-1

Like the title says, how do I limit users from accessing certain pages in JSF? I have two different kinds of pages that I want to limit access to. The first one is pages that need parameters to load; would it be possible to redirect if a user tries to access that page without any parameters? The second one is pages that only certain users should have access to. In my app you have the ability to create and edit competitions; however, I only want the host of the event to be able to access the edit page for that event, which at the moment anyone can access if they know the right parameters. Is there something in JSF that lets me do this?

Grebalb
    Try to do some searching first. Lots and lots of info on this on the internet: Suggestion: use existing frameworks for this. Don't start a homegrown thing. – Kukeltje Mar 21 '20 at 12:49

1 Answer

1

General page access

Have a look at `@WebFilter` and its doFilter method. Inside you can check if your user is logged in by retrieving your session scoped bean from the HttpSession.

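```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// HttpFilter is the base class that supplies the four-argument hook overridden
// below; its import is not shown in the original post.
@WebFilter(filterName = "UserAuthenticationFilter", urlPatterns =
{
    "/sites/user/account.xhtml"
}, dispatcherTypes =
{
    DispatcherType.FORWARD, DispatcherType.REQUEST, DispatcherType.ERROR
})
public class UserAuthenticationFilter extends HttpFilter
{
    @Override
    public void doProductionFilter(final HttpServletRequest request, final HttpServletResponse response, final HttpSession session, final FilterChain chain) throws IOException, ServletException
    {
        // no session or no bean in it means the visitor never logged in
        final UserBean userBean = session == null ? null : (UserBean) session.getAttribute("userBean");

        // check if logged in and redirect to login page if not
        if (userBean != null && userBean.isLoggedIn())
            chain.doFilter(request, response);
        else
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
    }
}
```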

Specific page access

Check your request param either in your `@PostConstruct` or better in your viewAction or initPreRenderView methods, since in the latter two you have access to your injected view parameters.

If the user does not have sufficient rights to access the data, redirect and/or show a faces message or do something else.

djmj
  • Thanks for answering, but there are many duplicates in SO about this. Better to vote as a duplicate then of an existing answer. – Kukeltje Mar 30 '20 at 07:34
  • Yes you are right and I saw your comment but I thought at least we should mention `@WebFilter` in the comment so the user gets a better idea what to search for. – djmj Mar 30 '20 at 12:55
  • The duplicate has a `@WebFilter` in it ;-). Check the duplicate link at the top of the question... Cheers – Kukeltje Mar 30 '20 at 15:59
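The "Specific page access" check from the answer, sketched as a view-scoped backing bean. This is an added example, not code from the answer or the asker's project. The bean name, the `Competition`, `CompetitionService` and `CurrentUser` types, the `id` parameter and `/index.xhtml` are all assumptions, and answering with a 404 is one choice for the "do something else" case.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.view.ViewScoped;
import javax.inject.Inject;
import javax.inject.Named;
// Page metadata assumed in the edit page, inside <f:metadata>:
//   <f:viewParam name="id" value="#{competitionEditBean.id}"/>
//   <f:viewAction action="#{competitionEditBean.checkAccess}"/>
@Named
@ViewScoped
public class CompetitionEditBean implements Serializable {
    // Hypothetical application types, stand-ins for the asker's own classes.
    public interface Competition extends Serializable { Long getHostId(); }
    public interface CompetitionService { Competition find(Long id); void update(Competition c); }
    public interface CurrentUser { Long getId(); } // returns null when nobody is logged in

    @Inject private CompetitionService competitions;
    @Inject private CurrentUser currentUser;
    private Long id;                 // filled from ?id=... by f:viewParam
    private Competition competition; // set only after the ownership check passes

    public void checkAccess() throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        if (id == null) { // page opened without its parameter: send the user elsewhere
            ec.redirect(ec.getRequestContextPath() + "/index.xhtml");
            return;
        }
        Competition found = competitions.find(id);
        Long me = currentUser.getId();
        // Same response for "no such event" and "not your event", so ids cannot be probed.
        if (found == null || me == null || !me.equals(found.getHostId())) {
            ec.responseSendError(404, "Not found");
            fc.responseComplete(); // stop the lifecycle so the edit form never renders
            return;
        }
        competition = found;
    }

    public String save() {
        // Work only on the entity that passed checkAccess, never on a fresh request parameter.
        if (competition == null) throw new IllegalStateException("access not verified");
        competitions.update(competition);
        return "/index.xhtml?faces-redirect=true";
    }

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public Competition getCompetition() { return competition; }
}
```

Knowing the right `id` is then no longer enough: the comparison against the logged-in user's id happens on the server for every initial request, and `save()` refuses to run unless that check has passed.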