Navigation handlers and user authentication

I've implemented a system to force user logins based on the code demonstrated here: http://www.jsftutorials.net/jsfNavigation/jsf-login-navigation-redirect.html but I've come across a problem.
It seems the navigation handler is called only when JSF needs to resolve the outcome of an action and this means that in certain cases a user can view a secure page without having to log in. For example, using the example app from the above link, if a user goes to the start page of the project and clicks on the command buttons to access the protected pages, they are re-directed to the login page as expected. However, if they go to the url of the protected page directly (eg http://localhost:8080/jsf-loginRedirect/secure/editUserProfile.jsf ) it still displays the page.
Currently I've got a filter in place that re-directs the user to the login page of the web app if there isn't a valid user logged in, but as this runs outside a Faces context I can't track the user's requests.
Is there some way I can force JSF to call the navigation handler for normal get requests?

Chops,
There are 2 things related to this issue,
1. When the user goes out of the application, you must invalidate the session. So that the userid will not be present in the session.
2. You can have a phase listener that checks for User Id in session, if the user id is empty, you can re-direct the user to login page. If user id is present automatically the control will go to the navigation rule page.
Phase Listener will enforce the user authentication.
Hope this logic helps you to solve the issue.
Thanks
Prakash

Similar Messages

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
    I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
    That would have plugged a few security holes for me.

  • Is it possible to do machine and user authentication in same Authorization profile?

    Hi,
    I want to know is it possible to do machine authenticaiton and user authentication happen at the same time? Some thing like this...
    Condition
    IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
    Permissions
    then Vlan x
    Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
    Any help will be of great value.

    Hi,
    IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
    - Not possible
    As user and machine authentication occur at different contexts.
    ACS cannot verify the both at the same time.
    Using MAR, you can, though club the both together and achieve:
    "machine is part of domain and user is valid only then he should be able to have full access"
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
    Tips for configuring MAR:
    1) Set the client to perform user or computer authentication.
    2) Create two rules in authorization, one for user and and one for machine (identity them by using group membership on AD).
    3) Enable MAR under the AD configuration page on ACS and set the aging time.
    4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
    Rate if useful

  • Machine and User authentication with ISE 1.2.1

    Hi ,
    Can any one tell me in machine authentication what access need to be enable DACL for machine logon?
    Can we enable the access on port level ? direct to tcp/udp or ip level what is the best practice.
    Thanks 
    Pranav

    is this what you are looking for EAP Chaining which uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • Problems with 802.1x MS PEAP machine and user authentication

    Using Microsoft PEAP 802.1x client on Windows XP SP2, if we enable machine authentication against a Windows Domain, the machine authentication is successful and the machine gets access to the network. However, when user logon occurs to the domain, contrary to the flow given in ACS and Windows documentation, no user authentication takes place.
    We need to differentiate user access based on their identities. We need machine authentication only to allow users access to the domain controller and also GP implementation.
    Any idea why user does not get prompted when they logon. 802.1x is configured in users profile and I have tried with both integrated and non-integrated with Domain logon (i.e. "use my windows logon name and password and domain (if any) option"
    There is no record of any identity request/response in ACS after the initial machine authentication (which appears in successful authentication log)
    We are using MS-CHAPv2.

    Update...The problem of cached credentials in MS PEAP does not occur if "enable logon using Windows username and password (and domain if any) is checked. Using this option, MS PEAP always uses logged on users most current credentials.
    However, using this option sends the username as "DOMAIN\USERNAME". Since we are using ACS internal database for user authentication (even though the ACS and Windows passwords are same - using an identity management system) ACS does not recognize the user.
    I have tried proxy distribution with prefix stripping but it does not seem to work when it is pointing to the same ACS server on which proxy distribution is configured and which receives the request.
    Any idea how the domain\ can be ignored by ACS?

  • J2EE and user authentication not working

    Hi,
    has anyone gotten the basic/form based authentication to
    work in the latest version of the 9iAS?
    Oracle9iAS (9.0.2.0.0)
    I've read all the posts and articles from orionsupport.com
    BUT it still does not work.
    Support Folks from ORacle: Where is the latest documentation
    for the Server ???? Everything seems outdated??
    cheers,
    Vijay

    Hi,
    You can change User and password through SU01 through UME. and also read SNote:  Note 891614 - Login problems / Expired password
    Regards
    Thomas

