[JBoss] How to restrict access to JSF pages when user are not logged In ?

July 20, 2011




Dear *,

Here was the problem. One our client decided to not use Seam and do everything by himself. – Why reinvent the wheel ? –

Well, so he had an issue with the web page access which needs to have credentials. They were accessible by everyone if you knew the URL.

So the solution was to use servlet filter:

So create the Authentication filter implementation  named Authentication.java for instance :

package com.jboss.eas.project;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class Authentication implements Filter {
private FilterConfig customedFilterConfig;

public void doFilter(ServletRequest req, ServletResponse resp,FilterChain chain) throws IOException, ServletException {

if (((HttpServletRequest)req).getSession().getAttribute(Login.AUTH_KEY) == null) {
} else {

chain.doFilter(req, resp);

public void init(FilterConfig customedFilterConfig) throws ServletException {
this.customedFilterConfig = customedFilterConfig;

public void destroy() {
customedFilterConfig = null;

Then create a login bean or adapt yours – e.g. here Login.java –  :

package com.jboss.eas.project;

import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;

public class Login {
public static final String AUTH_KEY = "username";
private String username;
public String getUsername() { return username; }
public void setUsername(String username) { this.username = username; }public boolean isLoggedIn() {
return FacesContext.getCurrentInstance().getExternalContext()
.getSessionMap().get(AUTH_KEY) != null;
}public String login() {
AUTH_KEY, username);
return “true”;
}public String logout() {
return null;
Then add the following stanzas in your web.xml file :

BTW, the “Authorized_Web_Pages_Access_Directory_Path" is the directory which contains all your protected web pages.

Then create a Error redirection web page in case of an access to a web page without credentials  – here Non_Authorized_login.xhtml –


You do not have access to this page. 😦 <p></p> You must be registered !

Finally create your xhtml or jsf page – here AuthenticatedLogin.xhtml –
 <h:form> Username:
  <h:panelGroup rendered="#{not login.loggedIn}">
    <h:inputText value="#{login.name}" />
    <h:commandButton value="login" action="#{login.login}" />
  </h:panelGroup> <h:commandButton value="logout" action="#{login.logout}" rendered="#{login.loggedIn}" />
Here should be the result when you try to access a page without successful logged in using its URL  :


Frederic 😉


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: