Protecting the Web Client


The action attribute has the expression #{navigation.logout.action} to invoke the action
method of the Navigation enum. This returns the enum constant, representing the logical
outcome, logout.
The following piece of a navigation rule configuration in the faces-config.xml file
corresponds to the action attribute expression of the preceding commandLink tag. It causes the
logoff.jsp page to open if the logout logical outcome is returned.
<navigation-rule>
  ...
  <navigation-case>
    <description>
      Any action that returns
      "logout" should go to the
      logoff page and invalidate the session.
    </description>
    <!-- from-outcome matches the logical outcome string "logout" returned by the
         action method; from-action would expect the action expression itself -->
    <from-outcome>logout</from-outcome>
    <to-view-id>/logoff.jsp</to-view-id>
  </navigation-case>
</navigation-rule>
When a page in the application is rendered, it is constructed with the aid of a template
mechanism. Every page includes the template.jsp page, which in turn includes certain
subcomponents, such as banner.jsp, into the page depending on which page is being rendered.
The screendefinitions.jspf page, included in template.jsp, determines which page to
render based on the current view ID, which identifies the UI component tree that represents the
page to be rendered. The screendefinitions.jspf page accesses the view ID with this
expression from its definition tag:
<tt:definition name="bank" screen="${facesContext.viewRoot.viewId}">
Based on the view ID, the templating mechanism will include specific components into the
page.
Protecting the Web Client Resources
In the Java EE platform, you protect a web resource from anonymous access by specifying which
security roles can access the resource. The web container guarantees that only users
acting in those roles can access the resource. For the web container to enforce the security
constraint, the application must specify a means for users to identify themselves, and the web
container must support mapping a role to a user.
In the Duke's Bank web client, you restrict all the URLs listed in Table 37-2 to the security
role bankCustomer. The application requires users to identify themselves by means of the
form-based login mechanism. When a customer tries to access a web client URL and has not
been authenticated, the web container displays the JSP page logon.jsp. This page contains an
Web Client
Chapter 37 · The Duke's Bank Application
1073
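The role restriction and form-based login described above are declared in the web client's web.xml deployment descriptor. The fragment below is an added example, not the tutorial's own descriptor: the url-pattern is a placeholder for the entries of Table 37-2 (which is not reproduced here), and /logonError.jsp is an assumed name for the login error page; bankCustomer and /logon.jsp come from the text.

```xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Duke's Bank web client</web-resource-name>
      <!-- placeholder: add one url-pattern per URL listed in Table 37-2 -->
      <url-pattern>/PLACEHOLDER-URL-FROM-TABLE-37-2</url-pattern>
      <!-- no http-method element, so the constraint covers every HTTP method;
           listing only GET and POST would leave other methods unprotected -->
    </web-resource-collection>
    <!-- only authenticated users mapped to this role may reach the URLs above -->
    <auth-constraint>
      <role-name>bankCustomer</role-name>
    </auth-constraint>
    <!-- require HTTPS so the login form credentials and the session cookie
         are not sent in the clear -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- form-based login: the container shows logon.jsp to unauthenticated
       users who request a constrained URL -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logonError.jsp</form-error-page> <!-- assumed name -->
    </form-login-config>
  </login-config>

  <!-- declares the role the constraint refers to; the container maps
       real users (or groups) to it at deployment time -->
  <security-role>
    <description>Customers of Duke's Bank</description>
    <role-name>bankCustomer</role-name>
  </security-role>

</web-app>
```

The login and error pages themselves must not fall under the url-patterns of the constraint, and the form in logon.jsp posts the j_username and j_password fields to j_security_check, which is the container's standard form-login target.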