Block logged in users from viewing page but allow anonymous users - jsf

Using Java-EE 6, JSF2, Glassfish 3.1.
What is the best method to redirect a user away from certain pages, such as the 'log in' page when they're already logged in?
I was going to use the following in each of the pages I did not want logged-in users to access:
<f:metadata>
<f:event type="preRenderView" listener="#{aBean.checkIfLoggedInAndRedirect()}" />
</f:metadata>
Is there a more elegant method?
Something like a security constraint for anonymous users so that no other roles (i.e. logged in users) can view these pages.

With no other better suggestions, I have used the following on each page I don't want a logged-in user to see. Not the most solid implementation (as the page is still there).
<c:if test="#{request.remoteUser != null}">
<meta http-equiv="refresh" content="0; url=/home" />
</c:if>
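The meta-refresh approach above still sends the whole page to the browser and relies on the client to navigate away. As an added example (not code from the question or its self-answer), the same `request.remoteUser` check can be done in a servlet filter that answers with a 302 before any Facelets view is rendered, so the login form never leaves the server for an authenticated user. The page names (/login.xhtml, /register.xhtml, /home.xhtml) are assumptions, and like the self-answer it assumes container-managed authentication, so `getRemoteUser()` is non-null once the user is logged in.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the question): sends already-authenticated users
 * away from anonymous-only pages before any Facelets view is rendered.
 * Servlet 3.0 annotation mapping, so no web.xml entry is needed (Glassfish 3.1).
 */
@WebFilter(urlPatterns = {"/login.xhtml", "/register.xhtml"})  // assumed anonymous-only pages
public class AnonymousOnlyFilter implements Filter {

    static final String HOME = "/home.xhtml";  // assumed landing page for logged-in users

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isLoggedIn(request)) {
            // Redirect (302) instead of rendering: the anonymous-only page body
            // is never written to the response for an authenticated caller.
            response.sendRedirect(request.getContextPath() + HOME);
            return;
        }
        // Anonymous caller: let the FacesServlet render the page as usual.
        chain.doFilter(req, res);
    }

    /** Same test as #{request.remoteUser != null} in the self-answer, on the server side. */
    static boolean isLoggedIn(HttpServletRequest request) {
        return request.getRemoteUser() != null;
    }

    @Override
    public void destroy() { }
}
```

Because the filter runs before the FacesServlet, it also covers POST-backs to the login form and direct requests that bypass the `<c:if>` in the view; the check lives in one class instead of being repeated in every page.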

Related

In my JSF 2.2 web app while user is logged in via BASIC Auth sites with iframe content are not shown (they are empty)

My JSF 2.2 web app has some sites that use BASIC auth. As long as the user is NOT logged in, all sites with iframes (external content on another server) work fine ("local" sites too).
On user login the iframe sites do NOT work anymore (shown empty); all the "local" sites with and without BASIC auth are still fine.
Remarks:
- The sites with iframes are not part of the BASIC Auth scope, meaning they are accessible without login.
- The JSF web app is running on WildFly 10.1.0; the content of the iframes is hosted on a Tomcat.
QUESTIONS:
- Why do the iframe sites not work anymore after user login?
- How can I prevent this?
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:p="http://primefaces.org/ui" template="/WEB-INF/template.xhtml">
<ui:define name="implementation">
<h:form>
<iframe src="http://myTomcatServer:8080/myContent/erkennungsquote.htm"
width="100%"
height="1000"
frameborder="0"/>
</h:form>
</ui:define>
</ui:composition>

How to run welcome page from the <welcome-file-list>? [duplicate]

After these questions:
https://stackoverflow.com/questions/8589315/jsf2-dynamic-template
Dynamic ui:include
How can I retrieve an object on #WindowScoped?
How can I check if an object stored with #WindowScoped is stored correctly?
ICE Faces and error in creation of a bean in WindowScoped
which I all wrote to resolve a "stupid" issue with the JSF2 framework: the fact that I can't link directly to a page stored in a /WEB-INF subfolder. After I did some research on Google and Stack Overflow, I would like to know one thing: how do I structure a JSF2 web project?
In particular, where exactly do I put the XHTML pages?
Files in the /WEB-INF folder are indeed not publicly accessible by the end user. So you cannot have something like http://localhost:8080/contextname/WEB-INF/some.xhtml. That would be a potential security hole, as the end user would be able to view, among others, /WEB-INF/web.xml and so on.
You can however use the /WEB-INF folder to put master template files, include files and tag files in. For example, the following template client page.xhtml, which is placed outside /WEB-INF and is accessible by http://localhost:8080/contextname/page.xhtml:
<ui:composition template="/WEB-INF/templates/template.xhtml"
xmlns="http://www.w3.org/1999/xhtml"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:ui="http://java.sun.com/jsf/facelets"
>
<ui:define name="content">
...
<ui:include src="/WEB-INF/includes/include.xhtml" />
...
</ui:define>
</ui:composition>
The advantage of placing master templates and include files in /WEB-INF is that the end user won't be able to open them directly by entering/guessing their URL in the browser address bar. The normal pages and template clients which are intended to be accessed directly must not be placed in the /WEB-INF folder.
By the way, the composite component files are in turn also not supposed to be publicly accessible; however, they are by specification required to be placed in the /resources folder, which is by default publicly accessible. If you make sure that you access all resources using the components provided for that purpose, so that they are never accessed by /resources in the URL (but instead by /javax.faces.resource), then you can add the following constraint to web.xml to block all public access to the /resources folder:
<security-constraint>
<display-name>Restrict direct access to the /resources folder.</display-name>
<web-resource-collection>
<web-resource-name>The /resources folder.</web-resource-name>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>

Logout link in JSF page

I created a JSF login page which is used for client authentication. I created a filter which destroys the user session when the user opens the page logout.html. I want to create a simple HTTP link which, when clicked, redirects the user to the logout.html page. What JSF tag can you recommend for page redirection?
Just use <h:outputLink>.
<h:outputLink value="logout.html">Logout</h:outputLink>
Do you know that you can even use plain HTML in JSF?
<a href="logout.html">Logout</a>

Publish action on Facebook and security

I am creating an application that will allow people to publish content on our website and have it simultaneously appear in their Facebook timeline. From my understanding of the OpenGraph API, I need to create a publicly available page with metadata that Facebook can access in order for the publish action to work. For example:
<head>
<meta property="fb:app_id" content="" />
<meta property="og:type" content="" />
<meta property="og:title" content="" />
<meta property="og:image" content="" />
<meta property="og:url" content="" />
<meta property="og:description" content="" />
</head>
My concern is that if this page is available to Facebook, then people who are not logged into our website will be able to see this content as well. Is this a common security concern? What best practices are recommended to make your users' content secure from unauthorized users?
It depends on what you want to share.
If you just want to share text or a photo that you've uploaded to a user's album, you can create a post or photo using the Graph API.
Otherwise, you need to restrict the visibility of shared pages with rules on your server. The shared page needs to be visible to the Facebook scraper (See this SO post for details), but require authentication for other users and search engines.
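One way to express the "rules on your server" from the answer, as an added example that is not part of the question or the answer: one URL per shared post serves as both `og:url` and the link friends click, and the server decides by authentication state what that URL renders. Anonymous requests (the Facebook scraper included) get a preview view carrying only the Open Graph metadata; the post body is rendered only for a logged-in user. The path layout (/posts/<id>), the view names and the numeric id format are assumptions, as is a FacesServlet mapping for *.xhtml and container-managed authentication.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the question or answer). Anonymous requests for a
 * shared post are forwarded to a metadata-only preview view; authenticated users
 * get the full content. The scraper is never identified by User-Agent: that header
 * is under the caller's control, so the preview must only ever contain data that
 * is acceptable to make public (title, image, description, canonical URL).
 */
@WebFilter(urlPatterns = "/posts/*")   // assumed: shared content is addressed as /posts/<id>
public class SharedContentFilter implements Filter {

    static final String PREVIEW_VIEW = "/share-preview.xhtml";  // assumed: renders og:* tags only
    static final String FULL_VIEW = "/post.xhtml";              // assumed: renders the post body

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String postId = postIdFrom(request.getRequestURI(), request.getContextPath());
        if (postId == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Authentication state is the only input to the decision.
        String view = request.getRemoteUser() == null ? PREVIEW_VIEW : FULL_VIEW;
        // Forward stays inside the container; the filter is not re-entered because
        // @WebFilter defaults to the REQUEST dispatcher type only.
        request.getRequestDispatcher(view + "?id=" + postId).forward(req, res);
    }

    /** Extracts the id from /<context>/posts/<id>; returns null for any other shape. */
    static String postIdFrom(String requestUri, String contextPath) {
        String prefix = contextPath + "/posts/";
        if (!requestUri.startsWith(prefix)) {
            return null;
        }
        String id = requestUri.substring(prefix.length());
        // Only a plain numeric id is accepted, so nothing else reaches the query string.
        return id.matches("[0-9]+") ? id : null;
    }

    @Override
    public void destroy() { }
}
```

The preview view is the page the scraper caches and the one search engines will index, so the `og:description` it emits should be written with that in mind; the private part of a post is simply never present in an anonymous response, which removes the need to trust any scraper identification.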

clear history after logout and redirect back to login up on clicking back button in browser just like gmail, facebook

Hi friends, I developed a web application; when the user logs out I am clearing the session and redirecting to the logout page. The problem is that when the user clicks the back button of the browser it shows the previous page content; I want to redirect the user to the login page after he clicks the back button of the browser.
I tried no-cache, no-store, expires=0, all the methods, included in JSP and also set through action methods, but it is not working.
When I googled it I found that the content it is showing is history; in some articles they say to redirect through HTTPS instead of HTTP and it will overlook all that, so can anybody give a suggestion? I need it desperately. Also I wonder how these Gmail, Facebook fellows have overcome that one.
I am open to suggestions; please tell me exactly how to overcome that one, because my application performs some credit card transactions.
Can you use JavaScript to control the redirecting? If so, you could use:
window.location.replace("/path/to/page");
to replace the confirmation page with the log out page in the browser history. If the user clicks the back button, they are redirected to the page before the confirmation page.
Add this into the head. What is happening is that the browser is storing the page in its cache; it is not actually reloading the page.
This code tells the browser not to cache the page (and therefore to request the page again, triggering your redirect code):
<meta http-equiv="cache-control" content="no-cache"> <!-- tells browser not to cache -->
<meta http-equiv="expires" content="0"> <!-- says that the cache expires 'now' -->
<meta http-equiv="pragma" content="no-cache"> <!-- says not to use cached stuff, if there is any -->
