What's best way to implement login page in JSF 1.2? If session is timeout, use will be redirected to login in page. i found 2 ways to do it on internet.
use PhaseListener ->
http://www.jsfcentral.com/listings/A92000?link
use filter ->
What is the correct way to implement login with redirect using JSF 2.0?.
also i want user go through an agreement page right after login page. user need to click on "agree" button to continue to use the system.
can anyone tell me which option is better or if there is a better way to implement this.
thank you,
What's best way to implement login page in JSF 1.2?
Just use a JSP/Facelet page with a <h:form> and appropriate input elements and a backing bean which puts the user in an injected session scoped bean.
If session is timeout, use will be redirected to login in page. i found 2 ways to do it on internet.
Definitely use a Filter. A PhaseListener has too much overhead for this simple use case. You're not interested in filtering/modifying the JSF lifecycle, but just on filtering/modifying HTTP requests.
also i want user go through an agreement page right after login page. user need to click on "agree" button to continue to use the system.
Well, then just develop such a page? If you stucks, press Ask Question on the right top with the actual problem described in detail.
Filter is always better is meant for this, and more suitable also.
Now for your requirement ,
On successful Login
- Add managedBean holding user info to session
On acceptance of terms
- update this bean's field
and check for both the condition for rest of the pages.
no check on login page
check of bean for term page
In JSF2 it can be done using System events. In your template page put
< f:event type="preRenderView" listener="#{loginBean.checkLogin}"/>
and in loginBean ( make it session scoped ) you can do like this
public void checkLogin(ComponentSystemEvent event) {
// loggedIn is a boolean variable when sucessfully logged in make it true and at logout make it false.
if (!loggedIn) {
FacesContext context = FacesContext.getCurrentInstance();
ConfigurableNavigationHandler handler = (ConfigurableNavigationHandler)
context.getApplication().getNavigationHandler();
handler.performNavigation("login");
}
}
Related
I have a #ManagedBean #SessionScoped class to represent a user session. Assume it has a theoretical method doHorribleThings(). Access to methods of this bean through JSF can, for example, be enabled through Expression Language attributes such as action="#{userSession.doHorribleThings()}" on a Prime Faces p:commandButton.
My question is, does JSF manage access security for such method? Can a user issue performing the action of a button that is not being rendered for him, e.g. by sending an artificial HTTP package? Or does JSF capsulate a virtual client desktop that stretches accross the network, effectively enabling access control through GUI design?
No, JSF doesn't have an access security for invoking a method in a managedbean other than the UI, as far as I know.
Because if your able to mimic an action that happens through the click of a JSP/Primefaces button with a manual HTTP request then JSF container cannot identify the difference between the two and hence work the same way for both the request
In my JSF project I have a multi page wizard. I am using a #ConversationScoped CDI bean for that wizard. The conversation works well. When user comes to the first page of the wizard, new conversation begins. When user clicks a submit button in any page, the conversation ends. But i have several questions.
What happens if, at the middle of the wizard, the user entered a url in address bar and navigated to another page without clicking a submit button, do I still have a way to end the conversation?
Should I bother about this situation or can accumulating such non-ended conversations become a overhead for my application?
Most applications ends up with some kind of system that tracks where the user is currently at. This is supposed to be helped by #FlowScoped in JSF 2.2. If you can use that instead then everything should be managed for you. It should be really easy to find examples.
If you can't use FlowScoped and want to stay on #ConversationScoped you must implement your own system for tracking where the user is at. When the user is no longer in your flow you end the conversation.
#Inject Conversation conversation;
// conversation.end();
Here is a useful part for implementing this: How to cleanly end a CDI #ConversationScoped
However I would go for http://deltaspike.apache.org/core.html and use: To get the conversation.
MyBean myBean = BeanProvider.getContextualReference(MyBean.class, false);
Personally I would do an extension to the type safe navigation in Deltaspikes JSF module to achieve the same thing if I could not use FlowScoped.
Good luck
For ages I've been puzzled about why after login I sometimes don't directed to the application welcome page. I've finally figured it out (years after everyone else):
I login successfully via j_security_check and go to the welcome page
wait for session timeout
click on h:link which sends a GET request
because it's a GET and not a POST my custom ViewExpiredException
handler doesn't kick in
container security redirects to the login page because the session
has timed out. Because of the session timeout+container security the
get request (from h:link) isn't seen by the application, in either a phase listener
or filter.
I successfully login again
j_security_check redirects me to the page which triggered the
authentication, in this case the target of the GET request.
The last bit I'd not understood, I assumed it would always go to the welcome page.
