Restricting users from accessing pages by directly changing the URL in JSF

悲&欢浪女 2021-02-09 04:26

I have two kinds of users in my application - clients and sellers. I am using a PhaseListener in JSF to prevent users from accessing pages without logging in, but a

4 answers
  •  無奈伤痛
    2021-02-09 05:22

    Assign the user a group/role and check on that as well inside your phase listener (which could technically better be a simple servlet filter; after all, a phase listener is, under the covers, quite clumsy for this simple purpose and doesn't run on non-JSF URLs).

    E.g., allow URLs starting with /seller/ to be accessed only by users having a role of SELLER:

    // url is the request path relative to the context root; user is the logged-in user from the session.
    if (url.startsWith("/seller/") && user.getRoles().contains(Role.SELLER)) {
        // Allow access.
    } else {
        // Block access.
    }
    

    Note that this functionality is provided out of the box by many authentication frameworks, such as Java EE's built-in container-managed authentication and the 3rd-party library Apache Shiro. All you need then is a simple web.xml configuration entry, or some configuration file such as an INI file in Shiro.

    See also:

    • Protected URLs leaking unprotected components of the webpage to unauthenticated users
    • JSF: How control access and rights in JSF?
    • JSF2 + Apache Shiro tutorial
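The servlet-filter variant of the role check described in the answer above, written out as a complete example. This is added illustration code, not code from the original post, and it assumes a few things the page does not state: a `Role` enum with `CLIENT` and `SELLER`, a `User` bean with a `getRoles()` method that is stored in the HTTP session under the attribute name `"user"`, a login page at `/login.xhtml`, and a `/client/` prefix alongside the `/seller/` one from the answer. It goes slightly beyond the snippet in the answer by being deny-by-default (a path that matches no configured prefix is refused) and by covering both prefixes from one table.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical role enum; the original post only shows Role.SELLER.
enum Role { CLIENT, SELLER }

// Hypothetical user bean kept in the session; assumed to expose getRoles() as a Set<Role>.
class User {
    private final String name;
    private final Set<Role> roles;

    User(String name, Set<Role> roles) {
        this.name = name;
        this.roles = roles;
    }

    public String getName() { return name; }
    public Set<Role> getRoles() { return roles; }
}

/**
 * Role-based URL authorization as a servlet filter. Unlike a JSF PhaseListener it runs on
 * every request to the mapped patterns, whether or not the URL is served by FacesServlet.
 */
@WebFilter(urlPatterns = { "/seller/*", "/client/*" })
public class RoleFilter implements Filter {

    // URL prefix (relative to the context root) -> role required to enter it.
    // The prefixes are assumptions; the original post only mentions /seller/.
    private static final Map<String, Role> REQUIRED_ROLES = Map.of(
        "/seller/", Role.SELLER,
        "/client/", Role.CLIENT);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Request path with the context root stripped, e.g. "/seller/orders.xhtml".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Never create a session here; an unauthenticated visitor should not get one for free.
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute("user"); // "user" key is an assumption

        if (user == null) {
            // Not logged in: send to the login page (path is an assumption).
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
            return;
        }

        if (!isAllowed(path, user)) {
            // Logged in but lacking the role for this area: refuse rather than redirect,
            // so the browser history does not fill with bounces.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }

    /** Deny by default: only a path under a known prefix, with the matching role, passes. */
    static boolean isAllowed(String path, User user) {
        for (Map.Entry<String, Role> entry : REQUIRED_ROLES.entrySet()) {
            if (path.startsWith(entry.getKey())) {
                return user.getRoles().contains(entry.getValue());
            }
        }
        return false;
    }
}
```

Two practical notes. First, the filter's own `urlPatterns` are the authoritative scope: the container matches them against the decoded, normalized path, so a request that never hits the filter is one the container has already routed elsewhere; the `startsWith` table inside is the second, role-specific gate and is deliberately deny-by-default so that adding a new prefix without a role entry fails closed. Second, the redirect on a missing login only works for normal requests; a JSF ajax request expects a partial-response XML document, so a plain 302 to an HTML login page will not be followed by jsf.js. The same rule expressed in container-managed security is a `<security-constraint>` in web.xml whose `<url-pattern>` is `/seller/*` and whose `<auth-constraint>` names the role `SELLER`, which is the "simple web.xml configuration entry" the answer refers to.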
