You wouldn't register a phase-listener, you'd rather decorate the action-listener to find a solution to this.
faces-config.xml:

<application>
  <action-listener>your decorator goes here</action-listener>
</application>

... the default action listener calls all actions!

regards,
Martin

On 5/15/07, Petr Kotek <[EMAIL PROTECTED]> wrote:
Hi Rudi,

I am only a beginner in JSF and I don't know if a better way to handle login exists, but the following code may help you.

PhaseListener
-------------------------------------------
import java.io.IOException;

import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletRequest;

// Runs after RESTORE_VIEW on every request; redirects to the login page
// unless the session is already logged in or the request is a login attempt.
public class LoginPhaseListener implements PhaseListener {
    private final String LOGIN_SOURCE = "loginButton";
    private final String METHOD_GET = "GET";
    private final String MAIN_PAGE = "main.jsp";
    private final String LOGIN_PAGE = "index.jsp";

    public LoginPhaseListener() {
    }

    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;
    }

    public void beforePhase(PhaseEvent phaseEvent) {
    }

    public void afterPhase(PhaseEvent phaseEvent) {
        FacesContext ctx;
        ExternalContext ex;
        JSFSession session;
        HttpServletRequest hsrq;
        String login;
        String password;

        ctx = phaseEvent.getFacesContext();
        session = (JSFSession) ctx.getApplication()
                .createValueBinding("#{JSFSession}").getValue(ctx);
        if (!session.isLogged()) {
            ex = ctx.getExternalContext();
            try {
                hsrq = (HttpServletRequest) ex.getRequest();
                // If source is loginButton, then try doLogin
                if (LOGIN_SOURCE.equalsIgnoreCase(hsrq.getParameter("source"))) {
                    // Get info from login page
                    login = hsrq.getParameter("login");
                    password = hsrq.getParameter("password");
                    // Check it
                    if ((login == null) || (password == null)
                            || (login.length() == 0) || (password.length() == 0)) {
                        ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                                "Login or Password can't be empty!", null));
                    } else if (session.doLogin(login, password)) {
                        if (METHOD_GET.equalsIgnoreCase(hsrq.getMethod())) {
                            // Special login (for debug app - autologin) from request parameters
                            // (?source=loginButton&login=name&password=psw) - redirect to main.jsp
                            ex.redirect(MAIN_PAGE);
                        }
                    } else {
                        ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                                "Bad Login or Password!", null));
                    }
                } else if (hsrq.getRequestURI().indexOf(LOGIN_PAGE) < 0) {
                    // Not logged in and not on the login page: send the user there
                    ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                            "Session Logged Out or Expired!", null));
                    ex.redirect(LOGIN_PAGE);
                }
            } catch (Exception e) {
                e.printStackTrace();
                ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                        "Unexpected login error!", e.getMessage()));
                try {
                    ex.redirect(LOGIN_PAGE);
                } catch (IOException f) {
                    // nothing more we can do here
                }
            }
        }
    }
}
-------------------------------------------

Navigation Handler
-------------------------------------------
import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;

// Decorates the default NavigationHandler: any navigation from a session
// that is not logged in is forced to the "logout" outcome.
public class LoginNavigationHandler extends NavigationHandler {
    private final NavigationHandler deflNavHandler; // Original handler

    public LoginNavigationHandler(NavigationHandler navHandler) {
        super();
        deflNavHandler = navHandler;
    }

    public void handleNavigation(FacesContext facesContext, String fromAction, String outcome) {
        JSFSession session;
        try {
            session = (JSFSession) facesContext.getApplication()
                    .createValueBinding("#{JSFSession}").getValue(facesContext);
            if (!session.isLogged()) {
                outcome = "logout";
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        } finally {
            deflNavHandler.handleNavigation(facesContext, fromAction, outcome);
        }
    }
}
-------------------------------------------

Where JSFSession is a session bean with boolean .isLogged() and boolean .doLogin(login, password) methods. Actually I checked login/password against a database table of valid users.

Petr

Rudi Steiner wrote:
> Hi Veit,
>
> I don't use spring, so I can't use this mechanism :(
>
> Is there a possibility to get the action to call over the facesContext?
>
> thanks,
> Rudi
>
> On 5/15/07, Walter Oliver (BR/ICI3) <[EMAIL PROTECTED]>
> wrote:
>> Ms Nolte will send the first test orders this evening at 16:30.
>>
>> Customers can also already place orders.
>>
>> Regards Oliver Walter
>>
>> > -----Original Message-----
>> > From: Veit Guna [mailto:[EMAIL PROTECTED]
>> > Sent: Tuesday, 15 May 2007 12:11
>> > To: MyFaces Discussion
>> > Subject: Re: MyFaces and Security
>> >
>> > I didn't follow the whole thread, but isn't acegi (if you use
>> > spring) a solution? I use it to protect specific url's as
>> > well as method invocations on backing beans.
>> > Works fine for me (but I'm using spring). I must also admit that I'm using
>> > jsf-spring to let spring create the backing beans for me (and
>> > thus let acegi take over security).
>> >
>> > /Veit
>> >
>> >
>> > -------- Original Message --------
>> > Date: Tue, 15 May 2007 12:03:21 +0200
>> > From: "Rudi Steiner" <[EMAIL PROTECTED]>
>> > To: "MyFaces Discussion" <users@myfaces.apache.org>
>> > Subject: Re: MyFaces and Security
>> >
>> > > Hi Cagatay,
>> > >
>> > > thanks for the hint. This is definitely one step in making a jsf-app
>> > > secure.
>> > >
>> > > I would like to increase the security of my app by writing a
>> > > phaselistener, which checks the action the current request is calling
>> > > and makes sure that the current user has the right to call this
>> > > action (example calling the method deleteUser() in a backingbean).
>> > >
>> > > Could anyone please tell me how I can determine in a phaselistener
>> > > which action is going to be called in the current request?
>> > >
>> > > best regards,
>> > > Rudi
>> > >
>> > > On 5/14/07, Cagatay Civici <[EMAIL PROTECTED]> wrote:
>> > > > Hi,
>> > > >
>> > > > Regarding your concerns about the viewstate at client;
>> > > >
>> > > > http://wiki.apache.org/myfaces/Secure_Your_Application
>> > > >
>> > > > Cagatay
>> > > >
>> > > >
>> > > > On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
>> > > > > Hello,
>> > > > >
>> > > > > I'm in the final state of a project and thinking about which is the
>> > > > > best way to make a myFaces-App secure (authentication, authorization,
>> > > > > ...)
>> > > > >
>> > > > > I'm thinking about the Tomcat built-in mechanism or an alternative
>> > > > > like securityFilter. But thinking about it, I got some questions like,
>> > > > > how about faking the view state on the client side.
>> > > > >
>> > > > > Could it be, that for example a normal user who knows the
>> > > > > application code, fakes the viewstate on the client for a page which
>> > > > > has for example some commandbuttons which are rendered for an admin
>> > > > > but are not rendered for a normal user? Has anyone had experiences in
>> > > > > this area?
>> > > > >
>> > > > > thanks a lot,
>> > > > > Rudi
>> > > > >
>> > > >
>> > > >
>> >
>>
>
--
http://www.irian.at
Your JSF powerhouse - JSF Consulting, Development and Courses in English and German
Professional Support for Apache MyFaces
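The action-listener decorator Martin suggests, written out as an added example (not code from this thread or from MyFaces): it wraps the default ActionListener registered in faces-config.xml, reads the action binding of the UICommand that fired, and only delegates when the current user may invoke that method. Because the check runs server-side when the action is invoked, it also covers Rudi's worry about a restored view containing buttons that were never rendered for that user. The class JSFSession and its isAllowed(String) method are assumptions (an extension of the session bean in Petr's post); the JSF 1.1/1.2 API calls are real.

```java
import javax.faces.application.FacesMessage;
import javax.faces.component.UICommand;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

// Registered in faces-config.xml as
//   <application><action-listener>AuthorizingActionListener</action-listener></application>
// The runtime hands the previously registered (default) listener to the constructor.
public class AuthorizingActionListener implements ActionListener {
    private final ActionListener delegate; // default listener: the one that really invokes actions

    public AuthorizingActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        String action = actionOf(event.getComponent()); // e.g. "#{userBean.deleteUser}"

        // Assumed session bean, in the spirit of Petr's JSFSession, extended with
        // isAllowed(expression), which checks the current user's roles on the server.
        JSFSession session = (JSFSession) ctx.getApplication()
                .createValueBinding("#{JSFSession}").getValue(ctx);

        // Literal outcomes ("main") only navigate and call no bean method; every
        // method binding is checked, whether or not the client was ever shown the button.
        if (action != null && action.startsWith("#{") && !session.isAllowed(action)) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "You are not permitted to perform this action.", null));
            ctx.getExternalContext().log("Denied " + action + " for user "
                    + ctx.getExternalContext().getRemoteUser());
            return; // nothing invoked, no navigation; the lifecycle renders the message
        }
        delegate.processAction(event); // authorized: default listener calls the method
    }

    // Action binding string of the UICommand that fired, or null if it has none.
    static String actionOf(UIComponent component) {
        if (!(component instanceof UICommand)) {
            return null;
        }
        MethodBinding mb = ((UICommand) component).getAction();
        return mb == null ? null : mb.getExpressionString();
    }
}
```

The denied request still passes through Petr's LoginPhaseListener and LoginNavigationHandler unchanged; this listener only adds a per-action authorization gate in front of the method call.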