
I have a JSF page contentEdit.xhtml which accepts a request parameter "code" to load the content for editing and other related operations. To provide access control, I created a filter ContentAccessFilter and applied it to contentEdit.xhtml to check whether the current user is authorized for the content identified by "code".

Fragment of ContentAccessFilter:

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException
        {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            HttpServletResponse httpRes = (HttpServletResponse) res;

            boolean isAuthorized = false;
            String userId = httpReq.getRemoteUser();
            String code = httpReq.getParameter("code");

            // Only consult the DAO when a code was actually supplied
            if (code != null && !code.isEmpty())
            {
                ContentDAO dao = ContentDAO.getInstance();
                isAuthorized = dao.isContentAuthorized(code, userId);
            }

            // Missing code or unauthorized user: answer 404 and stop the chain
            if (!isAuthorized)
            {
                httpRes.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }

            chain.doFilter(req, res);
        }

For the first entry to contentEdit.xhtml, the filter works properly, as the code parameter always exists on the first entry when a URL such as /contentArea.xhtml?code=cnn is called from an HTML anchor tag. However, the code parameter is lost when there are subsequent operations on contentEdit.xhtml. For example, I have buttons like these:

    <p:commandButton value="Download" action="#{contentView.downloadContent}"/>
    <p:commandButton value="Publish" action="#{contentView.publishContent}"/>

Clicking a button calls the same URL, contentEdit.xhtml, but the code parameter is not included in the request URL, so the filter fails because of the missing parameter.

Is using a Servlet Filter a proper way to achieve access control in this case? If it is, how do I include a request parameter when a commandButton is triggered?

lumion

1 Answer

Filters are a great way to implement authorization in a web app... you're on the right track.

The best way would be to use your filter but store the code parameter value in the session (javax.servlet.http.HttpSession); that way the parameter doesn't need to be passed in the query string with each request. You would set the code attribute in the session data on the first request and retrieve it whenever a new request is received.

If you must use the query string to pass the code value with each request, you'll need to use the includeViewParams parameter in the query string creation to preserve the code parameter in the generated URLs. BalusC (the JSF God) explains this better than anyone... https://stackoverflow.com/a/17745573/3858863

A-Diddy
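The session-based variant of the filter described in the answer, written out as an added example (not the asker's or answerer's code). It assumes the same ContentDAO from the question; the session attribute name is an arbitrary choice, and the DAO check is repeated on every request rather than trusting the stored code alone.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: ContentAccessFilter that remembers the authorized code in the session. */
public class ContentAccessFilter implements Filter {
    // Attribute name is an assumption; any key unique to this filter works.
    static final String SESSION_CODE = "contentAccessFilter.authorizedCode";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;
        HttpSession session = httpReq.getSession(false);

        String userId = httpReq.getRemoteUser();
        String code = httpReq.getParameter("code");

        // Postbacks from commandButtons carry no ?code=..., so fall back to the
        // code that was authorized earlier in this session.
        if ((code == null || code.isEmpty()) && session != null) {
            code = (String) session.getAttribute(SESSION_CODE);
        }

        // Re-check on every request: a different code may arrive in the query
        // string, the user's rights may have changed, or nobody may be logged in.
        boolean isAuthorized = code != null && !code.isEmpty() && userId != null
                && ContentDAO.getInstance().isContentAuthorized(code, userId);

        if (!isAuthorized) {
            // Drop any stale value so a failed check cannot be retried via the session
            if (session != null) session.removeAttribute(SESSION_CODE);
            httpRes.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Remember the code only after it has been authorized for this user
        httpReq.getSession(true).setAttribute(SESSION_CODE, code);
        chain.doFilter(req, res);
    }
}
```

Because a single session attribute is used, opening two contents in separate tabs makes the last authorized code win; store a per-content set, or key the attribute by view, if that matters for your application.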
Thanks for the help. I think the session way should be the best for my need. My form is a multi-part form, which introduces some complexity when using f:param, as I am using a servlet 2.5 container. – lumion Feb 16 '15 at 01:13