You wouldn't register a phase-listener, you'd rather decorate the
action-listener to find a solution to this.

faces-config.xml:
<application>
 <action-listener>your decorator goes here</action-listener>
</application>

... the default-action listener calls all actions!

regards,

Martin
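Martin's suggestion worked through as an added example (not code from this thread or from MyFaces): a decorating ActionListener, registered through the <action-listener> entry shown above, that reads the action's method-binding expression and refuses to delegate to the default listener unless the caller holds the required role, which is the check Rudi wanted for something like deleteUser(). The JSF 1.1 API calls are real; the AuthorizingActionListener class, the userBean expressions and the role table are constructed for illustration, and the constructor receiving the previously configured listener assumes the implementation applies the decorator pattern to action-listener, as MyFaces does.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.faces.application.FacesMessage;
import javax.faces.component.ActionSource;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

// Hypothetical decorator: registered in faces-config.xml as <action-listener>;
// the one-argument constructor receives the default (previous) listener.
public class AuthorizingActionListener implements ActionListener {
  // Constructed sample policy: action expression -> required role.
  // Actions not listed here need no particular role.
  private static final Map REQUIRED_ROLE;
  static {
    Map m = new HashMap();
    m.put("#{userBean.deleteUser}", "admin");
    m.put("#{userBean.resetPassword}", "admin");
    REQUIRED_ROLE = Collections.unmodifiableMap(m);
  }

  private final ActionListener delegate;

  public AuthorizingActionListener(ActionListener delegate) {
    this.delegate = delegate;
  }

  public void processAction(ActionEvent event) throws AbortProcessingException {
    FacesContext ctx = FacesContext.getCurrentInstance();
    String expr = actionExpression(event);
    String role = expr == null ? null : (String) REQUIRED_ROLE.get(expr);
    if (role != null && !ctx.getExternalContext().isUserInRole(role)) {
      // Decided server-side, so a button the client claims to have clicked
      // is still refused even if it was never rendered for this user.
      ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
          "You are not allowed to perform this action.", null));
      ctx.renderResponse();  // skip straight to RENDER_RESPONSE
      return;                // delegate never runs, so the action is not invoked
    }
    delegate.processAction(event);  // authorized: default listener invokes the action
  }

  // e.g. "#{userBean.deleteUser}", or null when the component has no action binding
  static String actionExpression(ActionEvent event) {
    if (!(event.getComponent() instanceof ActionSource)) return null;
    MethodBinding mb = ((ActionSource) event.getComponent()).getAction();
    return mb == null ? null : mb.getExpressionString();
  }
}
```

Because the default listener is what calls the action method, not delegating is sufficient to block it; the navigation handler still runs afterwards with a null outcome, so the user stays on the same view.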

On 5/15/07, Petr Kotek <[EMAIL PROTECTED]> wrote:
Hi Rudi,

I am only a beginner in JSF and I don't know if a better way exists to
handle login, but the following code may help you.

PhaseListener
-------------------------------------------
import java.io.IOException;

import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletRequest;

// Runs after RESTORE_VIEW on every request. JSFSession is the session bean
// described below (isLogged() / doLogin(login, password)).
public class LoginPhaseListener implements PhaseListener {
  private final String LOGIN_SOURCE = "loginButton";
  private final String METHOD_GET = "GET";
  private final String MAIN_PAGE = "main.jsp";
  private final String LOGIN_PAGE = "index.jsp";

  public LoginPhaseListener() {
  }

  public PhaseId getPhaseId() {
    return PhaseId.RESTORE_VIEW;
  }

  public void beforePhase(PhaseEvent phaseEvent) {
  }

  public void afterPhase(PhaseEvent phaseEvent) {
    FacesContext ctx = phaseEvent.getFacesContext();
    JSFSession session = (JSFSession) ctx.getApplication()
        .createValueBinding("#{JSFSession}").getValue(ctx);
    if (!session.isLogged()) {
      ExternalContext ex = ctx.getExternalContext();
      try {
        HttpServletRequest hsrq = (HttpServletRequest) ex.getRequest();
        // If source is loginButton, then try doLogin
        if (LOGIN_SOURCE.equalsIgnoreCase(hsrq.getParameter("source"))) {
          // Get info from login page
          String login = hsrq.getParameter("login");
          String password = hsrq.getParameter("password");
          // Check it
          if (login == null || password == null
              || login.length() == 0 || password.length() == 0) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                "Login or Password can't be empty!", null));
          } else if (session.doLogin(login, password)) {
            if (METHOD_GET.equalsIgnoreCase(hsrq.getMethod())) {
              // Special login (for debug app - autologin) from request parameters
              // (?source=loginButton&login=name&password=psw) - redirect to main.jsp.
              // Credentials in a GET query string end up in browser history and
              // server logs, so this debug path should not reach production.
              ex.redirect(MAIN_PAGE);
            }
          } else {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                "Bad Login or Password!", null));
          }
        } else if (hsrq.getRequestURI().indexOf(LOGIN_PAGE) < 0) {
          // Not logged in and not already on the login page: send the user there
          ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
              "Session Logged Out or Expired!", null));
          ex.redirect(LOGIN_PAGE);
        }
      } catch (Exception e) {
        e.printStackTrace();
        ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
            "Unexpected login error!", e.getMessage()));
        try {
          ex.redirect(LOGIN_PAGE);
        } catch (IOException f) {
          // nothing more can be done for this request
        }
      }
    }
  }
}
-------------------------------------------
Navigation Handler
-------------------------------------------
import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;

// Decorates the default NavigationHandler: any navigation attempted while the
// session is not logged in is forced to the "logout" outcome.
public class LoginNavigationHandler extends NavigationHandler {
  private final NavigationHandler deflNavHandler;   // Original handler

  public LoginNavigationHandler(NavigationHandler navHandler) {
    super();
    deflNavHandler = navHandler;
  }

  public void handleNavigation(FacesContext facesContext, String fromAction,
                               String outcome) {
    try {
      JSFSession session = (JSFSession) facesContext.getApplication()
          .createValueBinding("#{JSFSession}").getValue(facesContext);
      if (!session.isLogged()) {
        outcome = "logout";
      }
    } catch (Exception ex) {
      ex.printStackTrace();
    } finally {
      deflNavHandler.handleNavigation(facesContext, fromAction, outcome);
    }
  }
}
-------------------------------------------


Where JSFSession is a session bean with boolean isLogged() and boolean
doLogin(login, password) methods. Actually, I checked the login/password
against a database table of valid users.

Petr



Rudi Steiner wrote:
> Hi Veit,
>
> I don't use spring, so I can't use this mechanism :(
>
> Is there a possibility to get the action to call over the facesContext?
>
> thanks,
> Rudi
>
> On 5/15/07, Walter Oliver (BR/ICI3) <[EMAIL PROTECTED]>
> wrote:
>> Ms. Nolte will send the first test orders this evening at 16:30.
>>
>> Customers can also already place orders.
>>
>> Regards, Oliver Walter
>>
>> > -----Original Message-----
>> > From: Veit Guna [mailto:[EMAIL PROTECTED]
>> > Sent: Tuesday, 15 May 2007 12:11
>> > To: MyFaces Discussion
>> > Subject: Re: MyFaces and Security
>> >
>> > I didn't follow the whole thread, but isn't acegi (if you use
>> > spring) a solution? I use it to protect specific URLs as
>> > well as method invocations on backing beans. Works fine for
>> > me (but I'm using spring). I must also admit that I'm using
>> > jsf-spring to let spring create the backing beans for me (and
>> > thus let acegi take over security).
>> >
>> > /Veit
>> >
>> >
>> > -------- Original Message --------
>> > Date: Tue, 15 May 2007 12:03:21 +0200
>> > From: "Rudi Steiner" <[EMAIL PROTECTED]>
>> > To: "MyFaces Discussion" <users@myfaces.apache.org>
>> > Subject: Re: MyFaces and Security
>> >
>> > > Hi Cagatay,
>> > >
>> > > thanks for the hint. This is definitely one step in making a
>> > > JSF app secure.
>> > >
>> > > I would like to increase the security of my app by writing a
>> > > phaselistener, which checks the action the current request is
>> > > calling and makes sure that the current user has the right to
>> > > call this action (example: calling the method deleteUser() in a
>> > > backing bean).
>> > >
>> > > Could anyone please tell me, how I can determine in a phaselistener
>> > > which action is going to be called in the current request?
>> > >
>> > > best regards,
>> > > Rudi
>> > >
>> > > On 5/14/07, Cagatay Civici <[EMAIL PROTECTED]> wrote:
>> > > > Hi,
>> > > >
>> > > >  Regarding your concerns about the viewstate at client;
>> > > >
>> > > >  http://wiki.apache.org/myfaces/Secure_Your_Application
>> > > >
>> > > >  Cagatay
>> > > >
>> > > >
>> > > > On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
>> > > > > Hello,
>> > > > >
>> > > > > I'm in the final stage of a project and thinking about which
>> > > > > is the best way to make a myFaces app secure (authentication,
>> > > > > authorization, ...)
>> > > > >
>> > > > > I'm thinking about the Tomcat built-in mechanism or an
>> > > > > alternative like securityFilter. But thinking about it, I got
>> > > > > some questions, like: what about faking the view state on the
>> > > > > client side?
>> > > > >
>> > > > > Could it be that, for example, a normal user who knows the
>> > > > > application code fakes the view state on the client for a
>> > > > > page which has, for example, some commandbuttons which are
>> > > > > rendered for an admin but are not rendered for a normal
>> > > > > user? Does anyone have experience in this area?
>> > > > >
>> > > > > thanks a lot,
>> > > > > Rudi
>> > > > >
>> > > >
>> > > >
>> >
>>
>



--

http://www.irian.at

Your JSF powerhouse -
JSF Consulting, Development and
Courses in English and German

Professional Support for Apache MyFaces
