Michael Schembri

This ajax calls are made in an authetnicated page. I'm looking into this for when the session times out. the idea is that i would refresh the entire page if user gets a 403, requiring the user to login.

I tried to check for roles from a servlet that does nto fall under the security-constraint and as you pointed out it didn't work. I was going to return the 403 if a custom user session object is null.

I have setup my web.xml with a login page, however, I would like the server to return a 403 status for certain servlets that are used for async calls.

Servlets requiring authentication are all mapped as /restricted/*

I can only think of 2 options:

1. mapping async servlets outside of "restricted" and checking for the roles in the servlets

2. handling redirect to login page in servlets that forward to a page

Is there any other way I can do this and whilst keeping access control consistent throughout?

Looked into your suggestion to go for a surrogate pk, makes more sense, tnx.. the unique constraint for composite can be enforced at hibernate level using @UniqueConstraint

@Entity @Table (name="orderLine", uniqueConstraints = {@UniqueConstraint(columnNames= {"orderId", "productId"})}) public class OrderLine implements DomainObject { private Long id; private Order order; private Product product; @Id @GeneratedValue public Long getId() {return id;} public void setId(Long id) {this.id=id;} }

Thanks, I tried it out and it works

Ok: GenericDao<OrderLinePK, OrderLine>
Error: GenericDao<OrderLinePK, Customer>

My question is not related to the hibernate/database aspect, I only mentioned that to explain what I would like to achieve.

see comments in the code below

public interface DomainObject<U extends Object> extends Serializable { // <-- I solved this part by adding U U getId(); void setId(U id); } public interface GenericDao<T extends DomainObject> { public T get(Long id) ; // <-- need to get Long id to use U public void save(T object) ; public List<T> getAll() ; }

Ok, here's some background info. GenericDao is later implemented as a generic hibernate data access object that uses hibernateTemplate. the get method in hibernateTemplate accepts a serializable parameter as an ID.

The composite key OrderLinePK is a serializable class used to represent the composite key in OrderLine. I would like to amend GenericDao to support keys other than Long ids.

@SuppressWarnings("unchecked") public class GenericDaoHibernate<T extends DomainObject> extends HibernateDaoSupport implements GenericDao<T> { private Class<T> type; @Override public T get(Long id) { return (T) getHibernateTemplate().get(type, id); } // more code here } @Embeddable class OrderLinePK implements Serializable { private Order order; private Product product; @ManyToOne public Order getOrder() {return order;} public void setOrder(Order order) { this.order = order; } @ManyToOne public Product getProduct() {return product;} public void setProduct(Product product) {this.product = product;} }

I am using sample code from a spring persistence book that uses 2 interfaces: DomainObject and GenericDao
public interface GenericDao<T extends DomainObject> { public T get(T id) ; public void save(T object) ; public List<T> getAll() ; } public interface DomainObject extends Serializable { Long getId(); void setId(Long id); }
The problem is that the interfaces assume that the id of the domain object is always a long integer. In my case I have a domain object that has a composite key (OrderLinePK). I thought that I could fix this by implementing generics in DomainObject
public interface DomainObject<T extends Object> extends Serializable { T getId(); void setId(T id); }
The problem is how am I going to amend GenericDao to use DomainObject's generic parameter.

I know I could easily scrap the DomainObject and GenericDao interfaces, but would like to see how i can adapt the code for my requirements.

The problem was that I was setting the managed property with the domain object returned by the service layer. so the jsf framework was referencing a different object.

I had to use the facescontext to set the authenticatedUser managed bean.

So rather than exposing the persistance domain object, you keep an instance somewhere in the backing bean (e.g. for any possible updates to the record)?

The problem was that I (wrongly) assumed that setting the managed property would also set the managed bean injected into the property. In hindsight it makes sense that it wouldn't work.

it would have been nice to have a backing bean without jsf specific code (facesContext).. but i guess it's asking too much

RE controller, thanks for clearing it up.. is there a better naming convention?

Thanks, j2ee/Spring Security is on my to do list, I just started with a login page as it was the simplest scenario I could think of.

the authenticatedUser bean is in session scope, and the loginController is in the request scope..

it seems like it's working the other way round.. the controller instance is the same in login.jsp and welcome.jsp, whereas authenticatedUser is empty in welcome.jsf

Am I missing something?

I'm new to jsf and am trying to get started with a basic app using jsf, hibernate and spring.

basically, loginController has a method login() that sets the authenticatedUser property with the domain object returned by the service class.

in the "success" page, loginController is the same instance as in the login page, so i can access the user details using loginController.authenticatedUser, but authenticatedUser is empty..

so #{authenticatedUser.email} returns blank but #{loginController.authenticatedUser.email} returns the email for the user..

when injecting a managed bean into another, does jsf inject an object reference or a "copy" of the bean?

<application> <variable-resolver>org.springframework.web.jsf.DelegatingVariableResolver</variable-resolver> </application> <managed-bean> <managed-bean-name>authenticatedUser</managed-bean-name> <managed-bean-class>org.mike.dal.domain.User</managed-bean-class> <managed-bean-scope>session</managed-bean-scope> </managed-bean> <managed-bean> <managed-bean-name>loginController</managed-bean-name> <managed-bean-class>org.mike.presentation.controller.LoginController</managed-bean-class> <managed-bean-scope>request</managed-bean-scope> <managed-property> <property-name>UserService</property-name> <property-class>org.mike.service.UserService</property-class> <value>#{UserService}</value> </managed-property> <managed-property> <property-name>authenticatedUser</property-name> <property-class>org.mike.dal.domain.User</property-class> <value>#{authenticatedUser}</value> </managed-property> </managed-bean>