JSF Filter not redirecting After Initial Redirect [closed]

Question

I am trying to setup a webfilter and need some help. My filter works fine on the initial login but when the session has timed out, and I click on any link, it fires my redirect statement but the webpage in the browser never gets redirected. Can anyone assist with this issue? Much appreciated.

Filter

/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package src;

import java.io.IOException;
import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 *
 * @author Bernard
 */
@WebFilter(filterName = "LoginFilter", urlPatterns = {"/*"})
public class LoginFilter implements Filter {

    //FilterConfig fc;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        //fc = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();
        Boolean authenticated = (Boolean) session.getAttribute("authenticated");

        if (authenticated == null) {
            authenticated = false;
        }
        if (!authenticated && !pageRequested.contains("login")) {     
            res.setStatus(301);
            res.sendRedirect(req.getContextPath() + "/login/login.xhtml");                        
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        //fc = null;
    }
}

Faces-config.xml

<?xml version='1.0' encoding='UTF-8'?>

<!-- =========== FULL CONFIGURATION FILE ================================== -->

<faces-config version="2.1"
              xmlns="http://java.sun.com/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_1.xsd">

    <navigation-rule>
        <from-view-id>/*</from-view-id>

        <navigation-case>
            <from-outcome>success</from-outcome>
            <to-view-id>/index.xhtml</to-view-id>
            <redirect/>
        </navigation-case>

        <navigation-case>
            <from-outcome>failure</from-outcome>
            <to-view-id>/login/login.xhtml</to-view-id>
            <redirect/>
        </navigation-case>
    </navigation-rule>
</faces-config>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <servlet>
        <servlet-name>FacesServlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>FacesServlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>/index.xhtml</welcome-file>
    </welcome-file-list>
    <filter>
        <filter-name>restrict</filter-name>
        <filter-class>src.LoginFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>restrict</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>  
</web-app>

Authenticate Bean

/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package src;

import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 *
 * @author Bernard
 */
@ManagedBean
@SessionScoped
public class Authenticator {

    private String username;
    private String password;

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String authenticateUser(ServletRequest request) {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(30);
        Boolean authenticated = (Boolean) session.getAttribute("authenticated");

        Database pgDatabase = new Database();
        Admin foundAdmin = null;
        try {
            foundAdmin = (Admin) pgDatabase.findAdminByUsername(username);
        } catch (ClassNotFoundException ex) {
            Logger.getLogger(Authenticator.class.getName()).log(Level.SEVERE, null, ex);
        }

        Admin currentAdmin = new Admin();
        currentAdmin.userName = username;
        currentAdmin.password = this.hashPassword((password));
        if (authenticated != null && authenticated != true) {
            if (foundAdmin != null) {
                if (currentAdmin.equals(foundAdmin)) {
                    authenticated = true;
                    session.setAttribute("authenticated", true);
                    return "success";
                } else {
                    authenticated = false;
                    session.setAttribute("authenticated", false);
                    return "failure";
                }
            } else {
                authenticated = false;
                session.setAttribute("authenticated", false);
                return "failure";
            }
        } else {
            session.setAttribute("authenticated", true);
            authenticated = true;
            return "success";
        }
    }

    public String logOut() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext extCtx = ctx.getExternalContext();
        Map<String, Object> sessionMap = extCtx.getSessionMap();
        sessionMap.put("authenticated", false);
        return "failure";
    }

    public String hashPassword(String passwordToHash) {
        String hashword = null;
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            md5.update(password.getBytes());
            BigInteger hash = new BigInteger(1, md5.digest());
            hashword = hash.toString(16);
        } catch (NoSuchAlgorithmException nsae) {
        }
        return hashword;
    }
}

Answer 1

Your filter looks fine (apart from the very weak url.contains("login") test and the in 2 ways incorrect attempt to set the response status to 301 and the a bit poor way of checking a logged-in user).

I think that your concrete problem is caused that you're performing navigaiton by ajax links instead of normal links. You can't send a redirect on an ajax response this way. Neither the JSF ajax engine nor the webbrowser follows 302 redirects on JSF ajax responses. The client ends up with an ajax response which is totally ignored.

Instead, you should be sending a special XML response which instructs the JSF ajax engine to send a redirect. It's exactly that XML response as is been sent when inside the JSF context the ExternalContext#redirect() is been used during an ajax request.

<?xml version="1.0" encoding="UTF-8"?>
<partial-response>
    <redirect url="/contextpath/login/login.xhtml"></redirect>
</partial-response>

Inside the servlet filter, you should thus first check if the request concerns a JSF ajax request and if so, then return the above XML response, otherwise just invoke HttpServletResponse#sendRedirect() the usual way. You can do that by checking if the Faces-Request request header is present and equals to partial/ajax.

if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
    // It's a JSF ajax request.
}

So, all with all, your doFilter() should look now like this:

String loginURL = req.getContextPath() + "/login/login.xhtml";

if (!authenticated && !req.getRequestURI().equals(loginURL)) {
    if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
        res.setContentType("text/xml");
        res.getWriter()
            .append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
            .printf("<partial-response><redirect url=\"%s\"></redirect></partial-response>", loginURL);
    } else {
        res.sendRedirect(loginURL);
    }
} else {
    chain.doFilter(request, response);
}