{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 孤独寂梦人 的问题《How to handle authentication/authorization with us》','https://www.manongdao.com/q-11402.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Currently, I am working on a web project using JSF 2.0, Tomcat 7 and MongoDB. I have a big question of how to handle the session management and authentication/authorization with users in a database.
The structure I want is as follows: only logged in users can create events and everyone can see the created events.
create.xhtml--> only for logged in users.events.xhtml--> public for everyone.
The basic structure I'm planning is:
- Check if the page requires logged in user (e.g.
create.xhtml) - If yes, check if user is logged in
- If user is not logged in, go to
login.xhtml - If successfully logged in, come back to requested page
- Keep the "User is logged in" information unless user clicks log out
button. (there I guess
@SessionScopedgets into play)
The question is:
- What is the less complicated way of doing this?
- Where should I use the
@SessionScopedannotation? InCreate.javaorLoginManager.java? - Spring security looks kind of complicated for my issue, do I really need it? if yes, can you explain a little bit of how the implementation works together with JSF 2.0 and Mongo DB?
There are several options. Which to choose is fully up to you. Just objectively weigh the concrete advantages and disadvantages conform your own situation.
1. Use Java EE provided container managed authentication
Just declare a
<security-constraint>inweb.xmlwhich refers a security realm which is configured in servletcontainer. You can for your webapp specify URL pattern(s) which should be checked for login and/or role(s), e.g./secured/*,/app/*,/private/*, etc.Before Java EE 8, you unfortunately still need to configure a security real in a servletcontainer-specific way. It's usually described in servletconainer-specific documentation. In case of Tomcat 8, that's the Realm HOW-TO. For example, a database based realm based on users/roles tables is described in section "JDBCRealm".
Since Java EE 8, there will finally be a standard API based on JSR-375.
Advantages:
Disadvantages:
See also:
2. Homegrow a servlet filter
This allows for much more fine grained control, but you're going to need to write all the code yourself and you should really know/understand how you should implement such a filter to avoid potential security holes. In JSF side, you could for example just put the logged-in user as a session attribute by
sessionMap.put("user", user)and check in the filter ifsession.getAttribute("user")is notnull.Advantages:
Disadvantages:
See also:
3. Adapt a 3rd party framework
For example, Apache Shiro, Spring Security, etc. This offers usually much more fine grained configuration options than standard container managed authentication and you don't need to write any code for this yourself, expect of the login page and some (XML) configuration of course.
Advantages:
Disadvantages:
See also: