For ages I've been puzzled about why after login I sometimes don't directed to the application welcome page. I've finally figured it out (years after everyone else):
I login successfully via j_security_check and go to the welcome page
wait for session timeout
click on h:link which sends a GET request
because it's a GET and not a POST my custom ViewExpiredException
handler doesn't kick in
container security redirects to the login page because the session
has timed out. Because of the session timeout+container security the
get request (from h:link) isn't seen by the application, in either a phase listener
or filter.
I successfully login again
j_security_check redirects me to the page which triggered the
authentication, in this case the target of the GET request.
The last bit I'd not understood, I assumed it would always go to the welcome page.
My problem is that my current design requires that after login I always show the welcome page. The welcome page has a preRenderView event which sets up some context information in a session scoped bean after login and increments a few counters etc...
This context information is required by backing bean code for other pages, and presently if I don't go through the welcome page first there'll be an exception.
In terms of fixing it I've looked at the following options:
Ideally there'd be an #PostLogin method that could be called, which would cleanly solve all my problems. I use JSF (Mojarra) with Myfaces CODI but I don't see anything which does what I want.
I could add some more code to my filter, but I need to persist some data (i.e. login count), it doesn't look like a nice option. Maybe I'm wrong.
I make all the preRenderView methods of potential targets of j_security_check (pages called with GET) handle the case where they are called directly from j_seecurity_check. I can see this being what I have to do but it seems like a lot of hassle.
Write a Server Authentication Module for glassfish to override j_security_check behavior.
How is this normally handled? I've started hitting this problem after moving to GETs for simple navigation cases after years of abusing POSTs, and the custom exception handler doesn't work. If anyone has any guidance on this issue I'd appreciate it, at least I know what's going on now. Hopefully I've missed something obvious!
Thanks
O/S
Ideally there'd be an #PostLogin method that could be called, which would cleanly solve all my problems. I use JSF (Mojarra) with Myfaces CODI but I don't see anything which does what I want.
There is indeed no such thing.
I could add some more code to my filter, but I need to persist some data (i.e. login count), it doesn't look like a nice option. Maybe I'm wrong.
That would indeed be the "easiest" way. Basically:
UserPrincipal user = request.getUserPrincipal();
HttpSession session = request.getSession();
if (user != null && session.getAttribute("user") == null) {
session.setAttribute("user", user);
// First-time login. You can do your intercepting thing here.
response.sendRedirect(request.getContextPath() + "/welcome.xhtml");
}
I make all the preRenderView methods of potential targets of j_security_check (pages called with GET) handle the case where they are called directly from j_seecurity_check. I can see this being what I have to do but it seems like a lot of hassle.
That's not DRY.
Write a Server Authentication Module for glassfish to override j_security_check behavior.
Can't answer that as I've never done that.
Related
I have a basic question about JSF ManagedBeans for which I can't find a answer.
Suppose I have a bean MyBean with two methods method1 and method2 and a JSF page with a command link
<h:commandLink action="#{myBean.method1}">
</h:commandLink>
Is it possible for someone to analyse the source code of the page and call method2 instead of method1?
Answer
No, this is not possible by design.
Reasoning
Technically the client can only tell the server "The user clicked a html element with a certain id".
This event is then processed by JSF on the server-side, the component with the corresponding id is looked up and in this case the method "#{myBean.method1}" is executed.
As you can see, the client can not[!] tell the server what to do with this event.
Sources
JSF 2.2 Spec - 3.4 Event and Listener Model
Caveat
JSF is stateful and there are multiple ways to hold this state. The default is to hold state information server-side (e.g. in the users HttpSession).
Another option is to transfer (encrypted) state to and from the client. This is still conceptionally secure, but there *might* be bugs with client side state saving. Such a bug *could* be exploitable to do something like you described.
Yes, it is always possible to modify code (or markup-language) on the client-side. Your "action" will be called through some forms and/or Javascript-Methods - everything visible to experienced users.
But that's not an issue of JSF-2 only - this applies for every language which allows insights from the client side.
You shouldn't apply "security through obscurity" (https://en.wikipedia.org/wiki/Security_through_obscurity) but rather make sure, that you can handle this on the server-side.
If a user, who has access to two urls modifies url1 to url2 - that's fine, why not? (Could be bookmarked) - But YOU should take care of the modified request, if he is not allowed to access url2.
I'm pretty new to JSF and I ran into an interesting problem. I have a web application, with a session timeout specified and even if I make actions, the session expires. As far as I know, every new request restarts the timeout counter, well it is not happening. Also, during development I noticed, that after timeout (redirected to the login page), if I reload the page, the session is still valid. Same session Id, counter still going... I have no idea what is wrong, I am using Glassfish and PrimeFaces.
I googled a lot, even tried to catch the ViewExpiredException, but with no luck. The redirection is done using the
<meta http-equiv="refresh" content="#{session.maxInactiveInterval};url=login.jsf?reason=expired>
method. Maybe I am missing something obvious in the web.xml, I am out of ideas.
Please give me some advice on this, thank you very much!
The approach you are using is not the best fit for implementing session timeout, The reason is meta tag will refresh the page on a specific interval, and in your case it redirects to another url on refresh,
i.e., if value of session.maxInactiveInterval is 5, the page will be refreshed in 5 seconds and redirects to login.jsf?reason=expired, regardless of the actions you make. only page refresh will reset the counter.