My problem is that my current design requires that after login I always show the welcome page. The welcome page has a preRenderView event which sets up some context information in a session scoped bean after login and increments a few counters etc...
This context information is required by backing bean code for other pages, and presently if I don't go through the welcome page first there'll be an exception.
In terms of fixing it I've looked at the following options:
Ideally there'd be an #PostLogin method that could be called, which would cleanly solve all my problems. I use JSF (Mojarra) with Myfaces CODI but I don't see anything which does what I want.
I could add some more code to my filter, but I need to persist some data (i.e. login count), it doesn't look like a nice option. Maybe I'm wrong.
I make all the preRenderView methods of potential targets of j_security_check (pages called with GET) handle the case where they are called directly from j_seecurity_check. I can see this being what I have to do but it seems like a lot of hassle.
Write a Server Authentication Module for glassfish to override j_security_check behavior.
How is this normally handled? I've started hitting this problem after moving to GETs for simple navigation cases after years of abusing POSTs, and the custom exception handler doesn't work. If anyone has any guidance on this issue I'd appreciate it, at least I know what's going on now. Hopefully I've missed something obvious!
Thanks
O/S
Ideally there'd be an #PostLogin method that could be called, which would cleanly solve all my problems. I use JSF (Mojarra) with Myfaces CODI but I don't see anything which does what I want.
There is indeed no such thing.
I could add some more code to my filter, but I need to persist some data (i.e. login count), it doesn't look like a nice option. Maybe I'm wrong.
That would indeed be the "easiest" way. Basically:
UserPrincipal user = request.getUserPrincipal();
HttpSession session = request.getSession();
if (user != null && session.getAttribute("user") == null) {
session.setAttribute("user", user);
// First-time login. You can do your intercepting thing here.
response.sendRedirect(request.getContextPath() + "/welcome.xhtml");
}
I make all the preRenderView methods of potential targets of j_security_check (pages called with GET) handle the case where they are called directly from j_seecurity_check. I can see this being what I have to do but it seems like a lot of hassle.
That's not DRY.
Write a Server Authentication Module for glassfish to override j_security_check behavior.
Can't answer that as I've never done that.
I am a beginner in JSF. I am building an application where on loggin on user details from the database are to be displayed in another JSP. I use a managed bean each for all of my jsp pages (JSF) I have defined thier scope as request in my faces-config XML. On logging in the details are verified by an actionListener method in my login page. Before leaving this method I am attempting to set attributes of the managed bean of the next page. But the state that I have set is not preserved in the second page. What am I missing out.
P.S. Please redirect me if this question was asked before and answered.
Thank you
The boundary between the two requests is when you return the navigation outcome from your managed bean action. Then a redirect (if configured so) is triggered to that outcome.
You have three options:
don't use <redirect /> in your navigation rules - thus you'll stay within the same request even when you show another page after submit. The downside is that this hurts user experience - if refresh is pressed, the ugly 'resubmit' dialog appears
use session scope - this is not harmful in small doses, but be careful not to have too many session-scoped beans.
use a conversation framework (like MyFaces Orchestra) - defines a custom scope called "conversation.access" - your data is accessible as long as it is needed.
use <a4j:keepAlive> from richfaces - preferred for ajax-requests.
We have the following problem...
Application's environment:
JSF, Richfaces, a4J
Consider having the following scenario:
The user logs into the system
The user navigates to a new page which consists of an a4j form containing a4j components, the user fills into the form but doesn't submit.
The user opens a new Tab and opens the same URL and fill in the new form with new data
The user returns to his first Tab and submits the information (Note: All beans are defined are session scope)
Result:
The submitted information is the information from the second Tab but submitted from the first Tab, which is expected as long as the beans are defined as session scope.
Problem:
We need to get the behavior of a request scope (i.e: dealing with new tab as a new request although the bean is defined as a session scope).
Notes:
When defining the bean scope as a request scope the partial Ajax response from individual components in the same form, resets the other components since they are not submitted yet.
Any suggestions ?
--
Thanks so much
This is a well known problem for Web applications.
Of course you can try to solve this problem using more custom code
but my quick suggestion is to use the seam framework which solves exactly this.
Seam is a superset of JSF and introduces a new conversation scope for
beans that does exactly what you want.
Seam supports richfaces natively (both are projects of JBoss/Redhat) so
you should not expect any problems with integration.
What is the reason the bean needs to be in session scope ?
If this is only to get ajax functionality then you can change the bean to request and use the a4j:keepAlive tag.
a4j:keepAlive extends the live cycle for the request scope bean, your bean instance then acts like it is in session scope for ajax requests. When the user opens two of the same page they are using two different bean instances.