How to apply Filter before security constraint in JBoss EAP6/AS7

**Edit:** For some context, I am using a custom security-domain and manually calling request.login. I am not using the standard FORM authentication.

**Edit:** It seems like what I am really looking for is a way to replicate the `` functionality using a custom `` configured in jboss instead of j_security_check.

I need to be able to do two distinct things in my web app. First, I need to be able to determine if a user is authenticated, and if they are not I want to redirect them to the login page. I am using a Filter for this. Secondly, I need to determine whether a user has the right role in order to view certain pages in my webapp. It seems like the security-constraint tag in the web.xml file would be the proper tool for this job, but this rule is always applied first, before any filter. This means that the user is never given the opportunity to log in before being denied access to a page because he lacks the proper role.

The only solution I have been able to think of is to manually inspect the user roles in a Filter instead of using the security-constraint, but this does not feel like a good solution. I am wondering if there is something I am missing here, as it seems like this would be a pretty common use case. For reference, my Filter and a sample security constraint are pasted below.

**Edit:** The reason I am using a Filter to check for authorization is because you can only define one error page for a particular error (in this case, 403 access denied). For example, somebody with the role "customer" attempts to access the searchCustomer page. My security-constraint restricts that page to users with role "admin" or "user", and so a 403 error is generated and the user is redirected to the configured error page, error.xhtml. A second user who is NOT logged in attempts to visit main.xhtml. Because he is not logged in, he lacks one of the 3 allowed roles, and so he also receives a 403 error and is redirected to error.xhtml. However, because he is not logged in, I would prefer to redirect him to a login page instead. I do not see any way to distinguish between these two use cases using the security-constraint and error-page.

```
SecureApplicationConstraint SecureApplication SecureApplication /main.xhtml admin user customer
SearchCustomerPage SecureApplication SecureApplication /searchCustomer.xhtml admin user
403 /error.xhtml
```

Filter:

```java
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    String uri = req.getRequestURI();

    // Let the request through if the user is authenticated, or if it targets
    // the login page, the error page, or a JSF resource.
    if ((null != req.getUserPrincipal())
            || uri.endsWith("login.xhtml")
            || uri.endsWith("error.xhtml")
            || uri.contains(ResourceHandler.RESOURCE_IDENTIFIER)) {
        chain.doFilter(request, response);
    } else {
        // Not authenticated: redirect to the login page, remembering the requested URI.
        HttpServletResponse res = (HttpServletResponse) response;
        res.sendRedirect(req.getContextPath() + "/login.xhtml?from=" + URLEncoder.encode(uri, "UTF-8"));
        return;
    }
}
```
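One way to tell the two 403 cases apart while keeping the declarative security-constraint, shown as an added example that is not part of the original post: a servlet used as the 403 error-page location, which sends anonymous users to the login page and shows error.xhtml to authenticated users who lack the role. The class name, the `/accessDenied` path, and the expectation that the container dispatches the 403 to this location before the response is committed are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical handler (not from the original post). Assumed web.xml mapping:
//   <error-page>
//     <error-code>403</error-code>
//     <location>/accessDenied</location>
//   </error-page>
@WebServlet("/accessDenied")
public class AccessDeniedServlet extends HttpServlet {

    // Override service() so the handler works whatever HTTP method was denied.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // URI of the request that was denied, set by the container on error dispatch.
        String denied = (String) req.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);

        if (req.getUserPrincipal() == null) {
            // Case 1: nobody is logged in, so the 403 really means "please authenticate".
            String target = req.getContextPath() + "/login.xhtml";
            // Only carry the return URI when it points inside this application.
            if (denied != null && denied.startsWith(req.getContextPath() + "/")) {
                target += "?from=" + URLEncoder.encode(denied, "UTF-8");
            }
            res.sendRedirect(target);
            return;
        }

        // Case 2: authenticated but missing the required role; keep the 403
        // status and render the existing error page.
        res.setStatus(HttpServletResponse.SC_FORBIDDEN);
        req.getRequestDispatcher("/error.xhtml").forward(req, res);
    }
}
```

The role rules stay in web.xml, so a page added under an existing constraint is protected without touching filter code.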
