Categories
SEAM Tomcat

Restrict access to inner Facelets with SEAM

Sometimes you could have some facelets, which are no entry-sites and which should never be called directly by the user. Typical types are template-files.
Seam provides here an easy function to restrict the access to such pages. You can define this restriction in the pages.xml or the associated *.page.xml.
For the pages.xml you have to add:

1
2
3
4
5
6
7
8
< ?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://jboss.com/products/seam/pages" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
...
	<page view-id="/templates/template.xhtml">
		<restrict />
	</page>
...
</pages>

Because you also can use wildcards, it is also possible to restrict a whole directory:

1
2
3
4
5
6
7
8
< ?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://jboss.com/products/seam/pages" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
...
	<page view-id="/templates/*">
		<restrict />
	</page>
...
</pages>

Seam will now throw an exception, if a user will access this page, but instead we want to send the typical HTTP-error 403. So we have to define some more rules in pages.xml:

1
2
3
4
5
6
7
8
9
10
11
< ?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://jboss.com/products/seam/pages" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
...
	<exception class="org.jboss.seam.security.NotLoggedInException">
		<http -error error-code="403" />
	</exception>
	<exception class="org.jboss.seam.security.AuthorizationException">
		<http -error error-code="403" />
	</exception>
...
</pages>

Another way would be an own Servlet or Servlet-Filter, which would send the errorcode directly.

Categories
SEAM Tomcat

Defining a ServletFilter – the SEAM way

SEAM doesn’t only extends JSF and Facelets, but also gives you a possibility to define other resources or components via annotations. To define a simple Servlet Filter you only need to annotate a class with the @Filter-annotation. There is no need to extend the web.xml or other.

One simple Filter would be:

1
2
3
4
5
6
7
8
9
10
@Scope(ScopeType.APPLICATION)
@Name("myFilter")
@Install(precedence = Install.FRAMEWORK)
@BypassInterceptors
@Filter(within = { "org.jboss.seam.web.rewriteFilter" })
public class MyFilter extends AbstractFilter {
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);
    }
}

With the parameters within or around of the @Filter annotation, you can define when you filter will be called.

Categories
Tomcat

Disable JSESSIONID in Tomcat

Like PHP also the Servlet Containers try to attach a request to a session. If the client doesn’t support cookies it is realized via an suffix ;JESSSIONID= in every URL. Unfortunately this is not good in relation to SEO. The problem is that Tomcat doesn’t provide any configuration option to disable the use of JSESSIONID in URLs. So the only way is an own Filter, which disables the behaviour. You will find an example at: http://randomcoder.com/articles/jsessionid-considered-harmful