0

We're using JSF in a very simple way. All we're doing is implementing tags that contain a little Java code.

I have implemented a "security" tag that sends a 302 redirect back to the login page whenever the user isn't logged in:

// make them log in
ctx.getExternalContext().redirect("login.xhtml");
ctx.responseComplete();

The trouble is that the redirect() method doesn't stop the rest of the page being rendered. Tags that are further down the page are getting executed. This is a problem because non-logged-in users could see things they shouldn't if they had their browser ignore redirects.

How do I get responseComplete() to do what I thought it was supposed to do?

ccleve

3 Answers

1

It's always better to implement the login-related logic in a servlet filter, like below:

  1. Implement a filter for the URL patterns that you want to secure
  2. In the filter, check if the user is logged in (maybe by just checking if Username/UserId is present in the user session)
  3. If the user is not logged in, redirect the user to an HTML-based login page.
  4. If the user is logged in, let the user access the resources.

There are a lot of ways (maybe better than this) to implement this, but this is the most basic one.

Apurv
  • Yes, better take advantage of faces-config.xml provided by JSF – Chaitanya Gudala Feb 07 '13 at 07:59
  • This is the way we did it originally. The trouble is that some paths shouldn't be secured, like /login.xhtml and /images/*. Maintaining the list was ugly. With this scheme I can just put a single tag in a header common to all secure pages. – ccleve Feb 07 '13 at 22:45
  • You can secure only your (dynamic) pages that show secured content. Securing static resources, like images, CSS, and JS, may be skipped. In the filter, you add a condition to bypass the login page. – Apurv Feb 11 '13 at 12:14
0

Maybe you could use a flag to verify if the user is logged in.
Then, you can use the rendered="#{managedBean.logged}" property in the tags you don't want to render.
This is just a workaround... can't really help too much with that amount of information you gave.

Giovani Guizzo
0

Try it!

ctx.getExternalContext().dispatch("login.xhtml");
ctx.responseComplete();
elciospy