Writing an authorization filter for my web app (JSF 2.0)


If you need to allow access, simply call:

// it will process the request normally, meaning it passes control on from the Filter
chain.doFilter(request, response);

If you want to restrict the user, then call:

// take some action
response.sendRedirect("URL to some page"); // it will simply redirect the user

Some suggestions

  • Make it configurable using some sort of XML or properties file; your code seems hard-coded to me. Tomorrow there might be another page added, so you would need to recompile your Filter.

  • If allowed, simply use Spring Security; it has got nice features. Also you won't be reinventing the wheel.
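
Putting the two calls together, here is an added example (not the answer's or the asker's code) of a complete filter that makes the allow/deny decision on a deny-by-default basis: a page passes only if it is listed as public or explicitly granted to the caller's role, so a page added tomorrow is refused until someone lists it. It assumes the session attribute "userRole" holds the role name as a String such as "BUYER" (the question stores an entities.Role object; cast to your type and call getType() instead), the page lists are hard-coded only to keep the example short, and the redirect target and method names are assumptions.

```java
package filters;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example filter; page lists and the "userRole" String attribute are assumptions.
public class RestrictPageFilter implements Filter {

    // Pages anyone may open, logged in or not. In a real deployment load these from
    // configuration instead of hard-coding them.
    private static final Set<String> PUBLIC_PAGES = new HashSet<String>(Arrays.asList(
            "/faq.xhtml", "/index.jsp", "/login.xhtml", "/main.xhtml", "/registration.xhtml"));

    // Role name -> pages that role may open in addition to the public ones.
    private static final Map<String, Set<String>> ROLE_PAGES = new HashMap<String, Set<String>>();
    static {
        ROLE_PAGES.put("BUYER", Collections.singleton("/buyoffer.xhtml"));
        ROLE_PAGES.put("SELLER", Collections.singleton("/sellerpanel.xhtml"));
        ROLE_PAGES.put("ADMINISTRATOR", Collections.singleton("/adminpanel.xhtml"));
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to initialise while the lists are hard-coded.
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false): do not create a session for anonymous visitors just to look at it.
        HttpSession session = req.getSession(false);
        String role = session == null ? null : (String) session.getAttribute("userRole");

        // Match on the path inside the web application. getRequestURL() would include the
        // scheme, host and context path and tie every rule to one deployment.
        String page = req.getServletPath();
        if (req.getPathInfo() != null) {
            page += req.getPathInfo(); // "/faces/*" style mappings put the page here
        }

        if (isAllowed(page, role)) {
            chain.doFilter(request, response); // hand the request on to the next filter / JSF
        } else if (role == null) {
            resp.sendRedirect(req.getContextPath() + "/login.xhtml"); // not logged in
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // logged in, but wrong role
        }
    }

    // Deny by default: anything not explicitly public or granted to the role is refused.
    static boolean isAllowed(String page, String role) {
        if (PUBLIC_PAGES.contains(page)) {
            return true;
        }
        if (role == null) {
            return false;
        }
        Set<String> pages = ROLE_PAGES.get(role);
        return pages != null && pages.contains(page);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter to `/*` in web.xml so every request passes through it, including static resources and any JSF mapping you use. Comparing whole, exact paths from getServletPath()/getPathInfo(), which the container has already decoded and which carry neither the host nor the query string, is deliberately stricter than substring checks on getRequestURL(): a rule like "URL contains faq.xhtml" would let `/adminpanel.xhtml?x=faq.xhtml` through.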

Author: javing
Enthusiastic Java developer based in London. I love Stack Overflow; I have used it regularly for many years and it is a great way of helping and asking for help. I also love blogging about software. Please visit my blogs: Javing (Medium), Javing (Blogger)

Updated on June 04, 2022

Comments

  • javing
    javing almost 2 years

    Following some advice, I decided to write my own authorization filter for my web app (I am not using container-managed security, so I have to do it this way).

    This is my first filter, so I am a bit confused about how I should implement it. This is what I did so far:

    package filters;
    
    import java.io.IOException;
    
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    
    import entities.Role;
    
    public class RestrictPageFilter implements Filter {
    
        FilterConfig fc;
    
        public void init(FilterConfig filterConfig) throws ServletException {
            // The easiest way to initialize the filter
            fc = filterConfig;
        }
    
        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
    
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            HttpSession session = req.getSession(true);
            String pageRequested = req.getRequestURL().toString();
    
            Role currentUser = (Role) session.getAttribute("userRole");
    
            //Pages that are allowed with no need to login:
            //-faq.xhtml
            //-index.jsp
            //-login.xhtml
            //-main.xhtml
            //-registration.xhtml
    
            //NOW pages that are restricted depending on the type of user
            //buyoffer.xhtml(Only BUYER)
            //sellerpanel.xhtml(Only SELLER)
            //adminpanel.xhtml(Only ADMINISTRATOR)
    
            //HOW SHOULD I IMPLEMENT THAT??
            if(currentUser != null && currentUser.getType().equals("BUYER")) {          
    
            }
            if(currentUser != null && currentUser.getType().equals("SELLER")) {         
    
            }
            if(currentUser != null && currentUser.getType().equals("ADMINISTRATOR")) {          
    
            }
    
    
        }
    
        public void destroy() {
            // Not needed
        }
    }
    

    As you see, I left comments where I got stuck. Can someone give me a hand finishing this filter or give me some pseudocode tips on how I should finish it?

    I saw some examples around the web, but none of them does different filtering depending on the user type.

    I'll appreciate your help :)

    Update

    I created an XML file to help me do the filtering (it is located inside WEB-INF/classes):

    <access>
        <buyer>
            <page>buyoffer.xhtml</page>
            <page>faq.xhtml</page>
            <page>index.jsp</page>
            <page>login.xhtml</page>
            <page>main.xhtml</page>
            <page>registrationSucceded.xhtml</page>     
        </buyer>
        <seller>
            <page>sellerpanel.xhtml</page>
            <page>faq.xhtml</page>
            <page>index.jsp</page>
            <page>login.xhtml</page>
            <page>main.xhtml</page>
            <page>registrationSucceded.xhtml</page>     
        </seller>
        <administrator>
            <page>sellerpanel.xhtml</page>
            <page>faq.xhtml</page>
            <page>index.jsp</page>
            <page>login.xhtml</page>
            <page>main.xhtml</page>
            <page>registrationSucceded.xhtml</page>     
        </administrator>
    </access>
    
    <!-- THE REGISTRATION PAGES SHOULD NOT BE ACCESSIBLE IF THE USER IS LOGGED IN -->
    

    I read the file from the init() method:

    public class RestrictPageFilter implements Filter {
    
        private FilterConfig fc;
        private InputStream in;
    
        public void init(FilterConfig filterConfig) throws ServletException {
            // The easiest way to initialize the filter
            fc = filterConfig;
            //Get the file that contains the allowed pages
            in = this.getClass().getResourceAsStream("/allowedpages.xml");
        }
    
        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
    
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            HttpSession session = req.getSession(true);
            String pageRequested = req.getRequestURL().toString();
    
            //Get the value of the current logged user 
            Role currentUser = (Role) session.getAttribute("userRole");
            if (currentUser != null) {
    
            }
        }
    
        public void destroy() {
            // Not needed
        }
    }
    
  • javing
    javing about 13 years
    How can I do it with that XML setting you mentioned?
  • jmj
    jmj about 13 years
    You can define pages that are allowed for, say, role ADMIN in XML, then read them into a map at context initialization time and use that map in the Filter. Spring Security does this.
  • javing
    javing about 13 years
    OK, I will try that. Where should I store that XML file? Can it be next to the web.xml file?
  • jmj
    jmj about 13 years
    Well, if you define your own Filter, then you can store the file anywhere, but it is better to put it directly on the class path: if you use the Maven structure, put it in resources, otherwise in the default package so that it goes to WEB-INF/classes.
  • javing
    javing about 13 years
    I don't use Maven; I will put it directly on the class path in WEB-INF/classes. How should I access it? What would be the easiest way to access it from within the filter? Could you give me some tips?
  • jmj
    jmj about 13 years
    You don't need to access it from the Filter; just read it into a map or some appropriate data structure from a ServletContextListener in contextInitialized.
  • javing
    javing about 13 years
    The ServletContextListener is an advanced topic for me; I don't understand how it works. I think I will use an InputStream from inside my RestrictPageFilter class and then manually go through the file. Is that approach correct?
  • jmj
    jmj about 13 years
    No. Then read it from the init method of the Filter, which will be called when your Filter is initialized.
  • javing
    javing about 13 years
    OK, I will do that. Just one more question: when I call `InputStream in = this.getClass().getResourceAsStream("/allowedpages.xml");` from the init method, how can I store the contents inside a list or similar (to be able to do the filtering later)?
  • jmj
    jmj about 13 years
    There are a lot of parsers available to parse XML.
  • javing
    javing about 13 years
    I think I will use JAXP; it is already included in Java. Thanks for your help.