I'm wondering what the current approach is regarding user authentication for a web application making use of JSF 2.0 (and if any components do exist) and Java EE 6 core mechanisms (login/check permissions/logouts) with user information hold in a JPA entity. The Oracle Java EE tutorial is a bit sparse on this (only handles servlets).
This is without making use of a whole other framework, like Spring-Security (acegi), or Seam, but trying to stick hopefully with the new Java EE 6 platform (web profile) if possible.
After searching the Web and trying many different ways, here's what I'd suggest for Java EE 6 authentication:
Set up the security realm:
In my case, I had the users in the database. So I followed this blog post to create a JDBC Realm that could authenticate users based on username and MD5-hashed passwords in my database table:
http://blog.gamatam.com/2009/11/jdbc-realm-setup-with-glassfish-v3.html
Note: the post talks about a user and a group table in the database. I had a User class with a UserType enum attribute mapped via javax.persistence annotations to the database. I configured the realm with the same table for users and groups, using the userType column as the group column and it worked fine.
Use form authentication:
Still following the above blog post, configure your web.xml and sun-web.xml, but instead of using BASIC authentication, use FORM (actually, it doesn't matter which one you use, but I ended up using FORM). Use the standard HTML , not the JSF .
Then use BalusC's tip above on lazy initializing the user information from the database. He suggested doing it in a managed bean getting the principal from the faces context. I used, instead, a stateful session bean to store session information for each user, so I injected the session context:
With the principal, I can check the username and, using the EJB Entity Manager, get the User information from the database and store in my
SessionInformation
EJB.Logout:
I also looked around for the best way to logout. The best one that I've found is using a Servlet:
Although my answer is really late considering the date of the question, I hope this helps other people that end up here from Google, just like I did.
Ciao,
Vítor Souza
I suppose you want form based authentication using deployment descriptors and
j_security_check
.You can also do this in JSF by just using the same predefinied field names
j_username
andj_password
as demonstrated in the tutorial.E.g.
You could do lazy loading in the
User
getter to check if theUser
is already logged in and if not, then check if thePrincipal
is present in the request and if so, then get theUser
associated withj_username
.The
User
is obviously accessible in JSF EL by#{auth.user}
.To logout do a
HttpServletRequest#logout()
(and setUser
to null!). You can get a handle of theHttpServletRequest
in JSF byExternalContext#getRequest()
. You can also just invalidate the session altogether.For the remnant (defining users, roles and constraints in deployment descriptor and realm), just follow the Java EE 6 tutorial and the servletcontainer documentation the usual way.
Update: you can also use the new Servlet 3.0
HttpServletRequest#login()
to do a programmatic login instead of usingj_security_check
which may not per-se be reachable by a dispatcher in some servletcontainers. In this case you can use a fullworthy JSF form and a bean withusername
andpassword
properties and alogin
method which look like this:And this view scoped managed bean which also remembers the initially requested page:
This way the
User
is accessible in JSF EL by#{user}
.The issue HttpServletRequest.login does not set authentication state in session has been fixed in 3.0.1. Update glassfish to the latest version and you're done.
Updating is quite straightforward:
It should be mentioned that it is an option to completely leave authentication issues to the front controller, e.g. an Apache Webserver and evaluate the HttpServletRequest.getRemoteUser() instead, which is the JAVA representation for the REMOTE_USER environment variable. This allows also sophisticated log in designs such as Shibboleth authentication. Filtering Requests to a servlet container through a web server is a good design for production environments, often mod_jk is used to do so.