Writing an authorization filter for my web app (JSF 2.0)
If you need to allow the access, simply call

    // it will process the request normally, meaning control passes on from the Filter
    chain.doFilter(request, response);

If you want to restrict the user, then call

    // take some action
    response.sendRedirect("URL to some page"); // it will simply redirect the user

Some Suggestions

Make it configurable using some sort of XML or properties file; your code seems hard-coded to me. Tomorrow there might be another page added, so you would need to recompile your Filter.

If allowed, then simply use Spring Security; it has got nice features. Also you won't be reinventing the wheel.
javing
Updated on June 04, 2022

Comments
-
javing almost 2 years
Following some advice, I decided to write my own authorization filter for my web app (I am not using container-managed security, so I have to do it this way).
This is my first filter, so I am a bit confused about how I should implement it. This is what I did so far:
    package filters;

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    import entities.Role;

    public class RestrictPageFilter implements Filter {

        FilterConfig fc;

        public void init(FilterConfig filterConfig) throws ServletException {
            // The easiest way to initialize the filter
            fc = filterConfig;
        }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            HttpSession session = req.getSession(true);
            String pageRequested = req.getRequestURL().toString();
            Role currentUser = (Role) session.getAttribute("userRole");

            // Pages that are allowed with no need to login:
            // - faq.xhtml
            // - index.jsp
            // - login.xhtml
            // - main.xhtml
            // - registration.xhtml

            // NOW pages that are restricted depending on the type of user
            // buyoffer.xhtml    (Only BUYER)
            // sellerpanel.xhtml (Only SELLER)
            // adminpanel.xhtml  (Only ADMINISTRATOR)

            // HOW SHOULD I IMPLEMENT THAT??
            if (currentUser != null && currentUser.getType().equals("BUYER")) {
            }
            if (currentUser != null && currentUser.getType().equals("SELLER")) {
            }
            if (currentUser != null && currentUser.getType().equals("ADMINISTRATOR")) {
            }
        }

        public void destroy() {
            // Not needed
        }
    }
As you see, I left comments where I got stuck. Can someone give me a hand finishing this filter, or give me some pseudo-code tips on how I should finish it?
I saw some examples around the web, but none of them do different filtering depending on the user type.
I'll appreciate your help :)
Update
I created an XML file to help me do the filtering (it is located inside WEB-INF/classes):

    <access>
        <buyer>
            <page>buyoffer.xhtml</page>
            <page>faq.xhtml</page>
            <page>index.jsp</page>
            <page>login.xhtml</page>
            <page>main.xhtml</page>
            <page>registrationSucceded.xhtml</page>
        </buyer>
        <seller>
            <page>sellerpanel.xhtml</page>
            <page>faq.xhtml</page>
            <page>index.jsp</page>
            <page>login.xhtml</page>
            <page>main.xhtml</page>
            <page>registrationSucceded.xhtml</page>
        </seller>
        <administrator>
            <page>sellerpanel.xhtml</page>
            <page>faq.xhtml</page>
            <page>index.jsp</page>
            <page>login.xhtml</page>
            <page>main.xhtml</page>
            <page>registrationSucceded.xhtml</page>
        </administrator>
    </access>
    <!-- THE REGISTRATION PAGES SHOULD NOT BE ACCESSIBLE IF THE USER IS LOGGED IN -->

I read the file from the init() method:

    public class RestrictPageFilter implements Filter {

        private FilterConfig fc;
        private InputStream in;

        public void init(FilterConfig filterConfig) throws ServletException {
            // The easiest way to initialize the filter
            fc = filterConfig;
            // Get the file that contains the allowed pages
            in = this.getClass().getResourceAsStream("/allowedpages.xml");
        }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            HttpSession session = req.getSession(true);
            String pageRequested = req.getRequestURL().toString();
            // Get the value of the current logged user
            Role currentUser = (Role) session.getAttribute("userRole");

            if (currentUser != null) {
            }
        }

        public void destroy() {
            // Not needed
        }
    }
-
javing about 13 years: How can I do it with those XML settings you mentioned?
-
jmj about 13 years: You can define pages that are allowed for, say, role ADMIN in XML, now read them into a map at context initialization time and use that map in the Filter. Spring Security does this.
-
javing about 13 years: Ok, I will try that. Where should I store that XML file, can it be next to the web.xml file?
-
jmj about 13 years: Well, if you define your own Filter, then you can store the file anywhere. But it is better to put it directly on the class path: if it is a Maven structure then put it in resources, or else in the default package, so that it goes to WEB-INF/classes.
-
javing about 13 years: I don't use Maven, I will put it directly on the class path in WEB-INF/classes. How should I access it? What would be the easiest way to access it from within the filter? Could you give me some tips?
-
jmj about 13 years: You don't need to access it from the Filter, just read it into a map or some appropriate DS from a ServletContextListener on contextInitialized.
-
javing about 13 years: The ServletContextListener is an advanced topic for me, I don't understand how it works. I think I will use an InputStream from inside my RestrictPageFilter class and then manually go through the file. Is that approach correct?
-
jmj about 13 years: No, then read it from the init method of the Filter, which will be called when your Filter is initialized.
-
javing about 13 years: Ok, I will do that. Just one more question: when I call InputStream in = this.getClass().getResourceAsStream("/allowedpages.xml"); from the init method, how can I store the contents inside a list or similar (to be able to do the filtering later)?
-
jmj about 13 years: There are a lot of parsers available to parse XML.
-
javing about 13 years: I think I will use JAXP, it is already included in Java. Thanks for your help.