I have a question concerning JSF page navigation. How can I configure my JSF application so that, after a successful login, the only possible navigation leads to the page "list.xhtml"?

This is my current situation (I'm using JSF 2.x, PrimeFaces and a GlassFish application server):

  1. My user navigates to my login page. The only way to get to this point is to enter "localhost:8080/myApp" in the browser URL bar. Now my user sees the login page and must enter a username and password.

  2. My users can enter another page navigation path in the browser URL bar, like "localhost:8080/myApp/myPath/resultcalculation.xhtml", while they are seeing the login page.

  3. Now the browser URL bar contains "localhost:8080/myApp/myPath/resultcalculation.xhtml"; the user enters the login name and password and is navigated directly to the page "resultcalculation.xhtml".

But that is a terrible situation. The user must be navigated to the page "list.xhtml" at this path: "localhost:8080/myApp/myPath/list.xhtml". It is not OK that he can navigate through my application by using the browser URL bar directly.

How can I prevent the user from doing this? He should only use the navigation that I have developed in my XHTML pages with JSF components like <h:commandButton> or <h:commandLink>.

  • Related: http://stackoverflow.com/a/3512494/1225328 – sp00m Apr 17 '14 at 07:24
  • You can't prevent it, you have -no- power over the client, nor should you. At best you can design your web application properly such that the user is redirected away or blocked if he's somewhere where he/she is not supposed to be. – Gimby Apr 17 '14 at 07:45
  • OK, but how can I set up that kind of redirection? In faces-config.xml? –  Apr 17 '14 at 07:54
  • You can do it. You can store the "from" page in the session and check it on the "to" page. If it is not a valid "from" page, redirect to "some". For that you can use a JavaScript check or a filter. Yes, it is possible, but it is a lot of additional work with a very small positive effect for the application. Usually an application is divided into 2 parts: one for logged-in users and one for non-logged-in users (that is enough for 99 % of real-world cases). – Vasil Lukach Apr 17 '14 at 10:15
  • Your application needs an authorization mechanism so that only logged-in users can view e.g. the list. So you need to either create a user filter or use a session attribute, and check whether the user is logged in if he navigates directly to a page other than the login page. If he's correctly authenticated he can see it; otherwise you redirect him to the login page. – Omoro Apr 17 '14 at 11:38

0 Answers