  • XI and user authentication VS R/3 systems

    Hi *,
    I'm trying to configure this kind of scenario:
    1) user xyz sends a request to a web service, which is exposed by XI via its outbound interface
    2) XI performs all the necessary mapping stuff and via the routing procedure identifies the right inbound interface to contact.
    3) the inbound interface, via an RFC adapter, connects to an R/3 system in order to write a purchase order.
    4) RFC response is retrived via XI pipeline to the outbound response interface
    Problem: maybe xyz has not enough permission to create the purchase order, moreover the standard BAPI, which is involved in this procedure, performs an authorization check on the logged on user.
    how can R/3 system know that xyz is the user that would like to perform the purchase order creation and then correctly check xyz permissions?
    I have configured, since is mandatory, into the RFC adapter, a logon user but it shouldn't be the same that performs the web service request, in this case xyz.
    Any hints?
    Many thanks
    Cheers
    Roberto

    Hi Roberto,
    I think the easiest way to solve this problem is to write the user in the request messages.
    So you can check the user on XI in proxy or mapping.
    When the user has no permissions so the XI sends no request to R/3.
    Other idea is to configure for every user a Communication Channel and diffrent Business Receiver Systems. So the XI will read the user from message and send this to the Business System with the user specific Communication Channel.
    But i think the first idea is the better one
    Regards,
    Robin

  • WLC 4400 and user authentication

    I would like to know if it's possible to configure/use WLC4400 to authenticate user from LDAP database. Currently I have LDAP server with VPN 3020 box to control user access for WLAN. Is there any way that I could set up 4400 box with my existing LDAP server without using VPN 3020?
    Thanks in advance.

    You'll need a radius middle man. ACS will do it natively.

  • OCILogon function and user authentication

    I am using the OCILogon function. What I am finding is that I
    am able to login using a userid and password that's not there in
    the database. Why is this? Isn't OCILogon supposed to generate
    an error?
    Thanks.

    The OCILogon function takes the dbname and the length of the
    dbname as the last two parameters. In some code examples, I
    have seen these these parameters are 0. What does this mean?
    Even though a dbname is not being specified the sample program
    is able to login into the only database I have running.
    What does it mean to specify 0 as the dbname?
    Hope I did a better job of asking the question.

  • End-to-End user authentication with XI

    Dear community,
    we sit in a situation where the customer wants to have an end-to-end-authentication throughout an integration process.
    The setup is as follows: a dialog-user in a legacy system uses an application that triggers an integration process through XI into SAP ERP. The dialog-user in the legacy system must be used for authentication in XI as well as SAP ERP.
    To avoid having to re-create all users in XI and SAP ERP, ideally an LDAP instance would be used for authentication.
    Based on my knowledge, the above scenario is not possible with XI and there is a 2 year old thread discussing the same without any positive outcome:
    XI and user authentication VS R/3 systems
    Nevertheless I consider this requirement as a pretty standard one. Has there been any development in this area - or how have similar customer requirements been met ?
    Thanks a lot in advance !
    Jochen

    Hi Jochen,
    i've heard rumours saying that credential forwarding will be incorporated in the next XI release as it is a rather frequent requirement by customers and will make live much easier.
    Maybe you can get a statement through your clients SAP account representative on the release date and the planned feature.
    Regards
    Christine

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
    an example (uses user/pass though, but same concept)
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • EAP-TLS machine and user cert or both

    If I use machine and user certificates does that mean the machine get's an IP address, authenticates, the user then logs on which causes another DHCP renew and user authentication?  Is it better to use machine and user or just machine?

    It depends on your needs and applications, the advantage of also using machine authentication is that the machine connects, authenticates and is on the wireless network irrelevant of whether a user has logged in, which means you can remote access or monitor the machine at that point. I know alot of facilities that do it that way because they manage the machines with things like SMS, etc..   Without machine authentication the computer won't attach to the wireless until a user physically logs into the machine at which point it pass authentication.
    personally I like the machine authentication that way you can push updates and other things to the machines without having to either send a person to the machine to login or waiting for a user to login so that you can access the machine, it just needs to be on.
    in short machine authentication replicates being hardwired to the network.
    Hope this helps...  please rate useful posts.
    Thanks,
    Kayle

