I need to create a webapp that has a login system.
the user should authenticate against a database.
I want to save the userrole in session - or are there other (better) ways?
Furthermore there are areas for user access.
Guest area,
user area,
admin area.
The question now is.
How can I easily implement the authorization with jsf2.0?
I don't want to test on each site, if the user is permitted to acces the site or not.
Is there a configuration in web.xml or faces-config.xml that test the cases?
Can someone show me a tutorial or sample code?
Thanks and best regards
veote
You can also look at options (Framewroks)
Spring Security
Apache Shiro
Java EE Security Tutorial
As already suggested Application Server provided Authentication/Authorization.
Implement a Filter (Custom home grown logic for Authentication/Authorization)
Blogs covering AnA in JSF
User session filter
Access Control in JSF using a PhaseListener
Hope this helps
I am not familiar with Websphere, but since it is a Java EE 6 compliant application server, you can create a JDBCRealm for this purpose. See this chapter of the Java EE 6 tutorial.
You can try this approach, it uses PhaseListener to check if user has rights for accessing current site during the RESTORE_VIEW phase. It is quite easy to implement it and it's portable between different servers(opposite from realms)
Related
I have the following architecture:
front-end = AngularJS
back-end = Java EE7/REST-API
Both are deployed on Wildfly 8.2 using Undertow as application server.
My first question is regarding the authentication mechanism:
Should I use form based authentication and having a web.xml that protect my pages with security constraint ? same for REST-API, they will be protected by a security constraint.
I can have then a j_security_check with j_username and j_password on a simple login page.
On server side, I can do a JAAS login then.
Should I use JSON token authentication, so login and logout will use REST web services and generate some access token, those tokens will be saved into a database with a specific time-limit.
That is all regarding security.
Now I am talking about the $scope object in Angular, as you know it will disappear on Angular 2.0, so I am trying to avoid it as much as possible but then how to replace these:
$scope.$apply()
$rootScope
$broadcast
I know that Angular 2.0 encourage web components development with directives as controllers but I have no idea how to replace these specific objets.
Thank you for your help !
Security:
Let me ask you this in a different way. Is your back end going to be
a) Web layer for all the front end applications
b) API layer that has consumers outside of web pages.
If you answered a) Then you may probably go for form based/container based security.
If you answered b) Then you may think of token based authentication
Angular $scope
Try to follow some common style guide like https://github.com/johnpapa/angular-styleguide#controllers. This might not be a complete solution but will help you avoid $scope.
BTW: Here is my generator that is based on the style-guide that can help you getting the code cleaner and have best practices. http://reflexdemon.github.io/slush-angular-gulp/
I was following this tutorial to create form-based authentication in for my jboss java EE 6 application.
However it has no code for the login servlet. After searching other resources I found that the login servlet code is not mentioned anywhere.
Where can I find the code for the login servlet? Maybe its very basic, but I am new to Java and I can't write it myself.
The tutorial doesn't have servlet code because the security is provided by the container itself and container security is configured using the deployment descriptor.
You may read this article for further information and decide whether you use the container security or a custom implementation.
At Stormpath, we have a ready-to-use login Servlet that you could use. The only caveat is that it requires Servlet 3.0 or later and it is coupled to our own User Management service.
Our Login Servlet will automate all user registration, login, authentication and authorization workloads.
Take a look at this one page long quickstart: https://docs.stormpath.com/java/servlet-plugin/quickstart.html. It will describe the few steps that you need to carry out to integrate it into your app.
BTW, the Servlet Plugin is completely open source; the code is here in case you want to take a look at it.
I want to have authorization in my Java EE application.
Online it describes how you should define the roles in sun-web.xml. However I would like to have all my roles, and groups defined in a database table.
That means, when I access a method for my application, the request needs to be intercepted to see if the user is allowed in the role.
Do I need to
create some kind of interceptor class that checks auth as user makes call to my web service method
create a custom Login Module that fishes out the group and role data from the database when a user first logs on
Any pointers would be really helpful.
First of all: I would strongly suggest using standard authorization mechanisms.
But for your use-case these standard mechanisms won't work, see this post: dynamic roles on a Java EE server
Roles have to be declared in the web.xml or sun-web.xml.
Frameworks
The next thing I would look into are frameworks, that could help you with that. The link will provide you with two suggested frameworks.
Building your own
If you don't need it for productive purposes, I would suggest the following:
use Filters to check for authorization and authentication: Filters a fairly easy to use ,very powerful and often used for security purposes: See http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html for more information about filter.
For the login, you could probably just stick with the standard form-based login.
I have a couple of Java-based web applications developed. Both the applications have separate Authentication logic based on some ActiveX directory implementation.
Now, I need to change this to Windows authentication so that whenever the user hits the URLs of my web applications, instead of redirecting him to login page I need to check his Windows credentials.
I do not want to store his windows credentials in URL.
Is there any good way to do this ?
Depending on the level of integration you want your web application to have, Spring Security should have you covered in just about all aspects of what you are after.
If redirecting to a login page and authenticating the entered credentials against an Active Directory server via LDAP is acceptable, then the LDAP extension is the way to go.
If you want more of a Single Sign On (SSO) flow and your users are already authenticated against the authoritative Active Directory server in question (eg. they are logged in to the domain), then the Kerberos plugin for Spring Security may be more appealing, since your users will simply have to go to the web application and won't have to go through any other authentication steps. The systems will take care of it behind the scenes.
You can also combine / layer these approaches if you which and try Kerberos-based authentication first and if that falls through, fall back to a login form and LDAP-based authentication.
If you need to go beyond that, Spring Security is flexible enough to allow you to use OpenID or in-app authentication as well if needed.
I'd recommending using Active Directory to expose it's windows authentication layer over LDAP, which can then be hit by something like Spring Security.
This would effectively force anyone using your application to use their windows login.
I have a java web application (running on JBoss), which need to authorizate users by their domain objects, without asking any usernames and passwords.
Users are running windows, authorization with LDAP server.
WEB application is based on SPRING, so i hope that there is already implemented same functionality, but i didn't fount it.
Is it possible to authorizate user without asking username and password?
Some links on samples would be great :)
Found some solutions. Links below:
http://rgagnon.com/javadetails/java-0441.html - old sample throught JSP
http://blog.springsource.org/2009/09/28/spring-security-kerberos - a bit harder, but more actual sample of spring Kerberos/SPNEGO extention (that's what I was looking for).