I use Tomcat 7. My problem is that users who are not logged in should not see a certain page (home.xhtml in my case), but should be redirected to the login page. The behaviour is:

1. If the application has just started and nobody has tried to log in, one can directly access the restricted page.
2. If somebody logged in and logged out, and after that tried to access the mentioned home.xhtml, the browser shows the page with errors (while it should redirect to the login page):

```
An Error Occurred:

viewId:/home.xhtml - View /home.xhtml could not be restored.
- Stack Trace

javax.faces.application.ViewExpiredException: viewId:/home.xhtml - View /home.xhtml could not be restored.
    at com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:205)
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
    at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(RestoreViewPhase.java:116)
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:593)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
+ Component Tree

+ Scoped Variables

Jan 22, 2015 8:57:04 PM - Generated by Mojarra/Facelets
```

My faces-config.xml:

```xml
<?xml version='1.0' encoding='UTF-8'?>
<faces-config version="2.0"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd">
    <navigation-rule>
        <from-view-id>/login.xhtml</from-view-id>
        <navigation-case>
            <from-outcome>home</from-outcome>
            <to-view-id>/home.xhtml</to-view-id>
            <redirect>
            </redirect>
        </navigation-case>
    </navigation-rule>
</faces-config>
```

web.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>login.xhtml</welcome-file>
    </welcome-file-list>
</web-app>
```

Filter:

```java
public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) {

    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;
    // getSession(false) returns null when there is no session instead of
    // creating one, so the null check below is meaningful.
    HttpSession session = req.getSession(false);
    String reqURI = req.getRequestURI();
    // Let through: the login page, logged-in users, public pages and JSF resources.
    if (reqURI.indexOf("/login.xhtml") >= 0
            || (session != null && session.getAttribute("username") != null)
            || reqURI.indexOf("/public/") >= 0
            || reqURI.contains("javax.faces.resource")) {
        try {
            chain.doFilter(request, response);
        } catch (IOException e) {
            System.out.println("IO exc after doFilter");
        } catch (ServletException e) {
            System.out.println("Servlet exc after doFilter");
        }
    } else {
        // Everyone else is sent to the login page.
        try {
            res.sendRedirect(req.getContextPath() + "/login.xhtml");
        } catch (IOException e) {
            System.out.println("IO exc after redirect");
        }
    }
}
```

What's wrong? BTW none of my sysouts in catchers are printed, so exceptions are somewhere deep.

EDIT 1: I found the answer for the part of my question related to the exception here, but I am still confused while it shows the page it shouldn't...

Battle_Slug
  • Is this acceptable as duplicate? http://stackoverflow.com/questions/4194207/prevent-user-from-going-back-to-the-previous-secured-page-after-logout/ Here you can find a more extensive example of an access restriction filter http://stackoverflow.com/questions/14580267/authorization-redirect-on-session-expiration-does-not-work-on-submitting-a-jsf-f/ – BalusC Jan 23 '15 at 08:22
  • The problem is not in cache, I tried completely clean browser. The problem is somewhere else... – Battle_Slug Jan 23 '15 at 16:20
  • I was not talking about `ViewExpiredException` :) – BalusC Jan 23 '15 at 16:38

2 Answers

0

Have you tried checking `!session.getAttribute("username").isEmpty()`? The Strings are passed as empty strings rather than converted to Null. I would also add if contains username to see if it's present in session attributes before performing the Null and isEmpty check.

0

I solved that riddle... I just didn't populate the filter in the web.xml. I didn't know that this should be done, because this is my first test project. So the web.xml should contain in my case:

```xml
<filter>
   <filter-name>AuthFulter</filter-name>
   <filter-class>com.demshin.beans.AuthFilter</filter-class>
</filter>
<filter-mapping>
   <filter-name>AuthFulter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>
```
Battle_Slug
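An access filter for the setup discussed in this thread, written as an added example (not code from the question or either answer). It registers itself with `@WebFilter` instead of the `web.xml` entries and matches on the container-normalized servlet path; the class and package names follow the answer's `<filter-class>`, and the `Cache-Control` header is an assumption about what the application wants after logout.

```java
package com.demshin.beans; // package name taken from the answer's <filter-class>

import java.io.IOException;
import javax.faces.application.ResourceHandler;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Servlet 3.0 alternative to the <filter>/<filter-mapping> entries in web.xml.
// Use one or the other, not both, or the filter is registered twice.
@WebFilter("/*")
public class AuthFilter implements Filter {

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getSession(false): do not create a session just to look for one.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("username") != null;

        // getServletPath()/getPathInfo() are decoded and normalized by the container,
        // unlike getRequestURI(). Match by equality or prefix, not by substring, so a
        // protected path is never treated as public because of what it contains.
        String path = req.getServletPath();
        if (req.getPathInfo() != null) path += req.getPathInfo();
        boolean publicPath = path.equals("/login.xhtml")
                || path.startsWith("/public/")
                || path.startsWith(ResourceHandler.RESOURCE_IDENTIFIER + "/");

        if (loggedIn || publicPath) {
            if (!publicPath) { // keep protected pages out of the browser cache
                res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            }
            chain.doFilter(request, response); // exceptions propagate to the container
        } else {
            res.sendRedirect(req.getContextPath() + "/login.xhtml");
        }
    }
}
```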