Are there any issues with inserting a check into a template?

Backend | Unresolved | 2 | 525
野的像风
野的像风 2020-12-11 21:43

Are there any issues if I insert a check into the template file? For example, if I insert the user check into the template's xhtml file, it could be a security issue i

Related tags:
2 answers
  • 2020-12-11 22:15

    I understand that you're checking the presence of the logged-in user before displaying the content. This may be okay this way, but any user who opens the page without being logged-in will receive blank content. This is not very user friendly. You'd like to redirect a non-logged-in user to the login page.

    This is normally already taken into account if you're using Java EE provided container managed authentication. But if you're homegrowing authentication, you'd need to create a servlet filter for this. If you collect all restricted pages in a common folder like /app so that you can use a common URL pattern for the filter, e.g. /app/* (and put all public pages such as the login page outside this folder), then you should be able to filter out non-logged-in users as follows, assuming that #{userBean} is a session scoped JSF @ManagedBean or some session attribute which you've put in session scope yourself:

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    // Applies to every request under /app/*; public pages (e.g. login.xhtml) live outside that folder.
    @WebFilter("/app/*")
    public class LoginFilter implements Filter {

        @Override
        public void init(FilterConfig config) throws ServletException {
            // NOOP.
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            // getSession(false) does not create a new session for anonymous visitors.
            HttpSession session = request.getSession(false);
            // #{userBean} is a session scoped bean, so it is reachable as a session attribute of the same name.
            UserBean user = (session != null) ? (UserBean) session.getAttribute("userBean") : null;

            if (user == null || user.getCognome() == null) {
                response.sendRedirect(request.getContextPath() + "/login.xhtml"); // No logged-in user found, so redirect to login page.
            } else {
                chain.doFilter(req, res); // Logged-in user found, so just continue request.
            }
        }

        @Override
        public void destroy() {
            // NOOP.
        }

    }

    See also:

    • How to handle authentication/authorization with users in a database?
  • 2020-12-11 22:24

    I doubt you will have issues with security, but be sure you put the templates inside the WEB-INF folder so the templates don't have visibility from the outside. I also recommend that you use Spring Security.
