security - Homegrown authentication filter does not show the welcome page -


so i've come accross quite numbre of questions similar mine, , starting until realised don't, in short, here's story :

in authentification bean, success of authentification should result in accessing web resources, failure should "filter" access , redirect current login page. now, in authentification bean, added line in case of success : 

facescontext.getcurrentinstance().getexternalcontext().getsessionmap().put(authentificationbean1.auth_state, "true") ;

auth_state defined in bean : 

public static final string auth_state = "";

in case of failure, following : 

facescontext.getcurrentinstance().getexternalcontext().getsessionmap().put(authentificationbean1.auth_state, null) ;

now in filter (one applied every file except of authentification page), dofilter method looks : 

public void dofilter(servletrequest request, servletresponse response,             filterchain chain)             throws ioexception, servletexception {          if (((httpservletrequest) request).getsession().getattribute(authentificationbean1.auth_state) == null) {             ((httpservletresponse) response).sendredirect("authentification.xhtml");          }           if(((httpservletrequest) request).getsession().getattribute(authentificationbean1.auth_state) != null) {             ((httpservletresponse) response).sendredirect("accueil.xhtml");         }      }

my idea if authentification went well, authentificationbean1.auth_state session attribut set not null, in filter test i'll able redirect welcom page (accueil.xhtml) ; if attribut null, we'll stay in authentification page.

tasting whole thing : filter seems work much, mean when authentification test must succeed doesn't allow me pass welcome page. working fine without filter, looks missed using filters jsf or filters it.

p.s : didn't apply chain.dofilter because not have filter call, suspecting there.

thanks indications.

edit : 

<filter>         <filter-name>restrictionfilter</filter-name>         <filter-class>beans.restrictionfilter</filter-class> </filter> <filter-mapping>         <filter-name>restrictionfilter</filter-name>         <url-pattern>/faces/accueil.xhtml</url-pattern> </filter-mapping>

your filter running in infinite loop, redirecting everytime. never continuing request servlet. seems you're misunderstood how http works. response.sendredirect() you're firing brand new http request. brand new http request invoke filter again. so, when filter matches condition in order redirect accueil.xhtml, keep redirecting page in infinite loop , never continue servlet in order process request.

further misunderstood meaning of chain.dofilter(). not explicitly advance next filter. continues request if there no filter. whether there's filter next in chain or not irrelevant. if there's no filter, end in target servlet (which facesservlet in case, who's responsible processing jsf page).

basically, flow should follows:

  • if user not logged in, then:
    • if requested page not authentification.xhtml, redirect it.
    • or if requested page authentification.xhtml, continue request.
  • or if user logged in, continue request regardless of requested page.

in other words, should it:

@override public void dofilter(servletrequest req, servletresponse res, filterchain chain) throws servletexception, ioexception {         httpservletrequest request = (httpservletrequest) req;     httpservletresponse response = (httpservletresponse) res;     httpsession session = request.getsession(false);     string loginurl = request.getcontextpath() + "/authentification.xhtml";      boolean loggedin = session != null && session.getattribute(authentificationbean1.auth_state) != null;     boolean loginrequest = request.getrequesturi().startswith(loginurl);     boolean resourcerequest = request.getrequesturi().startswith(request.getcontextpath() + resourcehandler.resource_identifier);      if (loggedin || loginrequest || resourcerequest)) {         chain.dofilter(request, response);     } else {         response.sendredirect(loginurl);     } }

note added check on jsf resources (the css/js/image files included via <h:outputstylesheet|outputscript|graphicimage>), otherwise blocked when login page presented. note filter can mapped on /* , not on single page.


Comments

Post a Comment

Popular posts from this blog

.htaccess - First slash is removed after domain when entering a webpage in the browser -

sometimes when hit address of webpage in browser, removes first slash after domain. examples: www.mywebsite.com/scripts/script_6.php -> trying load www.mywebsite.comscripts/script_6.php www.mywebsite.com/test.php -> trying load www.mywebsite.comtest.php after entering again, loads page. a .htaccess settings must wrong: rewritebase / errordocument 404 http://www.mywebsite.com/oops.php errordocument 401 /notallowed.php rewriteengine on # turn on rewriting engine #gzip <ifmodule mod_deflate.c> addoutputfilterbytype deflate text/text text/html text/plain text/xml text/css application/x- javascript application/javascript </ifmodule> #end gzip rewritecond %{http_host} ^mywebsite\.com rewriterule ^(.*)$ http://www.mywebsite.com$1 [r=permanent,l] directoryindex index6.php rewriterule ^termsofuse/?$ termsofuse.php [nc,l] # handle requests "adpolicy" rewriterule ^privacy-policy/?$ privacy-policy.php [nc,l] # handle requ...
Read more

Automatically create pages in phpfox -

i have array of information of places , wanna use them create multiple pages in phpfox site. first tried manually insert data in phpfox database (in tables of phpfox_pages , phpfox_pages_text ). the page shown in site when opening it's link, site says: the page looking cannot found. do know other tables should manipulate make work? or know plugin phpfox same? thanks, solved ( @purefan guide): "pages" has user if take @ phpfox_user table, you'll found out how fetch new records on that. there 2 ambiguous fields in table ( password & password_salt ). can use script create values fields: <?php function generaterandomstring() { $length = 164; $characters = '-_0123456789abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz'; $randomstring = ''; ($i = 0; $i < $length; $i++) { $randomstring .= $characters[rand(0, strlen($characters) - 1)]; } return $randomstring; } $ssalt = '';...
Read more

c# - Farseer ContactListener is not working -

i'm using farseer in xna project, have trouble contactlistener. created class contactlistener these 2 error messages , don't know how fix problems. the type or namespace name 'contactlistener' not found (are missing using directive or assembly reference?) the type or namespace name 'contactimpulse' not found (are missing using directive or assembly reference?) what wrong contactlistener class? class mycontactlistener: contactlistener { void begincontact(contact contact) { /* handle begin event */ } void endcontact(contact contact) { /* handle end event */ } void presolve(contact contact, ref manifold oldmanifold) { fixture fixturea = contact.fixturea; fixture fixtureb = contact.fixtureb; if (fixtureb.collisioncategories == category.cat10) { contact.enabled = false; } } void postsolve(contact contact, ref contactimpulse impulse) { /* handle post-solve event */ } }...
Read more