Restricting users from accessing pages by directly changing the URL in JSF

Question

I have two kinds of users in my application - clients and sellers. I am using a PhaseListener in JSF to prevent users from accessing pages without logging in, but after they are logged in I dont know how to prevent the user from change the URL in the location bar and accessing pages that he is not allowed too. E.g, preventing clients from accessing sellers pages.

Does anyone have an idea on how I could prevent such illegal accesses?

Answer 1

Assign the user a group/role and check on that as well inside your phase listener (which could technically better be a simple servlet filter, after all, a phase listener is under the covers namely quite clumsy for the simple purpose and doesn't run on non-JSF URLs).

E.g., allow URLs starting with /seller/ to be accessed only by users having a role of SELLER:

if (url.startsWith("/seller/") && user.getRoles().contains(Role.SELLER)) {
    // Allow access.
} else {
    // Block access.
}

Note that this functionality is provided/builtin in many authentication frameworks, such as Java EE builtin container managed authentication and the 3rd party library Apache Shiro. All you need is then a simple web.xml configuration entry <security-constraint> or some configuration file such as an INI file in Shiro.

See also:

• Protected URLs leaking unprotected components of the webapge to unauthenticated users
• JSF: How control access and rights in JSF?
• JSF2 + Apache Shiro tutorial

Answer 2

Use Filter for this. Create class which implements javax.servlet.Filter interface and in doFilter() method check the role of user and if the user doesn't have role redirect him to some custom page. In web.xml add definition and mapping for this filter:

<filter>
  <filter-name>MyFilter</filter-name>
  <filter-class>mypackage.MyFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>MyFilter</filter-name>
  <url-pattern>*.xhtml</url-pattern>
</filter-mapping>

Answer 3

You could use a file or something where you map every page with a userrole.(some pages might be accessible by more then 1 userrole example:

<entry key="acl_page_sub/page1">client,seller</entry>
<entry key="acl_page_sub2/page1">client</entry>
<entry key="acl_page_sub2/page2">seller</entry>

And you define some sort of LoginController class where you check currentuserrole and requested page (url) against that list. And if not granted then redirect to custom error page or login page or whatever.

You add this logincontroller class a phaselistener to your facesconfig.