Question

We use an access manager in our company. The access manager authenticates the user and sends us information about the user in an HTTP header. In my JSF application, I need the username when the session begins, and with this username I determine the user's role from my database and hide some components on the page. When must I read the username info, and with which mechanism: SessionListener, PhaseListener?

So far:

I created a session scoped managed bean UserData, and I try to set this managed bean in the phase listener's afterPhase:

@Override
public void beforePhase(PhaseEvent event) {
    // nothing to do before the phase
}

@Override
public void afterPhase(PhaseEvent event) {
    // Unwrap the servlet request from the JSF external context.
    HttpServletRequest request = (HttpServletRequest) FacesContext
            .getCurrentInstance().getExternalContext().getRequest();

    // LOGINNAME is the header set by the access manager; copy it into the session scoped bean.
    accessManagerUser.setUserName(request.getHeader("LOGINNAME"));
}

But in this scenario, whenever a request is made to the page, this function runs. I want a function that runs once, before everything else, and sets the username of the session scoped managed bean.

I am trying to achieve this:

  1. Read the userName from the header when the request comes in.
  2. Query the database with this username and get the user's roles.
  3. Store these roles in a session scoped managed bean.
  4. Use these roles until the session ends.

Solution

Just add an if check which checks if the roles are already stored in the session.

if (roles are not stored in session) {
    read from header;
    get user+roles from database;
    store roles in session;
}

Unrelated to the concrete problem, a phase listener is the wrong tool for the job of HTTP request authentication. Consider a servlet filter instead. Therein you can just access the HTTP request and session without the need to extract them from the depths of the JSF API. Note that session scoped JSF managed beans are basically stored as an attribute of the HttpSession.

By the way, unless you're using a restrictive (intranet) proxy, are you well aware that the enduser has full control over what s/he can send via request headers?
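The servlet filter approach from the answer, written out as an added example (not code from the original question or answer). It resolves roles only when the session does not yet hold them, and it refuses requests that arrive without the access manager's LOGINNAME header; the UserRoleDao interface and its registration as a servlet context attribute are assumptions standing in for the application's own database code.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Runs on every request before the JSF lifecycle; the database lookup happens once per session.
@WebFilter("/*")
public class RoleResolvingFilter implements Filter {
    static final String USER_ATTR = "userName";   // session attribute: authenticated user
    static final String ROLES_ATTR = "userRoles"; // session attribute: roles from the database

    // Hypothetical lookup; the application's own database code would implement this.
    public interface UserRoleDao { Set<String> findRolesByUserName(String userName); }
    private UserRoleDao userRoleDao;
    @Override
    public void init(FilterConfig config) {
        // Assumed wiring: the application registers its DAO as a servlet context attribute.
        userRoleDao = (UserRoleDao) config.getServletContext().getAttribute("userRoleDao");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession();
        if (session.getAttribute(ROLES_ATTR) == null) {
            // LOGINNAME is set by the access manager in front of the application. It is only
            // trustworthy if that proxy strips any LOGINNAME header the client sends itself.
            String userName = request.getHeader("LOGINNAME");
            if (userName == null || userName.isEmpty()) {
                // No authenticated identity: refuse instead of resolving roles for nobody.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            session.setAttribute(USER_ATTR, userName);
            session.setAttribute(ROLES_ATTR, userRoleDao.findRolesByUserName(userName));
        }
        chain.doFilter(req, res);
    }
    @Override public void destroy() {}
}
```

A session scoped managed bean can then read the roles via ExternalContext.getSessionMap().get("userRoles") rather than touching the request headers again.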

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow