Question

I am using OmniFaces in my web application and currently use HttpFilter to authorize the login.

Here is my filter class

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.omnifaces.filter.HttpFilter;

@WebFilter("/backend/*")
public class AuthorizationFilter extends HttpFilter {

    @Override
    public void doFilter(HttpServletRequest request, HttpServletResponse response,
            HttpSession session, FilterChain chain) throws ServletException, IOException {
        // OmniFaces passes the session obtained with getSession(false), so it may be null
        if (session != null && session.getAttribute("userManagedBean") != null) {
            chain.doFilter(request, response);
        } else {
            response.sendRedirect(request.getContextPath() + "/frontend/login.xhtml?faces-redirect=true");
        }
    }
}

The application is still running without any issues, and I can also access /backend/*.xhtml without logging in.

There is no error log, nothing.

Does anyone have any idea about this strange trouble?

EDIT

Here is the UserManagedBean class:

import java.io.IOException;
import java.io.Serializable;
import java.sql.CallableStatement;
import java.sql.SQLException;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.ManagedProperty;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.ActionEvent;
import javax.servlet.http.HttpSession;

@ManagedBean
@SessionScoped
public class UserManagedBean extends TblStaff implements Serializable {

    private TblStaff staff = null;
    private String currentLogin;
    private String username;
    private String password;
    private boolean loggedIn;
    private ExternalContext ec;

    @ManagedProperty(value="#{navigationBean}")
    private NavigationBean navigationBean;

    public UserManagedBean() {
        super();
    }

    public String login() {
        int isValid = doLogin();

        if (isValid == 1) {
            StaffBLL staffBLL = new StaffBLL();
            staff = staffBLL.getStaffByUsername(username);
            String destinationUrl = null;

            // loggedIn is only set here, after the stored procedure accepted the credentials
            if (staff.getRoleId() == 1) {
                loggedIn = true;
                setCurrentLogin("admin");
                destinationUrl = navigationBean.redirectToBackend();
            } else if (staff.getRoleId() == 2) {
                loggedIn = true;
                setCurrentLogin("manager");
                destinationUrl = navigationBean.redirectToManager();
            } else if (staff.getRoleId() == 3) {
                loggedIn = true;
                setCurrentLogin("faculty");
                destinationUrl = navigationBean.redirectToFaculty();
            }

            return destinationUrl;
        } else {
            return navigationBean.toLogin();
        }
    }

    public static void setSession(String key, Object value) {
        HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(true);
        session.setAttribute(key, value);
    }

    public static Object getSession(String key) {
        HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(true);
        return session.getAttribute(key);
    }

    public String logout() {
        loggedIn = false;

        ec = FacesContext.getCurrentInstance().getExternalContext();
        ec.invalidateSession();

        setCurrentLogin(null);

        return navigationBean.toFrontend();
    }

    public void logoutAdmin(ActionEvent actionEvent) throws IOException {
        loggedIn = false;

        ec = FacesContext.getCurrentInstance().getExternalContext();
        ec.invalidateSession();

        setCurrentLogin(null);

        ec.redirect(ec.getRequestContextPath() + "/frontend/index.xhtml?faces-redirect=true");
    }

    public int doLogin() {
        CallableStatement objCall;
        SHAConverter hash = new SHAConverter();
        int result = -1;
        String[] params = new String[3];
        params[0] = username;
        params[1] = hash.hashBasic(password); // the stored procedure compares the hashed password
        params[2] = null;

        try {
            objCall = SQLHelper.execute("procLogin", params);
            result = objCall.getInt("Result"); // 1 means the credentials were accepted
        } catch (SQLException ex) {
            System.out.println("Error: " + ex.getMessage());
        }

        return result;
    }

    // Accessors used by the methods above, by the login form and by the filter.
    public boolean isLoggedIn() {
        return loggedIn;
    }

    public String getCurrentLogin() {
        return currentLogin;
    }

    public void setCurrentLogin(String currentLogin) {
        this.currentLogin = currentLogin;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    // Required for the @ManagedProperty injection of navigationBean.
    public void setNavigationBean(NavigationBean navigationBean) {
        this.navigationBean = navigationBean;
    }
}

Solution

You've declared the UserManagedBean class as a session scoped JSF managed bean. So JSF will autocreate it and put it in the session on the very first occurrence of #{userManagedBean} in any page. This means that the session.getAttribute("userManagedBean") is never null once that happens, even though the user hasn't logged in yet.

Instead, you want to check its loggedIn property.

UserManagedBean bean = session != null ? (UserManagedBean) session.getAttribute("userManagedBean") : null;

if (bean != null && bean.isLoggedIn()) {
    chain.doFilter(request, response);
}

// ...

Note that the concrete problem has nothing to do with OmniFaces. You'd still face exactly the same problem when not using OmniFaces.
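The corrected filter as a complete class, written here as an added example rather than code from the question or from OmniFaces. It assumes the `javax.servlet` namespace and `org.omnifaces.filter.HttpFilter` (whose `doFilter` receives the session obtained with `getSession(false)`, so it can be null), the managed bean name `userManagedBean` from the question, and an `isLoggedIn()` accessor on `UserManagedBean` as the answer suggests. The authorization decision is isolated in a static helper so the distinction the answer makes, bean present versus user actually authenticated, is visible in one place.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.omnifaces.filter.HttpFilter;

// Added example, not the asker's or OmniFaces' own code.
@WebFilter("/backend/*")
public class AuthorizationFilter extends HttpFilter {

    // Assumed from the question's redirect target.
    private static final String LOGIN_PAGE = "/frontend/login.xhtml";
    // Assumed: JSF stores a session-scoped managed bean under its bean name.
    private static final String USER_BEAN_NAME = "userManagedBean";

    @Override
    public void doFilter(HttpServletRequest request, HttpServletResponse response,
            HttpSession session, FilterChain chain) throws ServletException, IOException {

        if (isAuthenticated(session)) {
            chain.doFilter(request, response);
        } else {
            // Plain servlet redirect; faces-redirect=true only has meaning in a JSF
            // navigation outcome, so it is not appended here.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }

    /**
     * Why the original check was bypassable: JSF creates a session-scoped managed
     * bean the first time #{userManagedBean} is evaluated in any page (the login
     * page included), so session.getAttribute("userManagedBean") != null only
     * proves that some page referenced the bean. The loggedIn flag is set by
     * login() after the credential check succeeded, and is cleared (along with
     * the whole session) on logout, so it is the state the filter must consult.
     */
    static boolean isAuthenticated(HttpSession session) {
        if (session == null) {
            return false;
        }
        Object attribute = session.getAttribute(USER_BEAN_NAME);
        if (!(attribute instanceof UserManagedBean)) {
            // Missing or unexpected type: treat as not logged in rather than casting blindly.
            return false;
        }
        return ((UserManagedBean) attribute).isLoggedIn();
    }
}
```

A quick way to confirm the fix in a running application is to open the login page (which references `#{userManagedBean}`), then request a `/backend/*.xhtml` URL directly without submitting credentials: with the original existence check the page is served, with the `isLoggedIn()` check the request is redirected to the login page.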

Licensed under: CC-BY-SA with attribution