JSF 2: my application's issue with the browser back button

I created a simple app where only logged-in users are able to view the pages. So:
1st, I implemented a filter that checks, on every page, whether the login session is alive before continuing; otherwise the request is redirected to the login page.
2nd, to prevent users from using the back button to get to the previous page without logging in, I implemented a phase listener that sets the response header Pragma: no-cache.
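The two pieces above, a servlet filter guarding the secured pages and a PhaseListener that adds the no-cache headers, as an added example (not the blog's own code). It assumes the login stores the user under the session attribute "user", that the login page is /login.xhtml, and that the filter is mapped in web.xml to the secured URL pattern; the two classes go in separate files. It also adds Cache-Control and Expires alongside Pragma, since Pragma alone is only honoured by HTTP/1.0 caches:

```java
// LoginFilter.java: mapped in web.xml, e.g. <url-pattern>/secured/*</url-pattern> (assumed).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {
    // Session attribute set at login; the name "user" is an assumption of this example.
    static final String USER_ATTR = "user";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): never create a session just to check an unauthenticated request
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (loggedIn) {
            chain.doFilter(req, res);
        } else {
            // A redirect (not a forward), so the browser's URL bar really shows the login page
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
        }
    }
}

// NoCachePhaseListener.java: registered in faces-config.xml under
// <lifecycle><phase-listener>NoCachePhaseListener</phase-listener></lifecycle>.
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletResponse;

public class NoCachePhaseListener implements PhaseListener {
    public PhaseId getPhaseId() { return PhaseId.RENDER_RESPONSE; }

    // Runs before the response is rendered, so the headers are set before any body is written
    public void beforePhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        Object raw = ctx.getExternalContext().getResponse();
        if (!(raw instanceof HttpServletResponse)) return; // e.g. a portlet container
        HttpServletResponse response = (HttpServletResponse) raw;
        // "no-store" is what keeps the page out of the browser's history cache;
        // Pragma covers HTTP/1.0 caches and Expires covers intermediaries that honour neither.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
    }

    public void afterPhase(PhaseEvent event) {}
}
```

The filter only decides whether a request may proceed; whether the browser can show a stale copy of a secured page without sending a request at all is decided by the cache headers, which is why both halves are needed.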

But then I found a security flaw when testing my app with the Firefox 3.0+ browser. At first it worked as expected, and pages couldn't be accessed with the back button, but after 5 tries of clicking the back button, surprisingly I was able to go back to the previous page and call the action method! When I debugged it, the request did go through the filter check, but the login session was alive again, even though it had been null before and had been invalidated with session.invalidate() at logout.

My guess was that it has something to do with the default JSF 2 behavior, where the URL in the address bar is not updated even though the server forwarded to the navigation target, since my filter depends on the page URL to check the login session. So I added the faces-redirect=true parameter at the end of the navigation outcome, and it solved the problem.

But another problem came up. My request-scoped bean didn't work, since adding faces-redirect=true makes the browser call the server twice, and request scope only survives one call. To solve this I used flash scope, which survives the two calls of a complete redirect, with the URL updated in the address bar.
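A login/logout managed bean that ties this together, as an added example (not the blog's own code): it invalidates the session at logout, returns outcomes with faces-redirect=true, and carries a message across the redirect in the flash instead of in a request-scoped field. The credential check UserStore.verify(...), the page names and the "user" session attribute are assumptions of this example:

```java
// LoginBean.java: JSF 2 request-scoped managed bean for login/logout (added example).
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.context.Flash;
import javax.servlet.http.HttpSession;

@ManagedBean
@RequestScoped
public class LoginBean {
    private String username;
    private String password;

    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }

    public String login() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        Flash flash = ec.getFlash();
        // UserStore.verify(...) is an assumed credential check against the app's realm
        if (!UserStore.verify(username, password)) {
            // Flash survives the redirect; a request-scoped message would be lost on the second call
            flash.put("message", "Invalid username or password");
            return "/login?faces-redirect=true";
        }
        // Replace any pre-login session so the authenticated session has a fresh id
        HttpSession old = (HttpSession) ec.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = (HttpSession) ec.getSession(true);
        session.setAttribute("user", username);   // attribute name shared with the login filter
        flash.put("message", "Welcome, " + username);
        // Redirect so the URL bar shows the secured page and the filter sees it on the next request
        return "/secured/home?faces-redirect=true";
    }

    public String logout() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        ec.invalidateSession();   // same effect as HttpSession.invalidate()
        return "/login?faces-redirect=true";
    }
}
```

On the target page the message is read with the implicit flash object, for example <h:outputText value="#{flash.message}"/>; because the value is put into the flash during the POST and read during the GET that follows the redirect, it survives exactly the two calls the post describes and is then discarded.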

Reference:
http://www.jsfsummit.com/blog/max_katz/2010/07/learning_jsf2_using_flash_scope

2 comments:

  1. To have a secure login system regardless of the browser back button and almost all other tricks, it is best to use the container's built-in security (e.g. FORM-based authentication). Instead of HttpServletRequest.login(name,password), just declare web.xml correctly and map app roles to server groups. The rest is done by the container, and the user never gets to a secured page without being authenticated by the container (not by the application).
     faces-redirect=true should be attached to all URLs that redirect to secured pages.

    1. Thanks for your comment. I agree that it's better to use container-managed authentication than bean authentication or a servlet filter with HttpSession. It's also easier to support other authentication realms such as LDAP when using the container, because it's already built in.
