Prevent direct access to some page in JSF - jsf

I want to restrict direct access to certain page in my application. Those pages can only be accessible if the user is redirected to those pages by the application.
All the redirections are done via ExternalContext#redirect(url) method.
User can use back and forward button, also can refresh the page by pressing F5 or via browser's refresh button. What I want is user cannot save, or bookmark URLs of some page, also cannot copy those redistricted URL and paste and go via address bar of the browser.
Followings are the cases:
Say, I have Page-A and Page-B.
Redirection is done to Page-B from Page-A.
User can go back to Page-A and can come again to Page-B by using browser's back and forward button.
User can refresh Page-B and he/she will stay in Page-B.
User CANNOT copy the URL of Page-B and access it later time (in new tab or by bookmarking).
Is it feasible? Any pointer would be very helpful to me.

I don't think you can do all that from JSF.
Your obvious alternative is to use Javascript.
I never herd a concept of disabling Bookmark option in Browser using Javascript. However you can always disable the address field if you open the page in new Window.

You can solve it with
JSF Navigation Handler - set a session attribute from some previous page and expire the value after some time with a timer. From the Handler impl check the value of the attribute and restrict access e.g. redirect to some other page in case the value is not present.
You can achieve similar behaviour with web frameworks. Enforcing controlled navigation is a basic feature in most WEB FXs e.g. JBoss Seam conversations or Spring Web Flow controlled navigation implementations.

Related

How does Blazor hijack the Browser-Back button?

Blazor-Server apps use the SignalR circuit.
I can somewhat understand how there is JS that change events happening from the DOM, so instead of sending a new HTTP GET request the framework manipulates the DOM and displays the new blazor page.
But how is it even possible that the circuit is still active and working on page back button? This is a BROWSER FEATURE, not some html element, which can be changed, right? Would it not be a security issue if the browser back button behavior can be manipulated in different ways?
Not firing a new HTTP GET request on page back seems pretty hacky. Wouldn't that allow for malicious websites to do the same? Can websites access the last page visited with that??
How does the browser "know" that the last page should also use the same websocket circuit?
Is it then possible to tell the browser that it should establish a websocket on a past page, that didn't even have any before (would seem like a security risk)?
How does the back button differ from hitting "enter" in the address bar (which will always cut and establish a new circuit)?
Is the back button exactly the same as calling JS history.back() ?

Browser back button is not working in Blazor web-server

I want to go previous page when the user clicks on the browser back button. When I navigate another page, I can not go to the last page by using the browser back button. So, can anyone help me find a solution to this problem?
Ensure that every state that you want to show up in next/back is differentiated by a route change navigated to by NavigationManager.
If you make a page /somePage and you let the user step through several choices, and then the user navigates (using the URL bar) then hits the back button on the browser, they will go back to /somePage and not back to the choices they made.
If you make a page /somePage and each time the user makes a choice they are navigated to a new page using NavigationManager, for example /somePage/someSelection, then when they hit back they will go back to /somePage/someSelection. This requires you to load data on subpage choices on init based on optional page route parameters, but the tradeoff is having browser navigations that are part of next/back.

Serverside Xpages application update causes my browser page partial refresh actions stop working - how to detect it?

Any Xpages application update in design causes the application refresh which removes scope variables, session etc. When this occures and there is a page opened in users browser with some partial refresh action buttons ... such buttons simply do nothing when clicked which is quite confusing. No message that's warning the user that the page is stale or something. Is there a way how to detect such situation in general so I can inform user in browser with some dialog that he should reload the entire page?
For all scope variables above request (which gets initialized when you send a request and is always shiny and new) you never can take their existence for granted. Best example: user leaves a form open, locks the PC, goes for lunch, lets the session expire (which also deletes the view scope). (S)he comes back, opens a new tab and logs in - so there is a valid (new) session, hits submit in the first tab -> bum all your code fails.
This is the same scenario as an updated design short of the scenario Panu was pointing to.
So in your code check for the existence of your scoped variables and force a full refresh. Or (I like that better) add an error to the page so that gets displayed with an appropriate action.

Google Chrome Extension - prevent cookie on jquery ajax request or Use a chome.extension

I have a great working chrome extension now.
It basically loops over a list of HTML of a web auction site, if a user has not paid for to have the image shown in the main list. A default image is shown.
My plugin use a jQuery Ajax request to load the auction page and find the main image to display as a thumbnail for any missing images. WORKS GREAT.
The plugin finds the correct image url and update the HTML Dom to the new image and sets a new width.
The issue is, that the auction site tracks all pages views and saves it to a "recently viewed" section of the site "users can see any auctions they have clicked on"
ISSUE
- My plugin uses ajax and the cookies are sent via the jQuery ajax request. I am pretty sure I cannot modify the cookies in this request so the auction site tracks the request and for any listing that has a missing image this listing is now shown in my "recently viewed" even though I have not actually navigated to it.
Can I remove cookies for ajax request (I dont think I can)
Can chrome remove the cookie (only for the ajax requests)
Could I get chrome to make the request (eg curl, with no cookie?)
Just for the curious.
Here is a page with missing images on this auction site
http://www.trademe.co.nz/Browse/SearchResults.aspx?searchType=all&searchString=toaster&type=Search&generalSearch_keypresses=9&generalSearch_suggested=0
Thanks for any input, John.
You can use the webRequest API to intercept and modify requests (including blanking headers). It cannot be used to modify requests which are created within the context of a Chrome extension though. If you want to use this API for cookie-blanking purposes, you have to load the page in a non-extension context. Either by creating a new tab, or use an off-screen tab (using the experimental offscreenTabs API.
Another option is to use the chrome.cookie API, and bind a onChanged event. Then, you can intercept cookie modifications, and revert the changes using chrome.cookies.set.
The last option is to create a new window+tab in Incognito mode. This method is not reliable, and should not be used:
The user can disallow access to the Incognito mode
The user could have navigated to the page in incognito mode, causing cookie fields to be populated.
It's disruptive: A new window is created.
Presumably this AJAX interaction is being run from a content script? Could you run it from the background page instead and pass the data to the content script? I belive the background page operates in a different context and shouldn't send the normal cookies.

Custom Terms of Use Page before login to SharePoint

I am using MOSS with ADS. I want to display Terms of Use page before the user can login into SharePoint with two button i.e. "Accept","Decline". If user select "Accept" he will be directed to sharepoint site, if not to our companies intranet front page. This will be applicable for the current session. ie. If the user has signed off, then it should prompt the terms of use again when user hits the MOSS site but once accepted user should not get this page again until he/she signs off.
Please advise.
Thank you
You can follow one of the Approach below based on your requirement & Flexibility.
If you have AD Configured with the FBA, Make a copy of Login.aspx and save it as MyLogin.aspx & Edit the Login Control and insert your Terms & Conditions there,keep in a check box AND enable the login button only if I agree is checked.
Next is to have a control that is deployed to the Master Page, this control will not have a UI but it will check in the session to see if the user has agreed the Terms and condition if yes it will redirect to the welcome page or the page user has requested else will navigate him to the Terms page until accepts.On Accept flag that information in session.
If you are using SharePoint 2010 you could use the Dialog framework to show a popup & get this done.
You could create a custom page in /_layouts which has your terms and conditions, along with the buttons for accept/decline.
Hitting the accept button will create a cookie for keeping track of whether or not the user has accepted the conditions for the current session.
Then, you could create a HttpModule which intercepts all requests to the SharePoint site. If the cookie is present, do nothing (ie let the user access the requested page), otherwise redirect the browser to the custom accept/decline page.
You should be able to do this fairly easily. If you dont care about them accepting or denying it, then just use this redirect module http://httpcode.s3.amazonaws.com/httpcode.Redirect.wsp to redirect them once to the page. You can tell this module to do it once. If you need to verify that they accept/decline, you will need to add all the people to a new group, and then on accepting, remove them from that group. That way they will always be directed to the new page.
Hope this helps

Resources