  • Win 7 client with machine and user auth stuck in 802.1x_REQD

    Hi everybody
    we have a WLC 5508 with 7.2.110.0 and an ACS 5.3 and do the following:
    - Win 7 client gets a GPO object with the wlan configuration for "Machine and User authentication" with PEAP
    - On ACS 5.3 I configured correctly the authentication and authorization for first machine authentication and then user authentication ("Was machine authenticated = true)
    - First when machine authentication happens, the client is configured into a quarantine VLAN, where it is only allowed to communicate with the domain controllers
    - When the user authenication happens, the client is moved into the productive client vlan with no restrictions.
    Everything works fine, except that after the user loggs in, it takes about 3 minutes until the client answers the EAP Identity Request and loggs in, see attached screenshot or the screenshot below:
    In the client status on WLC i can see that the client is stuck in the 802.1x_REQD state for these 3 minutes, until suddenly it authenticates (but then very often, about 5 times - see screenshot).
    We tried the following to find the problem spot. but we were not able to locate the problem:
    - Configure the machine and user authentication into the same vlan all the time
    - ONLY user authentication on the client
    - Played with the Win 7 settings (timers, and so on)
    - When we manually configured the WLAN profile on the Win 7 client and saved it, the Win 7 client connected to the SSID without any problems and without any delay (about 5 seconds after the save)
    Did someone ever had the same issue?
    Thanks a lot and best regards
    Dominic

    Hi Amjad
    very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that I should be the WLC or the client settings, but not the driver. We will give a shot on this next week, maybe this will help us to solve the problem.
    It is normal to have the clietn in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation untlil the client fully authenticates.
    Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
    - What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
    WZC.
    - what is the result when testing with user auth only?
    The same, it takes such a long time.
    - what ist he result when testing with machine auth only?
    Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
    Regards and have a nice weekend
    Dominic

  • OS-X - 802.1x and machine authentication

    Hi all
    I have a customer with a large installed base of MacBooks Pro running MAC OS-X, connected via WLAN to a centralized Cisco WLC 5508. He also has installed a Cisco ACS 5.x as RADIUS server and Open LDAP as directory services.
    The customer wants to do machine authentication based on cthe lients MAC addresses, which means that the ACS 5.x has to check the clients MAC address against the LDAP.
    Obviously MACs are not able to send "host/" to differentiate between client- and user-authentication, which by the way works perfect.
    - Does anybody have made the same experiences ?
    - Has anyone managed to get this running ?
    - Can anyone provide me config examples, hint or tipps ?
    Everything is very much appreciated since this is an urgent request.
    Many thanks in advance
    Best regards
    Roman

    Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
    Glad you found resolution with a later version of the OS.
    Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

  • 802.1x machine vs user authentication

    In the process of depolying 802.1x on wired LAN. What is the difference between machine authentication and user authentication? Thanks in advance.

    OK, so assuming we're still talking the MSFT supplicant, you have some options:
    1) USe EAP-TLS and mark any certs deployed to your corporate-owned assets and non-exportable. This solves the issue by brute force. You don't exactly need machine-authentication to do this. You may need machine-auth for other reasons (as I believe we've discussed here).
    2) If PEAP is in use, use the machine-auth and the Machine-Access-Restriction feature in ACS. What this does is a coupling of the notions of machine-auth as a preceeding policy decision for user-auth. Example: It is technically possible that anyone with a valid NT account may be able to 802.1x-authenticate from "any" machine. But with the machine-access-restriction feature, they will only be able to do so if ACS has also authenticated a valid machine-auth session prior to the login attempt.
    3) Use a NAR in ACS. A NAR is a Network Access Restriction. If for example, you have a database of all the MAC Addresses you have (or an OID wildcard) you can configure further checking of a MAC address from an otherwise valid 802.1x authentication attempt. This effectively tells ACS to only allow authentication attempts from MAC Addresses it knows about.
    Hope this helps.

Maybe you are looking for

  • Purchasing and downloading photoshop cs5 education help.

    I am looking to purchase and download photoshop cs5 education version direct from adobe australia. However i would like to know if once i have downloaded whether i am able to install it on both my computers imac and macbook pro? Or am i limited to th

  • P6 and Bar Code Schedule

    I'm in the process of converting P3 to P6 and need to create a P6 schedule with bar codes in the gantt chart area. Is this possible at all? If not, does anyone have a work around?

  • How to prepare FI-GL for Consolidation in SEM BCS

    Hello together, can somebody tell me in a few steps how to activate the FI-GL (0FI_GL_6) that it can be used for consolidation in SEM BCS. My problem is that FI_GL_6 (and also FIGL_C10 for new FI-GL) have not all required fields for consolidation in

  • Macbook not compatable with iPhone 4

    I got the iPhone 4 in December, and cannot use it with my Macbook. I need to download the newest version of iTunes-but am still only running Mac OS X 10.4.11. I bought the snow leopard software-but my computer doesn't have enough memory to install it

  • FM for inser bseg and bkpf

    Is there is any functional module avaibale to insert bkpf and bseg table very urgent please Thanks Ramki