Using an authorization filter in a JSF project for user authentication

I have built login/logout functions into my application, but the filter probably does not work, since I can still see pages after logging out when I type their addresses into the browser's address bar. Here is my login step:

    this.currentUser = new User(); // initialise currentUser
    FacesContext facesContext = FacesContext.getCurrentInstance();
    facesContext.getApplication()
        .createValueBinding("#{" + Constants.VISIT_KEY_SCOPE + Constants.VISIT_KEY + "}")
        .setValue(facesContext, currentUser);
    FacesUtils.putIntoSession(Constants.VISIT_KEY, currentUser);

Logout action:

    FacesContext facesContext = FacesContext.getCurrentInstance();
    HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false);
    session.removeAttribute(Constants.VISIT_KEY_SCOPE + Constants.VISIT_KEY);
    if (session != null) {
        session.invalidate();
    }

Constants class:

    public class Constants {
        // Backing bean keys
        public final static String VISIT_KEY_SCOPE = "sessionScope.";
        public final static String VISIT_KEY = "currentUser";

        // Model object keys
        public final static String PROJECT_COORDINATOR_SCOPE = "applicationScope.";
        public final static String ORIGINAL_VIEW_SCOPE = "sessionScope";
        public final static String ORIGINAL_VIEW_KEY = "originalTreeId";
    }

web.xml:

    <filter>
        <filter-name>AuthorizationFilter</filter-name>
        <filter-class>org.AuthorizationFilter.AuthorizationFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>AuthorizationFilter</filter-name>
        <url-pattern>/faces/pages/*</url-pattern>
    </filter-mapping>

and finally, the authorization filter is as follows:

    public class AuthorizationFilter implements Filter {

        FilterConfig config = null;
        ServletContext servletContext = null;

        public AuthorizationFilter() {
        }

        public void init(FilterConfig filterConfig) throws ServletException {
            config = filterConfig;
            servletContext = config.getServletContext();
        }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            HttpSession session = httpRequest.getSession();
            User currentUser = (User) session.getAttribute("currentUser");

            if (session == null || currentUser == null || currentUser.getUserName() == null) {
                // Not logged in: remember the requested view and send the user to the login page.
                session.setAttribute(Constants.ORIGINAL_VIEW_KEY, httpRequest.getPathInfo());
                httpResponse.sendRedirect(httpRequest.getContextPath() + "/faces/pages/login.jsp");
            } else {
                // Logged in: clear the remembered view and let the request through.
                session.removeAttribute(Constants.ORIGINAL_VIEW_KEY);
                chain.doFilter(request, response);
            }
        }

        public void destroy() {
        }
    }

Thanks for your patience and help.

1 answer

You need to tell the browser not to cache restricted pages for which you need to check whether the user is logged in. Otherwise, the browser will simply display the page from its cache and therefore will never call your filter. You can do this by adding the following lines to the else block in your filter, before calling FilterChain#doFilter():

    httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    httpResponse.setDateHeader("Expires", 0); // Proxies.

Unrelated to the specific problem, there are some flaws in your code:

  • session.removeAttribute() in your logout action will probably throw a NullPointerException because you passed false to getSession(). This line is superfluous anyway when you are going to call session.invalidate(). Just delete it.

  • request.getSession() in your filter never returns null because you are not passing it false. So the session == null check is superfluous, or you have to pass false.

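Putting the answer's two points together, here is a rewritten filter as an added example (my code, not the asker's or the answerer's). It sets the no-cache headers on every response under the protected path rather than only in the else branch, uses getSession(false) so the null check is meaningful, and lets the login page itself through, because with the question's web.xml mapping (/faces/pages/*) the login page sits inside the filtered path and an anonymous request to it would otherwise be redirected to itself. The User and Constants classes are the ones from the question; the LOGIN_PAGE path is assumed to match the question's redirect target.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical rewrite of the question's filter; User and Constants are the question's classes.
public class AuthorizationFilter implements Filter {

    // Assumed: the login page lives under the filtered path, as in the question's web.xml.
    private static final String LOGIN_PAGE = "/faces/pages/login.jsp";

    public void init(FilterConfig filterConfig) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Forbid caching of everything under the protected path, so that after logout
        // (or on the Back button) the browser must come back through this filter.
        httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
        httpResponse.setHeader("Pragma", "no-cache");                                   // HTTP 1.0
        httpResponse.setDateHeader("Expires", 0);                                       // proxies

        // The login page is inside the filtered path: let it through or the redirect below loops.
        if (httpRequest.getRequestURI().equals(httpRequest.getContextPath() + LOGIN_PAGE)) {
            chain.doFilter(request, response);
            return;
        }

        // false: do not create a session for an anonymous request just to inspect it.
        HttpSession session = httpRequest.getSession(false);
        User currentUser = (session == null) ? null : (User) session.getAttribute(Constants.VISIT_KEY);

        if (currentUser == null || currentUser.getUserName() == null) {
            // Remember the requested view so the login action can return there afterwards.
            httpRequest.getSession(true).setAttribute(Constants.ORIGINAL_VIEW_KEY, httpRequest.getRequestURI());
            httpResponse.sendRedirect(httpRequest.getContextPath() + LOGIN_PAGE);
            return;
        }

        session.removeAttribute(Constants.ORIGINAL_VIEW_KEY);
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```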

Source: https://habr.com/ru/post/1394982/
