I have a JSF2 (GlassFish 3.0) application with security constraints defined (example below). My problem is, I have a "sign up" link that should not be accessible when the user is logged in.
That is, if they try to hit "/signup.jsf" they should be able to access it if they are logged in; so if they have any roles, they should not be able to see the page.
Is there a way to do an "inverse" security constraint like that?
Any suggestions are welcome, thanks! Rob
Example constraint from my app, in case that's useful:
    <security-constraint>
        <display-name>profileForm</display-name>
        <web-resource-collection>
            <web-resource-name>profileForm</web-resource-name>
            <url-pattern>/profileForm.jsf</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>GENERAL</role-name>
            <role-name>ADMIN</role-name>
            <role-name>STAFF</role-name>
            <role-name>INSTRUCTOR</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
Just create a Filter which does exactly that. There is really nothing which standard JSF offers out of the box with regard to authorization/authentication. JSF is just a component based MVC framework.
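One way to write the filter suggested in the answer, as an added example that is not part of the original posts. It assumes container-managed login (so the principal is set once the user has signed in); the class name `AnonymousOnlyFilter` and the redirect target `/index.jsf` are hypothetical, while the role names come from the question's constraint.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; mapped to the sign-up page from the question.
@WebFilter(urlPatterns = "/signup.jsf")
public class AnonymousOnlyFilter implements Filter {

    // Role names taken from the question's <auth-constraint>.
    private static final String[] ROLES = {"GENERAL", "ADMIN", "STAFF", "INSTRUCTOR"};

    // Assumed landing page for users who are already signed in.
    private static final String HOME = "/index.jsf";

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isLoggedIn(request)) {
            // Authenticated: keep the user away from the sign-up page.
            response.sendRedirect(request.getContextPath() + HOME);
            return;
        }
        chain.doFilter(req, res); // Anonymous: let the request through.
    }

    // True if the container reports a principal or any of the known roles.
    private static boolean isLoggedIn(HttpServletRequest request) {
        if (request.getUserPrincipal() != null) return true;
        for (String role : ROLES) {
            if (request.isUserInRole(role)) return true;
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

The filter runs for every HTTP method on the mapped pattern, so form POSTs to the sign-up page are blocked for signed-in users as well as GETs. If the FacesServlet is also reachable under another mapping, that pattern needs to be added to `urlPatterns` too.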