JSF Security: Page Redirection and Page Forward

I am new to JSF and I would like to understand why page redirection and page forwarding do not create the same security rendering.

I have a JSF button that calls the support method:

    <h:form>
        <!-- content... -->
        <p:commandButton action="#{login.play}" ... />
    </h:form>

Bean login

    public String play() {
        ...
        //forward implementation
        return "play";
    }

    public String play() {
        ...
        //redirect implementation
        return "play?faces-redirect=true";
    }

My play.xhtml page is protected. Only admin or user roles can access it, but with my first play method, the security restriction is not enabled and I can access it. Why is it different?

+4
1 answer

Security is available upon request. Forwarding repeats the response of the current request to another view. Forwarding creates a new request, the response of which is used for another view. You can easily see this by looking at the request URL in the address bar of the browser. In the event of a transition, it remains unchanged.

Due to unrelated recording, navigating through POST is bad practice. You must either conditionally display the results on one page, or navigate by GET using either a regular link or a redirect after POST.

+5
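
Added example, not part of the original question or answer: because the URL-based restriction is evaluated on the incoming request only, a per-view role check can be run just before rendering so that the forward-style `return "play"` navigation is also covered. The class name `ViewRoleCheckListener` is hypothetical, the `javax.faces` (JSF 2.x) API is assumed, and the view ID and roles are taken from the question.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): checks roles against the view that is
// about to be rendered, not against the URL the request arrived on.
public class ViewRoleCheckListener implements PhaseListener {

    private static final long serialVersionUID = 1L;
    // Assumption: mirrors the question's rule (play.xhtml needs admin or user).
    private static final String PROTECTED_VIEW = "/play.xhtml";
    private static final List<String> ALLOWED_ROLES = Arrays.asList("admin", "user");

    @Override
    public PhaseId getPhaseId() {
        return PhaseId.RENDER_RESPONSE;
    }

    @Override
    public void beforePhase(PhaseEvent event) {
        FacesContext fc = event.getFacesContext();
        // After a forward-style navigation the view root is already the target view.
        if (fc.getViewRoot() == null
                || !PROTECTED_VIEW.equals(fc.getViewRoot().getViewId())) {
            return; // not the protected view
        }
        ExternalContext ec = fc.getExternalContext();
        for (String role : ALLOWED_ROLES) {
            if (ec.isUserInRole(role)) return; // caller holds an allowed role
        }
        try {
            ec.responseSendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
        } catch (IOException e) {
            throw new FacesException(e);
        }
        fc.responseComplete(); // skip rendering of the protected view
    }

    @Override
    public void afterPhase(PhaseEvent event) { }
}
```

Register the listener under `<lifecycle><phase-listener>` in faces-config.xml.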