
I am using JDBCRealm to do authentication and authorization in my web app. In regard to authentication, I am using FORM with the j_security_check service. I have configured everything, including an HTTP Status 403 error page to which the user is redirected if he/she does not have the required permissions to access a resource. Up to this point, everything is working fine. The problem comes in when an HTTP Status 403 error is returned. It seems to me that despite the user not having been authorized, a JSF session is still created for this user as long as he/she has been successfully authenticated. Now when I try going back to the login page and enter the password and username of a user who has permission to access the resource, it fails to authorize because authorization is still being applied to the user holding the current session, who apparently does not have the required permission. What I need to know is how to destroy or invalidate such a session created when an HTTP Status 403 is returned. Thanks.

UPDATE: I think it's important to mention that when the session has timed out, I am able to log in a user who has the required permissions. Just a tip...

DonKariro
  • Why is the session created in first place? By default, JSF doesn't do that as long as it's not necessary. Do you have a form in your error page and/or are you referencing view/session scoped beans in your error page? If so, why exactly? If unsure, implement `HttpSessionListener#sessionCreated()`, put a breakpoint and run a debugger to see in call stack who invoked it and why. – BalusC Sep 16 '13 at 11:03
  • @BalusC thank you very much for responding, I have no form in my error page neither do I reference any bean from it. Let me do what you have proposed above and I will get back to you, thanks.. – DonKariro Sep 16 '13 at 12:28
  • @BalusC after doing the above, HttpSessionListener#sessionCreated() does not show any caller in the call hierarchy, but it seems the event originates from org.apache.catalina.session.StandardSessionFacade – DonKariro Sep 19 '13 at 14:54

2 Answers


Simple!! You can configure it in web.xml.

Just define the error code in web.xml; what will happen is that when your view page is loaded, if the 403 is thrown, the defined error page will be called automatically.

Code:

<error-page>
    <error-code>403</error-code>
    <location>/error.xhtml</location>
</error-page>

In the error page you can do the stuff you want.

To kill the current session, the best method is to invalidate the session through FacesContext:

// Obtain the underlying servlet request from the JSF external context (kept for reference; not needed for the call below)
HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
// Invalidate the HTTP session behind the current JSF request
FacesContext.getCurrentInstance().getExternalContext().invalidateSession();

After this code executes, the current session will be terminated.

kark
  • Please revisit my question. I have already done this successfully; what I want to know is how to destroy the session created after this. – DonKariro Sep 16 '13 at 10:50
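As an added example (not from the question or either answer), the same invalidation done in a plain servlet registered as the 403 error location, so no JSF view is rendered while the error is handled; the servlet path /error403 and the protected URL /protected are assumptions to adjust for your application.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed web.xml mapping for this servlet:
//   <error-page><error-code>403</error-code><location>/error403</location></error-page>
@WebServlet("/error403")
public class ForbiddenErrorServlet extends HttpServlet {
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal principal = req.getUserPrincipal();
        String user = principal != null ? principal.getName() : "<No User>";
        // End the container login for this request (Servlet 3.0+), then the session.
        // getSession(false) returns null instead of creating a session as a side effect.
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Keep the 403 status and render a minimal page; the link points at a
        // protected URL (assumed: /protected) so FORM auth shows the login page again.
        resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        resp.setContentType("text/html;charset=UTF-8");
        String again = req.getContextPath() + "/protected";
        try (PrintWriter out = resp.getWriter()) {
            out.println("<!DOCTYPE html><html><body>");
            out.println("<h2>The user '" + escape(user)
                    + "' is not authorized to access the page</h2>");
            out.println("<p><a href=\"" + again + "\">Login again with an authorized user</a></p>");
            out.println("</body></html>");
        }
    }

    // HTML-escape the principal name before echoing it; it comes from the user store,
    // not from this page.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```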

I had the same problem, but I'm using Wicket. So I defined the following JSP as the error page:

<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
        <title>User Authorization Error (403)</title>
    </head>
    <body>
        <% 
            String userName    = "<No User>";
            String contextPath = request.getContextPath ();
            java.security.Principal principal = request.getUserPrincipal ();
            if (principal != null) userName = principal.getName ();
            request.getSession ().invalidate ();
        %>
        <h2>The user '<%=userName %>' is not authorized to access the page</h2>
        <p>
            <a href="<%= contextPath %>/protected">Login again with an authorized user</a>
        </p>
    </body>
</html>
thmayr
  • @thymayr: JSP for recent versions of JSF is 'deprecated', so in that regard the answer is 'not good'. – Kukeltje Mar 24 '16 at 11:05