
I have a JSF2 (GlassFish 3.0) application with security constraints defined (example below). My problem is, I have a "sign up" link that should not be accessible when the user is logged in.

That is, if they try to hit "/signup.jsf" they should be able to access it if they are logged in; so if they have any roles, they should not be able to see the page.

Is there a way to do an "inverse" security constraint like that?

Any suggestions are welcome, thanks! Rob

Example constraint from my app, in case that's useful:

<security-constraint>
    <display-name>profileForm</display-name>
    <web-resource-collection>
        <web-resource-name>profileForm</web-resource-name>
        <url-pattern>/profileForm.jsf</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>GENERAL</role-name>
        <role-name>ADMIN</role-name>
        <role-name>STAFF</role-name>
        <role-name>INSTRUCTOR</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

1 Answer


Just create a Filter which does exactly that.

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns={"/signup.jsf"})
public class SignupFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // With container-managed security (as in the question's web.xml), a
        // successful login leaves a non-null principal on the request.
        boolean userIsLoggedIn = ((HttpServletRequest) request).getUserPrincipal() != null;

        if (userIsLoggedIn) {
            ((HttpServletResponse) response).sendRedirect("already_loggedin.jsf");
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Nothing to initialize.
    }

    @Override
    public void destroy() {
        // Nothing to clean up.
    }
}

There is really nothing which standard JSF offers out of the box with regard to authorization/authentication. JSF is just a component based MVC framework.

See also:

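A fuller version of the same idea, added here as an example and not taken from the answer or the asker's project: the filter treats a non-null principal as "logged in" (which, under the question's container-managed constraints, is the same as "has any role"), prefixes the context path on the redirect, and answers a JSF ajax request with a partial-response redirect instead of a 302 that the ajax client would not follow. The class name and the target page `/already_loggedin.jsf` are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example, not the answer's code: guard a page that only anonymous users may see.
@WebFilter(urlPatterns = {"/signup.jsf"})
public class AnonymousOnlyFilter implements Filter {
    // Context-relative page for users who are already authenticated (assumed name).
    private static final String LOGGED_IN_TARGET = "/already_loggedin.jsf";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // With container-managed security the principal is non-null after login,
        // which is exactly the question's "has any role" condition.
        if (request.getUserPrincipal() == null) {
            chain.doFilter(req, res); // anonymous: let the signup page render
            return;
        }

        // Prefix the context path so the redirect is correct from any request URL.
        String target = request.getContextPath() + LOGGED_IN_TARGET;
        // Keep the anonymous-only page out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");

        if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
            // A JSF ajax request does not follow a 302; it expects a partial-response redirect.
            response.setContentType("text/xml");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().printf(
                "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
              + "<partial-response><redirect url=\"%s\"></redirect></partial-response>", target);
        } else {
            response.sendRedirect(target);
        }
    }

    @Override
    public void init(FilterConfig config) throws ServletException {}

    @Override
    public void destroy() {}
}
```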
  • Hi BalusC, before I saw your answer I implemented a PhaseListener and do a ".handleNavigation(fc, null, "main?faces-redirect=true");" when trying to access "signUp" when not logged in. Works, but do you have any suggestions for why your solution might be a better way to go? Thanks! –  May 17 '11 at 18:53
  • You're not interested in hooking anywhere in the JSF lifecycle. You're rather interested in hooking on specific HTTP requests. For that a Filter is a better tool to do the job. A PhaseListener gets executed on all JSF requests and adds a lot of overhead which you don't need at all to do the job. – BalusC May 17 '11 at 18:54