
Are there any issues if I insert a check into the template file? For example, if I insert the user check into the template's xhtml file, could it be a security issue if I use this template in ALL my xhtml pages?

Something like:

<?xml version='1.0' encoding='UTF-8' ?> 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:h="http://java.sun.com/jsf/html">
    <h:head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <title><ui:insert name="title">Default Title</ui:insert></title>
        <h:outputStylesheet name="css/jsfcrud.css"/>
    </h:head>
    <h:body>
        <h:panelGroup rendered="#{userBean.cognome!=null}">
            Utente connesso:<h:outputText value="#{userBean.cognome}"/>&nbsp;<h:outputText value="#{userBean.nome}"/>
            <h1><ui:insert name="title">Default Title</ui:insert></h1>
            <p><ui:insert name="body">Default Body</ui:insert></p>
        </h:panelGroup>
    </h:body>
</html>
BalusC
Filippo1980

2 Answers

I understand that you're checking the presence of the logged-in user before displaying the content. This may be okay this way, but any user who opens the page without being logged-in will receive blank content. This is not very user friendly. You'd like to redirect a non-logged-in user to the login page.

This is normally already taken into account if you're using Java EE provided container managed authentication. But if you're homegrowing authentication, you'd need to create a servlet filter for this. If you collect all restricted pages in a common folder like /app so that you can use a common URL pattern for the filter, e.g. /app/* (and put all public pages such as the login page outside this folder), then you should be able to filter out non-logged-in users as follows, assuming that #{userBean} is a session scoped JSF @ManagedBean or some session attribute which you've put in session scope yourself:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/app/*") // Every URL under /app is restricted; public pages such as /login.xhtml live outside it.
public class LoginFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // NOOP.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // Don't create a session just to look for a user.
        // A session scoped @ManagedBean(name="userBean") is stored under the session attribute "userBean".
        UserBean user = (session != null) ? (UserBean) session.getAttribute("userBean") : null;

        if (user == null || user.getCognome() == null) {
            response.sendRedirect(request.getContextPath() + "/login.xhtml"); // No logged-in user found, so redirect to login page.
        } else {
            chain.doFilter(req, res); // Logged-in user found, so just continue request.
        }
    }

    @Override
    public void destroy() {
        // NOOP.
    }

}

BalusC
  • Thank you Balus! You win the bounty! – Filippo1980 Apr 03 '12 at 08:52
  • I must click only on "accepted" if I want to give you the bounty, right? – Filippo1980 Apr 03 '12 at 08:56
  • You're welcome. To give the bounty, I believe you have to click some other button right below the accept button (which the answerer can't see, but the asker can "see"). But you can also wait for the bounty period to be ended, the bounty will then automatically be awarded to the accepted answer, if it has at least 2 upvotes. – BalusC Apr 03 '12 at 11:30
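The filter above covers normal page requests. As an added example (editor's code, not BalusC's), the same filter extended with two things a practitioner usually needs next: JSF ajax requests, which cannot use a plain 302 to the login page (the browser follows it silently and the JSF ajax client receives login-page HTML instead of XML) and need the redirect inside the partial-response XML, and a return-to location so the user lands on the page they originally asked for after logging in. On the security point of the question itself: a rendered="#{...}" check in the template only hides markup; the view is still built and the page's bean code still runs, whereas the filter stops the request before JSF ever sees it. Assumptions: restricted pages live under /app, /login.xhtml is public, the bean is stored under the session attribute "userBean" with the getCognome() getter from the question, and the "returnTo" session attribute name is hypothetical.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the original answer's code. Redirects non-logged-in users
 * to the login page for both normal and JSF ajax requests and remembers the
 * requested page. UserBean is the question's session scoped bean.
 */
@WebFilter("/app/*")
public class AjaxAwareLoginFilter implements Filter {

    static final String LOGIN_PAGE = "/login.xhtml";       // assumed public login page
    static final String USER_ATTRIBUTE = "userBean";       // assumed session attribute of the bean
    static final String RETURN_TO_ATTRIBUTE = "returnTo";  // hypothetical attribute name

    @Override
    public void init(FilterConfig config) throws ServletException {
        // NOOP.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        UserBean user = (session != null) ? (UserBean) session.getAttribute(USER_ATTRIBUTE) : null;

        if (user != null && user.getCognome() != null) {
            chain.doFilter(req, res); // Logged-in user found, continue.
            return;
        }

        // Remember only the server-side request path, never a caller-supplied URL,
        // so the post-login redirect cannot be turned into an open redirect.
        String returnTo = request.getRequestURI()
                + (request.getQueryString() != null ? "?" + request.getQueryString() : "");
        request.getSession(true).setAttribute(RETURN_TO_ATTRIBUTE, returnTo);

        String loginUrl = request.getContextPath() + LOGIN_PAGE;

        // JSF ajax requests carry "Faces-Request: partial/ajax"; for them the
        // redirect has to be expressed in the partial-response XML.
        if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
            response.setContentType("text/xml");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().printf("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                    + "<partial-response><redirect url=\"%s\"></redirect></partial-response>", loginUrl);
        } else {
            response.sendRedirect(loginUrl); // Plain request: an ordinary 302 is fine.
        }
    }

    @Override
    public void destroy() {
        // NOOP.
    }
}
```

After a successful login, the login bean reads the "returnTo" session attribute, removes it, and redirects there (falling back to a default page when it is absent). Because the value is built from the request URI on the server, a link such as /login.xhtml?returnTo=http://evil.example cannot influence where the user is sent.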

I doubt you will have issues with security, but be sure you put the templates inside the WEB-INF folder so the templates don't have visibility from the outside. I also recommend that you use Spring Security.

IturPablo