[Logo] OLD FORUM - Use new one: https://www.CaptainCasa.online/forum
  [Search] Search   [Recent Topics] Recent Topics   [Members]  Member Listing   [Groups] Back to home page 
[Register] Register /  [Login] Login 
Best Practices - Security [German only]  XML
Forum Index -> Development - Code Snippets
Author Message
[Post New]07/09/2011 14:12:40
    Subject: Best Practices - Security [German only]
[Up]
mreich

Power User
[Avatar]

Joined: 30/01/2009 08:34:23
Messages: 750
Offline
I wrote a best practice paper concerning security, e.g. redirect to a logon page etc.

https://docs.google.com/document/d/1J1nHdT_38IV3OUaTgEO_TYRZvfZsVmhuXTW39UfmbcM/edit?hl=en_US
[WWW]
[Post New]19/11/2011 00:31:07
    Subject: Re:Best Practices - Security [German only]
[Up]
cvieira

Power User

Joined: 08/07/2010 21:46:40
Messages: 59
Offline
Hi, thanks for sharing!

I successfully implemented the login action, maintaining relevant session information, but i'm having a problem with the redirect to logon page, when there is no user logged in... i have a surrounding page, and after login i change the content of surrounding page to a page "test.jsp", for example. Works fine... but if a user enters directly in "test.jsp" page, i want to redirect user to logon page again... but i'm not getting the way to redirect to logon page...

How can we do a simple redirect to a specific page? Eventually this is something basic in CC, but i'm can not find a way to do so... any help would be appreciated...

Thanks,
--
Carlos Vieira
[Post New]19/11/2011 08:34:22
    Subject: Aw:Best Practices - Security [German only]
[Up]
mreich

Power User
[Avatar]

Joined: 30/01/2009 08:34:23
Messages: 750
Offline
Hi,

you're right it

I had now another way, but without still no possibility of redirection.

I had an own WorkpageDispatchedPageBean class where I check if a page should be secure or not. I mark my not secure pages e.g. Around and Logon page with an Unsercure annotation.

In the constructor I do following check:
Code:
public WorkpageDispatchedPageBean(IWorkpageDispatcher dispatcher) {
 		super(dispatcher);
 		Annotation unsecure = this.getClass().getAnnotation(Unsecure.class);
 		if(unsecure == null) checkAuthorization();
 	}


Code:
private void checkAuthorization() {
 		// return if viewed in editor
 		if(HttpSessionAccess.checkIfInLayoutEditorPreview()) return;
 		// check user
 		String user = UserAccessMgr.getCurrentUser();
 		if(StringUtils.isEmpty(user) || UserAccess.USER_UNDEFINED.equals(user)) {			
 			try {
 				HttpSessionAccess.getCurrentResponse().sendError(403);
 			} catch (IOException e) { 
 				FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
 			}
 		}
 	}


I just send a 403 (Forbidden) HTTP Status to the client. If an error occures I invalidate the session just to be sure that no access is possible in cause of problem with IOException.

The annotation class:
Code:
@Retention(RetentionPolicy.RUNTIME)
 @Target(ElementType.TYPE)
 public @interface Unsecure {
 
 }


I think there should be a possibility in CC so that a redirect work?
Code:
FacesContext.getCurrentInstance().getExternalContext().redirect(arg0)


regard
Markus
[WWW]
[Post New]21/11/2011 23:54:52
    Subject: Re:Best Practices - Security [German only]
[Up]
cvieira

Power User

Joined: 08/07/2010 21:46:40
Messages: 59
Offline
Hi Markus,

Your solution is pretty clever works fine and it's the solution for the most user purposes on this scope.

Many thanks for your valuable help!

Regards,
Carlos
--
Carlos Vieira
 
Forum Index -> Development - Code Snippets
Go to:   
Powered by JForum 2.1.6 © JForum Team