FAQ
I want to control access to the pages within my application to prevent
bookmarking or linking to pages within the application. I intended to do this
using the servlet specification security constraint:

<security-constraint>
    <display-name>sensitive</display-name>
    <web-resource-collection>
        <web-resource-name>submittal</web-resource-name>
        <url-pattern>/faces/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>sensitive</role-name>
    </auth-constraint>
</security-constraint>

No one is in the "sensitive" role, therefore no one can get to these pages.
I could then define an error page that would do nothing but redirect to the
application start page.

Another security constraint allows authorized users in through the front door.

<security-constraint>
    <display-name>default</display-name>
    <web-resource-collection>
        <web-resource-name>submittal</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

This way a login would be required (BASIC) on the application start page and
the user could not get to any of the other pages without having first been
to the application start page.

The problem: It seems to work for some navigation elements but not for
others. Some of the navigation links correctly allow the user to go to the
page while others do not. I suspect it has something to do with the way the
request is executed (redirect, forward, etc.).

Any ideas on how to set up my navigation rules and components so that they
will always forward?

-Mark


  • Martin Marinschek at Jun 16, 2005 at 5:25 pm
    AFAIK, a forward should be the standard.

    You would have to embed a "<redirect/>" in your Navigation-rules to
    have a redirect executed.

    Your problem might be that with a forward, you might render a very
    different page than the request goes to - and as the security
    constraints do not know about this, they don't restrict the access to
    these pages.

    In this case, you would have to do a redirect whenever you cross
    boundaries of what a user is allowed to do or not to do, use the
    MyFaces enabledOnUserRole construct for all restricted links or
    decorate the view and/or navigationhandler to properly restrict access
    to all pages.

    regards,

    Martin
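As an added example of the last option Martin lists, decorating the NavigationHandler, here is a JSF 1.1 decorator that re-checks the user's role after a navigation rule has been resolved. It is not Martin's code and not part of MyFaces; the class name, the view-prefix-to-role map and the `/denied.jsp` view are assumptions for illustration. The point it demonstrates is the one Martin makes: a forward does not pass through the web.xml security constraints, so the check has to happen in the application itself.

```java
// Added example (not from the thread or from MyFaces): a decorating
// NavigationHandler that checks roles for the view a forward lands on.
// Register it in faces-config.xml (name is hypothetical):
//   <application>
//     <navigation-handler>example.RoleCheckingNavigationHandler</navigation-handler>
//   </application>
// JSF passes the previously configured handler to the constructor, so the
// default rule resolution is kept and only the access check is added.
package example;

import java.util.HashMap;
import java.util.Map;

import javax.faces.application.NavigationHandler;
import javax.faces.application.ViewHandler;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;

public class RoleCheckingNavigationHandler extends NavigationHandler {

    /** View-id prefix -> role required to render views under it (constructed sample). */
    private static final Map<String, String> REQUIRED_ROLES = new HashMap<String, String>();
    static {
        REQUIRED_ROLES.put("/pages/admin/", "admin");
        REQUIRED_ROLES.put("/pages/", "user");
    }

    /** View shown instead of a page the user may not see (assumed to exist). */
    private static final String DENIED_VIEW = "/denied.jsp";

    private final NavigationHandler delegate;

    public RoleCheckingNavigationHandler(NavigationHandler delegate) {
        this.delegate = delegate;
    }

    public void handleNavigation(FacesContext ctx, String fromAction, String outcome) {
        // Let the default handler resolve the navigation rule. If the rule
        // carries <redirect/>, it sends the redirect and completes the response;
        // the browser's next request is then checked by the container.
        delegate.handleNavigation(ctx, fromAction, outcome);
        if (ctx.getResponseComplete()) {
            return;
        }
        // Forward case: the view root now points at the target page and no
        // security constraint will look at it, so check it here.
        String viewId = ctx.getViewRoot().getViewId();
        String role = requiredRole(viewId);
        if (role != null && !ctx.getExternalContext().isUserInRole(role)) {
            ViewHandler vh = ctx.getApplication().getViewHandler();
            UIViewRoot denied = vh.createView(ctx, DENIED_VIEW);
            ctx.setViewRoot(denied);
        }
    }

    /** Longest-prefix match, so /pages/admin/ wins over /pages/. */
    static String requiredRole(String viewId) {
        String best = null;
        String bestPrefix = "";
        for (Map.Entry<String, String> e : REQUIRED_ROLES.entrySet()) {
            String prefix = e.getKey();
            if (viewId.startsWith(prefix) && prefix.length() > bestPrefix.length()) {
                bestPrefix = prefix;
                best = e.getValue();
            }
        }
        return best;
    }
}
```

The decorator deliberately checks the view id after delegation rather than the outcome string, because the outcome is only the rule's input; the view id is what will actually be rendered. A postback to the current page never goes through `handleNavigation` with a new view, so a direct request is still governed by the container's constraints, which is the part of the original scheme that did work.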
  • Mfaine at Jun 16, 2005 at 6:12 pm

    You are correct and all of my navigation rules are set to forward. The
    problem I am having is that pages are being restricted to users. According
    to the security constraint the pages should be restricted to any direct
    browser requests but internally dispatched requests (forwarded by a
    controller, like the NavigationHandler) should still be able to access the
    pages. It seems that sometimes this works and sometimes it doesn't.

    I will take a look at the NavigationHandler code and see if I can figure out
    how the navigation is done.

    Thanks,
    -Mark
  • Mfaine at Jun 16, 2005 at 8:01 pm

    I have discovered that the problem I am having is caused by postbacks to the
    same JSP and all other navigation seems to be working correctly. I'll
    probably have to come up with some other method of protecting the pages as
    there are far too many postbacks in my app (or any typical JSF app).
    Perhaps a filter or some simple javascript.

    Thanks,
    -Mark
  • Jon Harley at Jun 17, 2005 at 11:15 am

    mfaine@knology.net 06/16/05 09:00PM wrote (10 times!):
    > I have discovered that the problem I am having is caused by postbacks to the
    > same JSP and all other navigation seems to be working correctly. I'll
    > probably have to come up with some other method of protecting the pages as
    > there are far too many postbacks in my app (or any typical JSF app).
    > Perhaps a filter or some simple javascript.
    It is trivial to write a filter to prevent people bookmarking/hyperlinking into
    pages in your application - the filter just needs to call session.isNew(), and
    if it is a new session, send a redirect to the front page instead of
    continuing down the filter chain. The front page should also invalidate
    the session to ensure access continues to be denied except through
    the route you want.

    Relying on javascript being enabled on the client does not sound
    like a good basis for security!

    Jon

    _________________________________________________________________
    Dr JW Harley Senior Technologist
    E-lab, IT Services Department, University of Warwick, Coventry UK
    <J.W.Harley@warwick.ac.uk> www.warwick.ac.uk/staff/J.W.Harley/
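The filter Jon describes, written out as an added example (it is not his code). It assumes the Servlet 2.4 API, a hypothetical class name, and that the application's front page is `/index.jsp`; the web.xml mapping in the header comment is likewise an assumption. It implements both halves of his suggestion: inner pages bounce a request that has no established session to the front page, and the front page invalidates any existing session so that only the intended route leads in.

```java
// Added example (not Jon's code): an entry-point filter based on
// session.isNew(). Suggested web.xml mapping (hypothetical names):
//   <filter>
//     <filter-name>entry</filter-name>
//     <filter-class>example.EntryPointFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>entry</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
// With no <dispatcher> element the filter runs only for client requests, not
// for RequestDispatcher forwards, which is exactly what is wanted here.
package example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class EntryPointFilter implements Filter {

    /** The one page users are meant to enter through (assumed path). */
    private static final String FRONT_PAGE = "/index.jsp";

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root; under a /faces/* mapping the
        // servlet path is "/faces" and the page is in the path info.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (FRONT_PAGE.equals(path)) {
            // Front door: discard any old session and start a fresh one, so a
            // stale session cannot be used to walk straight into inner pages.
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            request.getSession(true);
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) inspects without creating. A missing session, or
        // one created by this very request, means the user did not come in
        // through the front page (bookmark, typed URL or external link).
        HttpSession session = request.getSession(false);
        if (session == null || session.isNew()) {
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + FRONT_PAGE));
            return;
        }

        chain.doFilter(req, res);
    }
}
```

This sidesteps the postback problem Mark ran into: a postback is a direct browser request, so it is seen by the filter, but it carries the session established on the front page and passes. Note what the filter does and does not decide: it enforces the navigation route, not who the user is. Authentication and role checks stay with the container's `<security-constraint>` (or an in-application check), and the filter sits in front of them rather than replacing them.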

Discussion Overview
group: users@
categories: myfaces
posted: Jun 16, '05 at 4:14p
active: Jun 17, '05 at 11:15a
posts: 5
users: 3
website: myfaces.apache.org