Redirecting to two different welcome-pages depending on the users role in Java EE 6/Glassfish

Question

I have implemented FORM based authetication with Glassfish 3.1 + JDBCRealm + MySQL (MD5). I've got only two roles, user and admin. Everything is going great, I can see from the log that authentication is working in both cases as an uset and as an admin (Watch log below)

Q1: Is it possible to make two different index-files so that when user is admin, he/she goes to /admin/index.xhtml and when user is in role user he goes direct to faces/user/index.xhtml?

Q2: Now when I logged in as an user, I can still go to "admin side" with just writting the whole link straight to address field in a browser, why ja how to avoid that?

Q3: When I logged in as a user and I have ONLY faces/admin/index.xhtml in welcome file list, it redirects me to that file even if xml file tells something else, why?

<welcome-file-list>
        <welcome-file>faces/admin/index.xhtml</welcome-file> *?? ----> it goes always here, cause it is the first one I think?*
       <welcome-file>faces/user/index.xhtml</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <display-name>Admin Pages</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Admin Area</web-resource-name>
            <description/>
            <url-pattern>/faces/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>User Pages</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Users Area</web-resource-name>
            <description/>
            <url-pattern>/faces/users/*</url-pattern>
            <!--url-pattern>/faces/users/index.xhtml</url-pattern-->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>JDBCRealm</realm-name>
        <form-login-config>
            <form-login-page>/faces/loginForm.xhtml</form-login-page>
            <form-error-page>/faces/loginError.xhtml</form-error-page>
        </form-login-config>

    </login-config>
</web-app>

LOG:

FINE: Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
FINEST: JDBC login succeeded for: admin groups:[admin, user]
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : admin
FINE: Set security context as user: admin
FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = jdbcrealm/jdbcrealm
FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission  GET)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: jdbcrealm/jdbcrealm
FINE: [Web-Security] Codesource with Web URL: file:/jdbcrealm/jdbcrealm
FINE: [Web-Security] Checking Web Permission with Principals : null

(Edit after myfear's answer) -----In glassfish-web.xml I have roles like that. If I understood it correctly it means that admin belongs to groups: admin, customer and user. Customer belongs to groups: customer and user and User belongs to group user. Did I understand it correctly?

    <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>admin</group-name>
    <group-name>customer</group-name>
    <group-name>user</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>customer</role-name>
    <group-name>customer</group-name>
    <group-name>user</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>user</role-name>
    <group-name>user</group-name>
  </security-role-mapping>

</glassfish-web-app>

Thank you! Sami

Answer 1

A1) Welcome files aren't related to roles. If you need to do any kind of logic for dispatching users, you need to think about using boolean HttpServletRequest.isUserInRole(String role) or something similar to find out in which role the user is in.

A2) That shouldn't happen. You need to check the roles you have in your JDBCRealm. To what I see here, everything is configured the right way.

A3) I am not sure if I understand your remark "XML" file the right way. But welcome-files aren't bound to roles and .. see A1)

Thanks, M

Answer 2

For your question 1: use the filter from where you can redirect the user to the specific page either userlogin.xhtml or adminlogin.xhtml

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    String userName = SecurityAssociation.getPrincipal().getName();
    String userNameSubject = SecurityAssociation.getSubject().toString();

    System.out.println("Yeeey! Get me here and find me in the database: " + userName+ " Subject : "+userNameSubject);

    filterChain.doFilter(servletRequest, servletResponse);
}