I have a login page that creates a session when users log in to stop random page traversal to add some form of "security" to the pages past the login page. I have used the following code from: here

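import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpSession;

public class AuthorizationListener implements PhaseListener {

    public void afterPhase(PhaseEvent event) {
        FacesContext facesContext = event.getFacesContext();
        String currentPage = facesContext.getViewRoot().getViewId();

        boolean isLoginPage = (currentPage.lastIndexOf("login.xhtml") > -1);
        // getSession(false) returns null instead of creating a new session
        HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false);

        if (session == null) {
            // No session at all: every view, including the registration pages, is sent to login
            NavigationHandler nh = facesContext.getApplication().getNavigationHandler();
            nh.handleNavigation(facesContext, null, "loginPage");
        } else {
            Object currentUser = session.getAttribute("username");

            // "".equals(...) compares the value; == would only compare object references
            if (!isLoginPage && (currentUser == null || "".equals(currentUser))) {
                NavigationHandler nh = facesContext.getApplication().getNavigationHandler();
                nh.handleNavigation(facesContext, null, "loginPage");
            }
        }
    }

    public void beforePhase(PhaseEvent event) {
        // Nothing to do before the phase
    }

    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;
    }
}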

How could I edit this to allow users to access the following pages without them needing a session, aka omitting certain pages from the session?

customerRegistration.xhtml
employeeRegistration.xhtml

At the moment it is not allowing me to register as no session has been created. I have tried to edit the afterPhase() method with no success.

If any more details are needed please let me know. I am very new to JSF2 and Primefaces so please let me know if I need to add/remove anything...

EDIT: I have tried the following with no success.

  • I don't know if you can do it with a PhaseListener, but I think you would want to use a Filter instead so you have access to the request: http://stackoverflow.com/questions/14580267/authorization-redirect-on-session-expiration-does-not-work-on-submitting-a-jsf-f. Then you can just call chain.doFilter() for your 2 urls without checking the session – Jaqen H'ghar Sep 30 '14 at 05:40
  • That phase listener is terrible. Throw it away. – BalusC Sep 30 '14 at 06:45
  • Sigh, do you have any phase filter suggestions then please? I'm new to this so I really don't know what I'm doing here... – DeanMWake Sep 30 '14 at 06:53
  • Start here: http://stackoverflow.com/questions/9965708/how-to-handle-authentication-authorization-with-users-in-a-database – BalusC Sep 30 '14 at 08:24
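
The servlet filter approach suggested in the comments, sketched as an added example (not code from the question or from any commenter). It assumes FacesServlet is mapped to *.xhtml and that the login and registration pages sit at the context root; the class name AuthorizationFilter is hypothetical, while the "username" session attribute and the page names come from the question.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.faces.application.ResourceHandler;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example. Assumes FacesServlet is mapped to *.xhtml and pages sit at the context root.
@WebFilter("*.xhtml")
public class AuthorizationFilter implements Filter {

    // Exact-match allowlist: only these views are reachable without a session.
    private static final Set<String> PUBLIC_PAGES = new HashSet<String>(Arrays.asList(
            "/login.xhtml", "/customerRegistration.xhtml", "/employeeRegistration.xhtml"));

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServletPath() is decoded by the container, so compare it exactly.
        String path = request.getServletPath();
        boolean isPublic = PUBLIC_PAGES.contains(path)
                // JSF-served CSS/JS/images, needed to render the public pages.
                || path.startsWith(ResourceHandler.RESOURCE_IDENTIFIER + "/");

        // getSession(false): never create a session just to check for one.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("username");
        boolean loggedIn = user != null && !"".equals(user);

        if (isPublic || loggedIn) {
            chain.doFilter(request, response);   // allowed: continue to FacesServlet
        } else {
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
        }
    }
}
```

The allowlist is matched exactly on purpose: a substring test such as `lastIndexOf("login.xhtml") > -1` treats any view id that merely contains that text as the login page.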