Learn more about meta tags here
If you want to implement idle monitor, i suggest you to have a look at <p:idleMonitor> at Primefaces showcase - IdleMonitor
I know that this question seems to be answered by a lot of other threads, but I can't find a solution with JSF 2.0 with Glassfish 3.0.1 for logout an user.
I tried either with a BASIC authentication and FORM authentication using j_security_check as action.
But for the logout method I can't find any of them that works.
I tried using a servlet with session.invalidate(), i used a managed bean tring to invalide the session, but nothing happened. I also tried with j_security_logout without success.
Does someone know what I can do for logout an user?
Calling session.invalidate() should work.
Your problem is probably that you used the browser back button to view a restricted page to test if logout really succeeded, but that page was actually served from the browser cache instead of straight from the webserver over a real HTTP connection.
In that case, you need to instruct the webbrowser to not cache the restricted pages. This way the browser will always request the page straight from the webserver. You can do this with help of a Filter. You can find an example in this question: Prevent user from seeing previously visited secured page after logout
What's best way to implement login page in JSF 1.2? If session is timeout, use will be redirected to login in page. i found 2 ways to do it on internet.
use PhaseListener ->
http://www.jsfcentral.com/listings/A92000?link
use filter ->
What is the correct way to implement login with redirect using JSF 2.0?.
also i want user go through an agreement page right after login page. user need to click on "agree" button to continue to use the system.
can anyone tell me which option is better or if there is a better way to implement this.
thank you,
What's best way to implement login page in JSF 1.2?
Just use a JSP/Facelet page with a <h:form> and appropriate input elements and a backing bean which puts the user in an injected session scoped bean.
If session is timeout, use will be redirected to login in page. i found 2 ways to do it on internet.
Definitely use a Filter. A PhaseListener has too much overhead for this simple use case. You're not interested in filtering/modifying the JSF lifecycle, but just on filtering/modifying HTTP requests.
also i want user go through an agreement page right after login page. user need to click on "agree" button to continue to use the system.
Well, then just develop such a page? If you stucks, press Ask Question on the right top with the actual problem described in detail.
Filter is always better is meant for this, and more suitable also.
Now for your requirement ,
On successful Login
- Add managedBean holding user info to session
On acceptance of terms
- update this bean's field
and check for both the condition for rest of the pages.
no check on login page
check of bean for term page
In JSF2 it can be done using System events. In your template page put
< f:event type="preRenderView" listener="#{loginBean.checkLogin}"/>
and in loginBean ( make it session scoped ) you can do like this
public void checkLogin(ComponentSystemEvent event) {
// loggedIn is a boolean variable when sucessfully logged in make it true and at logout make it false.
if (!loggedIn) {
FacesContext context = FacesContext.getCurrentInstance();
ConfigurableNavigationHandler handler = (ConfigurableNavigationHandler)
context.getApplication().getNavigationHandler();
handler.performNavigation("login");
}
}
Once the user successful login to the system, the system will redirect the user to the homepage. Now my problem is, if the user clicks on the view account page without login to the system the system will redirect user to the login page. if user login to the system now the system will redirect the user to the homepage, in this case any method can redirect user to the previous page that is view account page instead of homepage?
i tried using session
String url = (String)session.getAttribute("url");
if(url != null)
response.sendRedirect(url);
else
response.sendRedirect("homepage.faces");
i put this code under public void doBtnAction(){} if the user login successful then redirect to the url. But i got this error
java.lang.IllegalStateException: Cannot forward after response has been committed
com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:322)
com.sun.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:130)
com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:87)
com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:117)
javax.faces.webapp.FacesServlet.service(FacesServlet.java:198)
This exception is caused because you called response.sendRedirect() and didn't block JSF from rendering the normal response. You need to inform JSF that it doesn't need to handle normal response by adding
FacesContext.getCurrentInstance().responseComplete();
to the action method.
Or, even better, just don't get the HttpServletResponse from under the JSF's hoods, but instead do:
FacesContext.getCurrentInstance().getExternalContext().redirect(url);
This will automatically invoke responseComplete() and it also keeps your code clean from unnecessary Servlet API stuff. Also see the ExternalContext API.
Not sure, but try doing this through ExternalContext facilities:
Something like this:
ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
externalContext.redirect(externalContext.encodeResourceURL(externalContext.getRequestContextPath()+getUrl()));
You haven't described any framework facilities you use for authentication so I assume that you perform authentication in own code. Probably, the simplest approach would be to save initial destination in session before redirecting to the login page, and then after successful login you can check this attribute and redirect to right place.
I particular for JSF you can do this in action method that processes login.
Actually, I'd suggest to use some framework for authentication, for example Spring Security, because it does such things out of box, and it will be much easier to extend your security system in case you need some additional features, though it needs some additional configuration
Logic described (login-redirect) should be implemented through Filter mechanics. Also you can try standard jsf navigation rules(if it can fit you case). And if you still want to send redirect to a custom url and don't want to use Filters, do it in your servlet in render phase, not in your jsf bean.
java.lang.IllegalStateException: Cannot forward after response has been committed
The exception is fairly clear:
The response has been committed.
You cannot forward after the response has been committed.
What doesn't make sense?
You're too late and that is giving you the exception. Do it in a phaselistener before the render response phase.
Placing the below syntax in web.xml should work:
<context-param>
<param-name>com.sun.faces.writeStateAtFormEnd</param-name>
<param-value>false</param-value>
</context-param>