Servlet filter (autologin) precedence over declarative security checks

Short question. How is it possible to execute servlet filters before any declarative security check is performed?

Long question. For my web application I'm trying to manage all my security needs using server declarative security: I have set a security constraint on <url-pattern>/secure/*</url-pattern> with <auth-method>FORM</auth-method> and <form-login-page>/sign-in.xhtml</form-login-page>.

In order to provide a (cookie-based) "remember me" function, I have set a servlet filter which intercepts each request, checks if the user is not logged in, checks if he can be logged in automatically (via cookie), eventually logs him in using servlet based login.

<filter-mapping>
    <filter-name>CustomLoginFilter</filter-name>
    <url-pattern>*.xhtml</url-pattern>
</filter-mapping>

Now, if the user opens his browser and connects to mysite.com everything just works. But if the user opens his browser and makes a straight request to something like mysite.com/secure/secret.xhtml I observe the following behaviour:

  1. GET /secure/secret.xhtml
  2. the backing beans of log-in.xhtml are instantiated (FacesContext is available)
  3. the CustomLoginFilter.doFilter( ) gets called, (FacesContext is NULL)

This obviously hinders all the process. I cannot find any way to give precedence to my CustomLoginFilter over the server "declarative security filter" (or whatever); changing the web.xml order of declarations doesn't help too... any ideas? Thank you!

Answers


How is it possible to execute servlet filters before any declarative security check is performed?

That's not possible due to specification and security restrictions.

Your best bet is a hook on preRenderView event in the login page and use programmatic login by the new Servlet 3.0 HttpServletRequest#login() method.

E.g.

<f:event type="preRenderView" listener="#{authenticator.checkAutoLogin}" />

with something like

public void checkAutoLogin() throws IOException {
    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    Cookie autoLogin = externalContext.getRequestCookieMap().get("autoLoginCookieName");

    if (autoLogin != null) {
        User user = decryptCookieValueAndExtractUser(autoLogin.getValue()); // Yes, it must be encrypted! Otherwise a too easy hack.

        if (user != null) {
            HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();

            try {
                request.login(user.getName(), user.getPassword());
                String originalRequestURI = externalContext.getRequestMap().get(RequestDispatcher.FORWARD_REQUEST_URI);
                externalContext.redirect(originalRequestURI != null ? originalRequestURI : "someDefaultIndex.xhtml");
            } catch (ServletException e) {
                // Login failed. It's up to you how to handle it.
            }
        }
    }
}

Need Your Help

Removing Script Error Popups

c# javascript popup web-crawler

I am working on a security program that amongst other things tries to manipulate webpages to test them for possible Javascript Injections, Cross-Site Scripting etc.

How do I determine in parent, if the popup radWindow has closed?

asp.net telerik popupwindow radwindow

I have an application where the user clicks a button on the parent window to display a popup window. When the user closes the popup window, how can I determine (in the parent window codebehind) tha...

Eclipse (Helios) debugger - getting different Results in Debug mode and Run mode

java eclipse multithreading debugging

I am debugging RCP( multi-threaded GUI application) using Eclipse Helios.

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.