB class in an API? Thank you very much again.. – user1705260 Oct 01 '12 at 07:04
  • You should use what you need. You're trying to copy/paste code without even thinking about whether it will be suited to your needs. If you want to learn what an EJB is, google it! Based on your comments, you need to learn the basics of JSF programming. There's lots of info in [our wiki](http://stackoverflow.com/tags/jsf/info). – Luiggi Mendoza Oct 01 '12 at 07:07
  • Mr. Luiggi. If you provide the complete code then I can understand what happened; otherwise parts of code are very difficult to understand. I'm not just copying and pasting. So please can you provide the complete code of some example regarding this. – user1705260 Oct 01 '12 at 09:24
  • @user1705260 I provided the basic code when I posted my answer the first time, but you asked for further info, so I posted the BalusC answer (which contains more info than my answer) and you started asking what a `UserService` or an `EJB` is. I provided you with more info in the wiki. What you first need to do is learn the concepts, how the [Java Web Filter](http://www.oracle.com/technetwork/java/filters-137243.html) works in a web application, and then apply it wisely in your app based on your needs. No one but you knows what code you specifically need to make this work. – Luiggi Mendoza Oct 01 '12 at 16:37
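The comments above ask how the user object gets into the session in the first place. Below is an added, self-contained version of the whole approach, written for this page and not taken from the question, the answer, or BalusC: a request-scoped login bean that stores the user in the HTTP session on success and invalidates it on logout, plus a filter that rejects requests to protected pages when no user is in the session. The class names LoginBean, AuthFilter and User, the page names home.xhtml (login page) and table.xhtml, the session key "LoggedUser", and the FacesServlet being mapped to *.xhtml are all assumptions. The filter also sends no-cache headers, so that after logout the browser's Back button does not show a cached copy of a protected page.

```java
// --- LoginBean.java ---
import java.io.Serializable;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

// Hypothetical user record kept in the HTTP session after a successful login.
class User implements Serializable {
    private final String name;
    User(String name) { this.name = name; }
    public String getName() { return name; }
}

@ManagedBean
@RequestScoped
public class LoginBean {
    public static final String SESSION_KEY = "LoggedUser"; // key the filter looks up
    private String username;
    private String password;

    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }

    public String doLogin() {
        // Constructed check using the hard-coded admin/admin from the question; a real
        // application looks the user up and compares a salted password hash instead.
        if ("admin".equals(username) && "admin".equals(password)) {
            ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
            // Discard the pre-login session so an id handed out before authentication
            // is never promoted to an authenticated one (session fixation defence).
            ec.invalidateSession();
            HttpSession session = (HttpSession) ec.getSession(true);
            session.setAttribute(SESSION_KEY, new User(username));
            return "table?faces-redirect=true";
        }
        return null; // no navigation: stay on the login page
    }

    public String doLogout() {
        // Dropping the session removes "LoggedUser", so the filter rejects old URLs.
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "home?faces-redirect=true";
    }
}

// --- AuthFilter.java ---
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(urlPatterns = "*.xhtml") // assumes FacesServlet is mapped to *.xhtml
public class AuthFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path relative to the context root, e.g. "/table.xhtml".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // The login page and JSF's own resource servlet (CSS/JS) stay public.
        boolean isPublic = path.equals("/home.xhtml")
                || path.startsWith("/javax.faces.resource/");
        // getSession(false): never create a session just to find out there is none.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
                && session.getAttribute(LoginBean.SESSION_KEY) != null;

        if (!isPublic && !loggedIn) {
            response.sendRedirect(request.getContextPath() + "/home.xhtml");
            return; // never continue the chain after committing a redirect
        }
        // Forbid caching of protected pages so the browser's Back button does not
        // show a page from before logout.
        if (!isPublic) {
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.setDateHeader("Expires", 0);
        }
        chain.doFilter(req, res);
    }
}
```

Wire `#{loginBean.doLogin}` and `#{loginBean.doLogout}` to the login and logout buttons on the pages. The two classes go in separate source files; they are shown together only so the session key shared by the bean and the filter is visible in one place.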
You can do form based authentication to protect your inner pages from being accessed by unauthenticated users.

You can also let the container handle the authentication for you using JDBC realm authentication as in this example

fareed