Problem with JSF forwarding and security constraint

Question

I'm making a web application in which certain pages are login-protected. I have created a JDBC security realm in glassfish for this, and used Form authentication (Similar to the method described here)

I'm using Navigation rules to redirect the user to the secured areas of the website:

<navigation-case>
        <from-outcome>showResults</from-outcome>
        <to-view-id>/SecureUser/Reservation/New/AvailableResults.xhtml</to-view-id>
        <redirect/>
</navigation-case>
(etc...)

This works fine. But if I skip the redirect tag in the navigation-case, then the URL of the page doesn't change. And in that case, an unauthenticated user is able to access the secured page.

What is the best way to go about this? Making sure that the page is redirected instead of forwarded is good enough? Should I write code in every secured page that checks whether the user is logged in or not?

Answer 1

Using POST for page-to-page navigation is considered bad practice. Don't use JSF h:commandLink or h:commandButton for simple page-to-page navigation. Both generates a POST form which is totally unnecessary and SEO-unfriendly for simple navigation. Rather use h:link or h:button instead. It renders a plain vanilla GET link and GET form respectively.

If you are submitting a POST form anyway and the result page is different from the form page, then using PRG (Post-Redirect-Get) pattern is considered good practice. You can use <redirect/> for this.