Liferay: how to prevent landing pages (login and logout) from being shown in the menu?

I'm trying to find a clean way so that the login and logout pages for my Liferay portal aren't shown in my menu. For the login page I guess I could move the user to the private pages section, but I have no clue how I can make the logout landing page not visible. And preferably the logout page would only be navigable to when you're effectively logged out, so users can't accidentally go to it when they've got the URL cached in their browser.
Any input would be appreciated.

Regarding hiding the landing pages: Just create them and check "hidden" in "Manage Page" for that page. This will make the page accessible according to the permissions, but hide it in the navigation - e.g. if you know the page's name, you can go there - just as you requested.
If you display the currently logged in user on the logout landing page (e.g. through the "Sign In" portlet), you don't need to display a message like "you've been logged out", but display the current state of the user's session.
Of course you're free to not use the Sign-In opportunity on that page, in this case you'll have to display the current session state in a different portlet. It could be as simple as a templated WebContent portlet, accessing the currently logged in user.
Edit: If you set default.logout.page.path=/web/guest/logout and auth.forward.by.last.path=true but you're still not redirected on logout, chances are that changes made through the UI override your portal-ext.properties. If you've edited "Settings" in ControlPanel, this is most likely the case. You can set these values there, on the first page in settings.
As noted in your comment: You cannot make the first page hidden. This shouldn't be a problem: Just make any other page hidden. Even if you don't have more public content than this, you can have at least a public page stating that you need to log in. Make this the first, so the logout page can be either a child page of this or a new top-level page - but most importantly: It can be hidden.

Related

Prevent direct access to some page in JSF

I want to restrict direct access to certain pages in my application. Those pages should only be accessible if the user is redirected to those pages by the application.
All the redirections are done via ExternalContext#redirect(url) method.
The user can use the back and forward buttons, and can also refresh the page by pressing F5 or via the browser's refresh button. What I want is that the user cannot save or bookmark the URLs of some pages, and also cannot copy those restricted URLs and paste them into the address bar of the browser.
The following are the cases:
Say, I have Page-A and Page-B.
Redirection is done to Page-B from Page-A.
User can go back to Page-A and can come again to Page-B by using browser's back and forward button.
User can refresh Page-B and he/she will stay in Page-B.
User CANNOT copy the URL of Page-B and access it at a later time (in a new tab or by bookmarking).
Is it feasible? Any pointer would be very helpful to me.
I don't think you can do all that from JSF.
Your obvious alternative is to use Javascript.
I never heard of a concept of disabling the Bookmark option in the browser using Javascript. However, you can always disable the address field if you open the page in a new window.
You can solve it with
JSF Navigation Handler - set a session attribute from some previous page and expire the value after some time with a timer. From the Handler impl check the value of the attribute and restrict access e.g. redirect to some other page in case the value is not present.
You can achieve similar behaviour with web frameworks. Enforcing controlled navigation is a basic feature in most WEB FXs e.g. JBoss Seam conversations or Spring Web Flow controlled navigation implementations.
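The session-attribute check described in the answer above, as an added example that is not part of the original posts: the logic is language-neutral and shown here in JavaScript, and the `session` object, the `/page-b` path and the ten-minute lifetime are assumptions. In JSF the same check would sit in the navigation handler or a filter.

```javascript
// Added example. `session` is a plain object standing in for the
// server-side HTTP session (assumption); timestamps are in milliseconds.
const GRANT_TTL_MS = 10 * 60 * 1000; // assumed lifetime of a grant

// Called by the application just before it redirects the user to `page`.
function grantAccess(session, page, now = Date.now()) {
  if (!(session.grants instanceof Map)) session.grants = new Map();
  session.grants.set(page, now + GRANT_TTL_MS);
}

// Called for every request to a restricted page.
function checkAccess(session, page, now = Date.now()) {
  const grants = session && session.grants;
  if (!(grants instanceof Map) || !grants.has(page)) {
    return { allowed: false, reason: 'no-grant' };   // URL typed or bookmarked
  }
  if (now >= grants.get(page)) {
    grants.delete(page);                             // expire the stale grant
    return { allowed: false, reason: 'expired' };
  }
  return { allowed: true, reason: 'granted' };       // redirect, refresh, back/forward
}

// Walk through the cases from the question with constructed timestamps.
function walkThroughCases() {
  const t0 = 1000000;
  const session = {};
  const r = {};
  r.direct = checkAccess(session, '/page-b', t0).reason;            // before any redirect
  grantAccess(session, '/page-b', t0);                              // Page-A redirects
  r.afterRedirect = checkAccess(session, '/page-b', t0 + 1000).reason;
  r.refresh = checkAccess(session, '/page-b', t0 + 60000).reason;   // F5 a minute later
  r.bookmarkLater = checkAccess(session, '/page-b', t0 + GRANT_TTL_MS).reason;
  r.newSession = checkAccess({}, '/page-b', t0 + 1000).reason;      // other browser/session
  return r;
}
```

A grant lives in the session, so a URL pasted into a new tab of the same session before the grant expires still passes; only later or cross-session use is rejected.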

SharePoint page with usercontrol is giving You are not authorized to view this page error

I have an unusual scenario in which only one page of our SP 2007 site is throwing this error "You are not authorized to view this page".
Here are some details:
SP 2007 Enterprise
The page in question uses SmartPart to display custom usercontrol.
We have 50+ pages that also use custom user controls in SmartPart, and none of them generate this error.
The page in question has several functions, and it initially loads just fine. First time it loads, user selects a customer from a dropdown, then enters a search query and clicks the search button. That all works, and the page then returns some search results. That works as well. Then the user can click on a Modify link for each item. It's clicking on this Modify link that generates the page error. All of these things are done on this one page, it just refreshes accordingly. The Modify link is just a standard asp:commandline field that causes the page to load the line item in editable mode.
Here's the other strange thing. If I login as the SP Administrator account, and go to this page, it all works properly, no errors...and, then all other users can go in and use the page properly, without errors as well. It's as if whatever the security issue is, is being resolved temporarily as a result of the Admin using the page first. But after a code publish, or IISRESET, etc, the page goes back to not working for any general users.
Any ideas on what I should look for in trying to resolve this issue? I can also provide code if anyone thinks that may be relevant.
Thanks!
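Use SPSecurity.RunWithElevatedPrivileges for running your code with anonymous access user:

    // `web` is assumed to be the current SPWeb (not defined in this snippet).
    SPSecurity.RunWithElevatedPrivileges(delegate()
    {
        // Open a new SPSite inside the delegate so it is created in the
        // elevated context; objects obtained outside keep the caller's permissions.
        using (SPSite site = new SPSite(web.Site.ID))
        {
            // implementation details omitted
        }
    });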

Controlling the behavior of the Browser's Back Button

We created an E-Newsletter for a client that includes lots of story links as well as banner ads. The majority of users are reading the newsletter in MS Outlook. The client thinks users will get confused when they click on a link from the newsletter and it opens in their browser and then the user can't hit the browser's back button in order to get back to the newsletter.
What are my options?
Is it possible to control where the browser's back button takes the user? I would guess not for security reasons.
If I have the newsletter links go through our main site and then redirect to the desired page (story or ad), can I do it in such a way that the back button will work and won't result in the user being redirected back to the redirect page?
Is there a better approach?
Overall, the back and forward buttons step the user through the history and for security reasons, there is very little you can do about that. But ...
You do have a certain amount of control over the history. In particular, page 1 can say "go to page 2", and once the user is on page 2, the back button will return the user to page 1 OR page 1 can say "replace me in history with page 2"; then once the user is on page 2, the back button will return the user to whatever was before page 1, if anything. This is a good way to Orwell redirect pages right out of memory.
See here for details.
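The "replace me in history" option from the answer above, as an added example that is not part of the original post: a redirect hop for newsletter links that only forwards to known hosts and emits a page calling `location.replace`, so the hop itself does not stay in the back-button history. The host names and function names are assumptions.

```javascript
// Added example. ALLOWED_HOSTS lists the story and ad hosts the newsletter
// may link to (assumed names); anything else is refused, so the hop cannot
// be used to forward readers to arbitrary sites.
const ALLOWED_HOSTS = new Set(['news.example.com', 'ads.example.com']);

// Returns a normalised absolute URL, or null if the target is not acceptable.
function safeTarget(raw) {
  let url;
  try {
    url = new URL(raw);                 // no base: relative and "//host" forms throw
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;           // no http:, javascript:, data:
  if (url.username || url.password) return null;        // no "user@host" look-alikes
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;    // exact host match only
  return url.href;
}

// Builds the response for the redirect hop ("page 1" in the answer).
function redirectPage(raw) {
  const target = safeTarget(raw);
  if (target === null) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'Unknown link' };
  }
  // JSON.stringify yields a JS string literal; "<" is escaped as well so the
  // value can never terminate the surrounding script element.
  const literal = JSON.stringify(target).replace(/</g, '\\u003c');
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' },
    // location.replace() swaps this page's history entry for the target,
    // so Back skips the hop and returns to whatever preceded it.
    body: '<!doctype html><title>Redirecting</title>' +
          `<script>location.replace(${literal});</script>`,
  };
}
```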

Page for login page on drupal

We would like to add content to the now blank page next to the user/pw boxes. I can get content to show up as the front page once the user has logged in, but how do we add content to be viewed by anonymous users only during the login process?
Thank you!
Follow these steps:
Create a block and only check the 'anonymous' checkbox in the Role Specific Visibility Settings.
Set the Page Specific Visibility Settings to display the block on <front> for the front page, user for the login page, or the urls for any other pages on which you may want it to display.
Finally, save the block and place it in the region of your choice.

Custom Terms of Use Page before login to SharePoint

I am using MOSS with ADS. I want to display a Terms of Use page before the user can log in to SharePoint, with two buttons, i.e. "Accept" and "Decline". If the user selects "Accept", he will be directed to the SharePoint site; if not, to our company's intranet front page. This will be applicable for the current session, i.e. if the user has signed off, then it should prompt the terms of use again when the user hits the MOSS site, but once accepted the user should not get this page again until he/she signs off.
Please advise.
Thank you
You can follow one of the approaches below, based on your requirements and flexibility.
If you have AD configured with FBA, make a copy of Login.aspx and save it as MyLogin.aspx, edit the Login control and insert your Terms & Conditions there, add a check box, and enable the login button only if "I agree" is checked.
Next is to have a control that is deployed to the master page. This control will not have a UI, but it will check the session to see if the user has agreed to the Terms and Conditions; if yes, it will redirect to the welcome page or the page the user has requested, otherwise it will navigate him to the Terms page until he accepts. On accept, flag that information in the session.
If you are using SharePoint 2010 you could use the Dialog framework to show a popup & get this done.
You could create a custom page in /_layouts which has your terms and conditions, along with the buttons for accept/decline.
Hitting the accept button will create a cookie for keeping track of whether or not the user has accepted the conditions for the current session.
Then, you could create a HttpModule which intercepts all requests to the SharePoint site. If the cookie is present, do nothing (ie let the user access the requested page), otherwise redirect the browser to the custom accept/decline page.
You should be able to do this fairly easily. If you don't care about them accepting or denying it, then just use this redirect module http://httpcode.s3.amazonaws.com/httpcode.Redirect.wsp to redirect them once to the page. You can tell this module to do it once. If you need to verify that they accept/decline, you will need to add all the people to a new group, and then on accepting, remove them from that group. That way they will always be directed to the new page.
Hope this helps
