I'm developing a Java EE application (JSF2 + richfaces+ Facelets + Tomcat).
What's the best way to perform authentication when using JSF?
Or should I make my own?
People usually pick between (in no specific order):
JAAS (which is the Java/Java EE default security framework)
Spring Security
Custom Made Security
I never used Spring Security but the documentation is huge, I gave up trying that once because of time constraints. JAAS has the advantage of being simple and working out of the box with Tomcat.
I've seen custom security built on top of JAAS too.
What you really have to do is figure out what you will specifically need in your application and check which frameworks suit your needs better.
Without knowing your business needs, if you only need Authentication (User login) I would say JAAS is the most simple way to go as it is not application intrusive and you won't need to add Spring dependencies if you are not already using it.
Go for Spring Security
Here is how to integrate it with JSF
Edit:
http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/
I think that Leonardo answered it correctly, but you could also consider Central Authentication Service (CAS) for enterprise-wide security. It is a little more complex to configure, but the benefits are tremendous. It also supports an enormous number of out-of-the-box authentication mechanisms from LDAP to NTLM. CAS also provides extensions for custom authentication.
If you choose to use Java EE containers, and wish to use form based authentication, I have published a couple of examples for use with JSF 1.2 and 2.0 and j_security_check
JSF 1.2 Facelets Form Based Authentication (j_security_check)
JSF 2.x Facelets Form Based Authentication (j_security_check)
In addition, the Servlet 3.0 API provides login and authentication based on the container via the HttpServletRequest API.
JBoss Seam integrates EJB 3, Facelets, JSF, and Hibernate really nicely. It also provides validation of data and some security stuff too. If you use it for all its features, it is really sweet. If you try to pick and choose only certain things out of it, then it is still cool, but you have a few workarounds. But I've been impressed with what I've seen of Seam so far.
Apart from the mentioned frameworks there's also Seam Security which integrates nicely with CDI through an Extension.
You can try Apache Shiro, which gives authentication, authorization and many others.
For simple authentication, a very simple approach is to check for a valid user object in the template using JSTL, and show the login form if not.
For example, assume your template is webapp/WEB-INF/templates/default.xhtml; inside the template:
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:c="http://java.sun.com/jsp/jstl/core">
<h:head>...</h:head>
<h:body>
    <c:if test="#{mbSecurity.validUser}">
        <!-- authenticated template sections go here -->
    </c:if>
    <c:if test="#{not mbSecurity.validUser}">
        <ui:include src="/WEB-INF/inc/login-form.xhtml" />
    </c:if>
</h:body>
</html>
Advantages: zero dependencies and zero configuration; also, if the session has expired, after the login the user will go back to the original page he was on.
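The two container-based ideas above (the Servlet 3.0 login API mentioned in the j_security_check answer, and the `mbSecurity.validUser` check the template above tests) can be combined in one managed bean. The following is an added example written for this page, not code from either answerer; it assumes JSF 2.0 on a Servlet 3.0 container (javax.* packages) with a Tomcat realm already configured (for instance tomcat-users.xml), since `HttpServletRequest.login()` validates credentials against the container's realm rather than against application code. The bean name `mbSecurity`, the `login-form.xhtml` field bindings in the comment, and the `/index` start page are assumptions.

```java
// Added example: JSF managed bean "mbSecurity" backing the <c:if test="#{mbSecurity.validUser}">
// template check with the Servlet 3.0 container login. Not code from the original answers.
//
// Assumed /WEB-INF/inc/login-form.xhtml bindings:
//   <h:form>
//     <h:inputText   value="#{mbSecurity.username}" />
//     <h:inputSecret value="#{mbSecurity.password}" />
//     <h:commandButton value="Login" action="#{mbSecurity.login}" />
//     <h:messages />
//   </h:form>
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

@ManagedBean(name = "mbSecurity")
@RequestScoped
public class SecurityBean {

    private String username;
    private String password;

    private static HttpServletRequest request() {
        return (HttpServletRequest) FacesContext.getCurrentInstance()
                .getExternalContext().getRequest();
    }

    /** Bound as #{mbSecurity.validUser}: true once the container has authenticated this session. */
    public boolean isValidUser() {
        return request().getUserPrincipal() != null;
    }

    /** Convenience for action methods that must also check authorization, not just rendering. */
    public boolean isInRole(String role) {
        return request().isUserInRole(role);
    }

    /** Login form action: the container checks the credentials against its realm. */
    public String login() {
        try {
            request().login(username, password);
        } catch (ServletException e) {
            // One generic message for unknown user and wrong password, so the form
            // does not reveal which of the two failed.
            FacesContext.getCurrentInstance().addMessage(null,
                    new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null; // re-render the same view; the template still shows the login form
        } finally {
            password = null; // do not keep the clear-text password in the bean
        }
        return null; // re-render the same view, now with the authenticated sections
    }

    public String logout() {
        try {
            request().logout();
        } catch (ServletException e) {
            throw new IllegalStateException(e);
        }
        request().getSession().invalidate();
        return "/index?faces-redirect=true"; // assumed start page
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

The `<c:if>` only decides what the template renders. A JSF action on any other bean can still be invoked by a crafted POST whether or not the page showed a button for it, so action methods that matter should check `request().isUserInRole(...)` (or sit behind a `<security-constraint>` in web.xml) themselves rather than rely on the markup being hidden.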
I've started learning Spring Boot coming from a NodeJS/Express background and I'm wondering what's the difference between the server that we create ourselves in an Express app that listens on a certain port, and the Tomcat server in a Spring application, also called a container? Why can't we do the same in a Spring Boot application where we create the server ourselves?
const express = require("express");
const app = express();
app.listen(3000, () => console.log("Server listening on port 3000"));
Welcome to the Spring Ecosystem. We hope you enjoy your stay!
My first bit of advice, forget everything you know about Express because Spring is very different. I have not used Express in a while, but I remember it had a very programmatic approach. While that is possible in Spring, the most popular approach is declarative with annotations. Or, if you are old and like old technology, you can configure everything with XML.
What's Tomcat? Tomcat is an implementation of various Jakarta EE (formerly Java EE) specifications. Depending on the Spring Boot version, you may see packages that start with jakarta or javax. Tomcat implements Jakarta Servlet, Server Pages, Expression Language, WebSocket, Annotations, and Authentication. You can read more about each specification here. Note: Spring Boot by itself does not necessarily use all of these modules, and mostly Spring has many abstraction layers on top of them anyway, so you will rarely work with Tomcat directly. Specifically, spring-boot-starter-tomcat is the Spring module that uses Tomcat, and is most often included as a transitive dependency through spring-boot-starter-web.
Now, to answer your question...
Spring Boot Web configures Tomcat for you. You can definitely override this behavior! One basic way is through configuration properties. Anything under server.tomcat. A good IDE should autocomplete and show you the options. You can also change the address and port of the Tomcat server with server.address and server.port. Another popular property developers change is server.error.whitelabel.enabled. They set it to false and provide their own error page. Here is a great example. By the way, Baeldung offers a lot of free Spring tutorials and guides. It is a great place to get started. They also offer paid courses with certifications.
FYI, you do not have to use Tomcat. Read more here.
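For readers who want the programmatic analogue of `app.listen(3000, ...)`, here is an added example (mine, not from the answer above or from the Spring project) of overriding the embedded Tomcat the way the `server.port` and `server.address` properties do, using Spring Boot's `WebServerFactoryCustomizer`. It assumes Spring Boot 2.x or later with spring-boot-starter-web on the classpath; the port, bind address and error-page path are constructed values.

```java
// Added example: programmatic configuration of Spring Boot's embedded Tomcat.
// Equivalent to server.port=3000, server.address=127.0.0.1 and a custom error page
// in application.properties; assumes Spring Boot 2.x+ with spring-boot-starter-web.
import java.net.InetAddress;

import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.ErrorPage;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;

@Configuration
public class EmbeddedTomcatConfig {

    // Spring Boot invokes this customizer before it starts the embedded server, which is
    // the closest thing to express's app.listen(port, ...) call in the question.
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
        return factory -> {
            factory.setPort(3000);

            // Bind to loopback only (same as server.address=127.0.0.1). The default binds to
            // every interface, which is rarely what a service behind a reverse proxy wants.
            factory.setAddress(InetAddress.getLoopbackAddress());

            // Replace the whitelabel error page for 500s with an application view, so stack
            // traces and framework details are not shown to clients. Path is a constructed value.
            factory.addErrorPages(new ErrorPage(HttpStatus.INTERNAL_SERVER_ERROR, "/error/500"));

            // Raw Tomcat connector attributes, for settings that have no server.* property.
            factory.addConnectorCustomizers(connector ->
                    connector.setProperty("maxHttpHeaderSize", "8192"));
        };
    }
}
```

In practice the property form (`server.port=3000` and friends in application.properties) is what most Spring Boot projects use, and it is also what the answer recommends; the Java form matters when a value has to be computed at start-up or when you need a Tomcat connector attribute that has no property.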
I have a Spring application running (using Spring Boot) either directly on Java or on a Tomcat 7 server. I need to create absolute URLs for a couple of pages (mappings) so that these links can be sent via e-mail.
I thought this would be simple, but now it seems hard. I would prefer a solution that is 100% written in Thymeleaf, but if that is not possible, I can certainly provide Thymeleaf with some variables from my Java code.
Anyone solved this before in Thymeleaf?
In my opinion, you should provide a server URL in a property file and then access it in Thymeleaf. You can do it by accessing a Spring Bean in a view:
<div th:text="${@urlService.getApplicationUrl()}">...</div>
In the above example, the urlService is a Spring Bean.
Please see this answer: https://stackoverflow.com/a/675903/718515
You may also be interested in the #ctx variable that gives you access to the servletContext. See the Thymeleaf documentation: http://www.thymeleaf.org/doc/html/Using-Thymeleaf.html#base-objects
I hope it helps!
I just did something similar where I was using Thymeleaf to generate an HTML email (and so of course links had to be made absolute). I used Thymeleaf's built-in @{} link syntax to create the appropriate URL relative to the server (since it calls HttpServletResponse.encodeURL(), which I needed to do as I had a custom implementation to do some additional URL munging), and then used Spring's ServletUriComponentsBuilder to make the URL absolute using the HttpServletRequest server information.
<p th:with="
    relativeCustomerInfoPath=@{|/my/path/${customer.code}/info/|},
    customerInfoPath=${T(org.springframework.web.servlet.support.ServletUriComponentsBuilder).fromContextPath(#httpServletRequest).replacePath(relativeCustomerInfoPath).toUriString()}">
  Go see your info at
  &lt;<a th:href="${customerInfoPath}" th:text="${customerInfoPath}">Link</a>&gt;.
</p>
There may be a better way, but this worked well for me and does the making of the URL absolute entirely within Thymeleaf (though using Spring's library).
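The `urlService` bean that the first answer references as `${@urlService.getApplicationUrl()}`, and the request-derived approach of the answer just above, can both live in one small Spring bean. The following is an added example written for this page, not code from either answerer; it assumes Spring MVC on a servlet container and a per-environment property with the hypothetical name `app.base-url` (for example `app.base-url=https://app.example.com`).

```java
// Added example: a Spring bean "urlService" callable from Thymeleaf as
// ${@urlService.absolute('/my/path/' + customer.code + '/info/')}.
// Assumes Spring MVC (javax.servlet) and a property app.base-url (hypothetical name).
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
import org.springframework.web.util.UriComponentsBuilder;

@Service("urlService")
public class UrlService {

    private final String baseUrl;

    public UrlService(@Value("${app.base-url}") String baseUrl) {
        this.baseUrl = baseUrl;
    }

    /** Bound as ${@urlService.getApplicationUrl()}: the configured base, no request needed. */
    public String getApplicationUrl() {
        return baseUrl;
    }

    /** Absolute URL built from the configured base: usable from a mail job with no request. */
    public String absolute(String relativePath) {
        return UriComponentsBuilder.fromHttpUrl(baseUrl)
                .path(relativePath)
                .build()
                .toUriString();
    }

    /**
     * Absolute URL built from the current request's scheme, host, port and context path,
     * the same mechanism as the ServletUriComponentsBuilder answer above. Unlike
     * replacePath(), path() keeps the context path and appends to it.
     */
    public String absoluteFromRequest(HttpServletRequest request, String relativePath) {
        return ServletUriComponentsBuilder.fromContextPath(request)
                .path(relativePath)
                .build()
                .toUriString();
    }
}
```

For links that end up in e-mail, prefer the configured base: the request-derived variant takes the host from the incoming `Host` (and, depending on Spring version and proxy settings, `X-Forwarded-*`) headers, which the sender of the request controls, so an attacker-supplied host could be written into a mailed link. The configured base also works from a scheduled job where no request is bound to the thread.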
Today I made an integration that suggested using the full URL for compatibility.
The base should change according to environment (I just send it as an attribute).
The last @{/js/i/dyn} is to get the contextPath.
<script th:src="${'https://' + base} + @{/js/i/dyn}"></script>
ref: http://www.thymeleaf.org/doc/articles/standardurlsyntax.html
I am searching for a security framework that allows role based security for OSGi services as well as CXF webservices.
Some time ago I already used Spring Security but as we now switched to Blueprint it is not an option anymore as far as I understood. To configure the access rules I would like to mainly use the standard @RolesAllowed annotation. So what are my best starting points? I also thought about implementing this myself as a Blueprint extension but I would prefer an existing solution.
I would suggest you go with Apache Shiro instead, http://shiro.apache.org/ .
It provides easy APIs for authentication, authorization, cryptography, and session management. It can also be easily deployed inside an OSGi container. Some pros of Apache Shiro are listed here: Apache Shiro vs Java EE native APIs
In the meantime I created a Blueprint extension for authorization based on JAAS and Java EE annotations (@RolesAllowed, @PermitAll, @DenyAll). You can add the extension to any Blueprint file. It will then scan all beans for these annotations and intercept calls if they are found. It uses an existing JAAS context to get the roles of the user.
So the prerequisite for this is doing a JAAS login. I have also created a CXF JAASAuthentication feature that logs in a user based on basic auth or the WS-Security username principal. The module works together with the Apache Karaf JAAS support. So all Karaf users and roles apply.
I will create a tutorial to show how to use all of this once the Aries Blueprint release that includes the authorization module is out. In the meantime I would be happy if you try it out and report any problems you have.
Btw. another approach for Karaf is the role-based access control for OSGi services that is built into Karaf 3+. It does not work with annotations but is also easy to use. See
http://coderthoughts.blogspot.de/2013/10/role-based-access-control-for-karaf.html
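To make the mechanism the answer describes concrete (scan a bean for @DenyAll / @RolesAllowed / @PermitAll, intercept calls, and take the roles from the JAAS Subject of the caller), here is an added example of the same idea in plain Java with a JDK dynamic proxy. It is my illustration for this page, not the Aries Blueprint authorization module's code, and it assumes the JSR-250 `javax.annotation.security` annotations on the classpath and Java 8 to 17 (it uses `Subject.getSubject(AccessController.getContext())`). `RolePrincipal` is a hypothetical principal type standing in for whatever the container (Karaf, for instance) puts into the Subject; the `AccountService` and its roles are constructed demo data.

```java
// Added example: enforcing JSR-250 annotations from the caller's JAAS Subject via a
// dynamic proxy. Illustrative only; not the Aries Blueprint authorization module.
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.security.auth.Subject;

public final class RolesAllowedProxy {

    /** Hypothetical principal whose name is a role; a real container supplies its own type. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Wrap a service so that every interface call is authorized before it is forwarded. */
    @SuppressWarnings("unchecked")
    public static <T> T secure(Class<T> iface, T target) {
        InvocationHandler handler = (proxy, method, args) -> {
            // Annotations live on the implementation, so resolve the concrete method first.
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            check(impl, target.getClass());
            return method.invoke(target, args);
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, handler);
    }

    private static void check(Method m, Class<?> owner) {
        // JSR-250 precedence: DenyAll beats RolesAllowed beats PermitAll; method beats class.
        if (m.isAnnotationPresent(DenyAll.class)) throw new SecurityException("denied: " + m.getName());
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null && !m.isAnnotationPresent(PermitAll.class)) {
            if (owner.isAnnotationPresent(DenyAll.class)) throw new SecurityException("denied: " + m.getName());
            ra = owner.getAnnotation(RolesAllowed.class);
        }
        if (ra == null) return; // PermitAll, or no annotation at either level
        Set<String> roles = currentRoles();
        if (Arrays.stream(ra.value()).noneMatch(roles::contains)) {
            throw new SecurityException("no matching role for " + m.getName());
        }
    }

    /** Roles of the JAAS Subject bound to this thread; empty when no login has happened. */
    static Set<String> currentRoles() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) return Collections.emptySet();
        return s.getPrincipals(RolePrincipal.class).stream()
                .map(Principal::getName).collect(Collectors.toSet());
    }

    // ---- constructed demo service ------------------------------------------------
    public interface AccountService { String balance(); void close(); }

    @RolesAllowed("viewer")
    public static final class AccountServiceImpl implements AccountService {
        public String balance() { return "42"; }
        @RolesAllowed("admin") public void close() { }
    }

    public static void main(String[] args) {
        AccountService svc = secure(AccountService.class, new AccountServiceImpl());
        Subject viewer = new Subject();
        viewer.getPrincipals().add(new RolePrincipal("viewer"));
        // As "viewer": balance() is allowed by the class-level rule, close() is refused.
        Subject.doAs(viewer, (PrivilegedAction<Void>) () -> {
            System.out.println(svc.balance());
            try { svc.close(); } catch (SecurityException e) { System.out.println(e.getMessage()); }
            return null;
        });
        // Without any JAAS login there are no roles, so even balance() is refused.
        try { svc.balance(); } catch (SecurityException e) { System.out.println("no login: " + e.getMessage()); }
    }
}
```

The point to carry over to any real deployment is the precedence in `check()`: a method-level annotation must override the class-level one, and an unannotated method on an unannotated class is permitted by default, so the class-level `@RolesAllowed` is what turns a bean into "deny unless a role matches".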
I'm using Spring MVC v3.1.0 and HDIV (HTTP Data Integrity Validator) v2.1.0 as server-side framework and ExtJS v4.0 as client-side framework.
Now, I'm confused how to generate secure forms and links which contain HDIV state
and how to transform/convert those forms using ExtJS on the client side.
Any suggestion?
Thank you very much.
Now, I'm confused how to generate secure forms and links which contains HDIV
state and how to transform/convert those forms ....
HDIV will do it for you if you configure Spring to use HDIV.
See chapter 7.2.1.2 Modify the deployment descriptor in /WEB-INF/web.xml of the hdiv-reference.pdf
There are many Java web application frameworks available but what are my alternatives when developing JSR 168 portlets? I found a couple:
Struts
Spring
That's it Sven, I haven't tried JSF portlet bridge, but I have been working with Struts portlet bridge and spring-webmvc-portlet almost 2 years.
This is my own opinion:
I would try to avoid using the Struts portlet bridge. It's a dead thing that still exists because some Portals had utilized it and it is still built into them. It's quite old, it serves its purpose, but with something like spring-webmvc-portlet around, using it wouldn't be wise. Unless you are a Struts enthusiast and you haven't tried Spring MVC or JSF.
I like the principle of how the Spring portlet environment is integrated into the servlet environment. There is also everything that a developer needs already implemented, except a few things like
Add multipart request support to portlet resource requests (SPR-7662)
Spring Portlet MVC - Unable to return JSON data from @ResourceMapping (SPR-7344)
With Struts bridge you end up doing tons of low level stuff to hide the fact, that after request hits the Main Portal Servlet, it becomes "portlet request". With Spring you don't care :-) Talking about portals like Liferay, JBoss or uPortal
JSF with a portlet bridge: http://jboss.org/portletbridge