
Good morning everyone! I have an application that has access control, and it is working OK, but the user can type the URL in the browser and access pages that he does not have access to.

Could someone help me solve this?

Below is the implementation of the Filter:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Filter as posted; the enclosing class name and the empty init/destroy
// (required before Servlet 4.0) are added so the snippet compiles.
// It only checks whether someone is logged in, not which page is requested.
public class LoginFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filter)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession();

        // Pass through if a user is in the session or the login page itself is requested
        if (session.getAttribute("sessionUser") != null
                || req.getRequestURI().endsWith("Login.xhtml")) {
            System.out.println("if");
            filter.doFilter(request, response);
        } else {
            System.out.println("else");
            HttpServletResponse res = (HttpServletResponse) response;
            res.sendRedirect(req.getContextPath() + "/Login.xhtml");
        }
    }

    @Override
    public void destroy() { }
}
  • Seems like a situation where you need a Filter to handle the security by URL access. Check out [this question](https://stackoverflow.com/questions/8480100/how-implement-a-login-filter-in-jsf) for more information. – Bonifacio Aug 21 '17 at 20:42
  • How is your access control implemented? What framework did you use? Your problem is more related to those questions than to your filter itself. – Jorge Campos Aug 21 '17 at 20:50
  • My filter works when the screens are called through menus and buttons. But it is not working when I take the URL from a page and paste it into the browser. How do I know if the page was called through a button/menu or if it was through a URL pasted into the browser? – Gustavo Menezes Aug 21 '17 at 21:02
  • Hi Jorge! I use JSF 2.0 with PrimeFaces. – Gustavo Menezes Aug 21 '17 at 21:04

1 Answer


Before answering, I suggest you use a security framework to control access to pages, something powerful like Spring Security.

But in this case you only checked whether the user session is valid or not; nothing related to the page or page name is added to the session. You should add all the pages the user is allowed to access (their names, for example) to the session as attributes after a successful login, and then in this filter check which page the user requested access to. If the session attributes contain that page, call doFilter; else redirect to an access-denied page.

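A worked example of the approach the answer describes, added here as an illustration; it is not the original poster's or the answerer's code. It makes two points concrete. First, the server has no reliable way to tell whether a request came from a menu click or from a URL typed into the address bar, so the filter has to authorize every request for a protected view rather than trust how the user got there. Second, the decision is made against an allow-list of view paths built at login time, and anything not on that list is refused (default deny). The session attribute names, the page paths, the login-time role mapping and the AccessDenied.xhtml page are assumptions made for this example; the filter is mapped to *.xhtml so it runs for every JSF view, including ones no menu links to.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not the original poster's code. Attribute names, page paths
// and the role-to-page mapping below are assumptions for illustration.
@WebFilter("*.xhtml")   // run for every JSF view, not only the ones reachable from menus
public class PageAccessFilter implements Filter {

    static final String USER_ATTR  = "sessionUser";
    static final String PAGES_ATTR = "allowedPages";   // Set<String> of view paths this user may open

    // Views every visitor may reach, logged in or not. Everything else is denied by default.
    private static final Set<String> PUBLIC_PAGES = new HashSet<String>();
    static {
        PUBLIC_PAGES.add("/Login.xhtml");
        PUBLIC_PAGES.add("/AccessDenied.xhtml");   // must be public or the redirect below loops
    }

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Container-decoded view path without context path or query string, e.g. "/admin/Users.xhtml".
        // Works for both "*.xhtml" and "/faces/*" FacesServlet mappings.
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path += req.getPathInfo();
        }

        // JSF resources (CSS/JS/images under /javax.faces.resource/) are not views; let them through.
        if (path.startsWith("/javax.faces.resource/") || PUBLIC_PAGES.contains(path)) {
            chain.doFilter(request, response);
            return;
        }

        HttpSession session = req.getSession(false);   // do not create a session just to inspect it
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            res.sendRedirect(req.getContextPath() + "/Login.xhtml");   // not logged in at all
            return;
        }

        @SuppressWarnings("unchecked")
        Set<String> allowed = (Set<String>) session.getAttribute(PAGES_ATTR);
        if (allowed != null && allowed.contains(path)) {
            chain.doFilter(request, response);   // logged in AND authorized for this view
        } else {
            // Logged in but not authorized: same result whether the URL was clicked or typed.
            // res.sendError(HttpServletResponse.SC_FORBIDDEN) is the alternative to a redirect.
            res.sendRedirect(req.getContextPath() + "/AccessDenied.xhtml");
        }
    }

    @Override
    public void destroy() { }

    /**
     * Called from the login bean right after the credentials check succeeds.
     * The role model is assumed; a real application would load the pages from its own authorization data.
     */
    public static void grantPages(HttpSession session, Object user, String role) {
        Set<String> pages = new HashSet<String>();
        pages.add("/Home.xhtml");
        if ("ADMIN".equals(role)) {
            pages.add("/admin/Users.xhtml");
            pages.add("/admin/Reports.xhtml");
        }
        session.setAttribute(USER_ATTR, user);
        session.setAttribute(PAGES_ATTR, Collections.unmodifiableSet(pages));
    }
}
```

Call grantPages(...) from the login bean once the password has been verified; from then on a user with role USER who types /admin/Users.xhtml into the browser is sent to AccessDenied.xhtml even though a logged-in session exists. The path is taken from getServletPath() plus getPathInfo() rather than getRequestURI(), because the container has already decoded it and stripped path parameters such as ;jsessionid before servlet mapping, so those cannot defeat the exact string comparison against the allow-list.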