JSF authentication and authorization

4

14

What is the best way to go about implementing authentication and authorization for a JSF web application? Preferably I'd still want to use container-based security, as I need to call EJBs that require the principal.

I realize form-based authentication is a major struggle with JSF, but can I perhaps use a PhaseListener or something similar together with programmatic logon to authenticate the user?

Any other methods I should rather have a look at?

Yajairayajurveda answered 27/7, 2009 at 12:37 Comment(2)
Can you let us know what was your pick? - Silicon
Related: #2207411 and #6190036 - Sennet
4

Try to check out the blog for using JAAS with JSF. This is the example of how to deploy the JAAS with JSF for authentication and authorization.

I hope it helps.

Tiger

Planetstruck answered 27/7, 2009 at 16:11 Comment(2)
Thanks for the link. I'm uncertain of a few things, however. I assume that this will replace form-based authentication, but how does it interact with my JAAS login module (in Glassfish a realm)? I'm using a JDBC realm. Also, isn't a PhaseListener a better fit for this than an ActionListener? - Yajairayajurveda
@Tiger: Would you like to say something about when it is good to move from container based security to alternatives like shiro or others? See more focussed question here: #7783220 - Heroine
3

You can use the Spring Security framework, see instructions here http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/

Silicon answered 27/7, 2009 at 12:56 Comment(4)
Thanks for the suggestion. Can Spring Security be used outside of the Spring Framework? Currently I have straight-forward JSF with Facelets, and I'd like to avoid an extra dependency on Spring. - Yajairayajurveda
It depends on several Spring modules - web, core, and several others (for example jdbc if you keep your user data in a database). You do not have to base your application on Spring however, just treat it as an external library. - Silicon
@David: Hi David, Would you like to say something about when it is good to move from container based security to alternatives like spring security or others? See more focussed question here: #7783220 - Heroine
@Marcos I guess it pretty much depends on your needs (how complicated your authentication is), how easy the container configuration is and whether you can add a 3rd-party authentication library, which may not be the case in some scenarios (IT applications, for example). Our application has users authenticating using web forms for parts of the site, HTTP basic for mobile web pages and custom authentication headers and formats for the mobile API (like the AWS custom headers), so we needed a flexible solution. Also, by now we are a Spring-only web app; no JSF remained due to many issues we had with it. - Silicon
3

I use JSF Seam and have used Seam's built-in authentication and authorization and find it extremely easy to use.

For authentication, you simply implement 1 method, public boolean login(String username, String password) { ... }, which returns a boolean. Then you can mark pages as "login-required" and Seam takes care of the rest.

For authorization, Seam gives you a @Restrict Annotation that you can put on your Controller or Service methods and again, Seam takes care of the rest.

Advanced authorization: You can also handle more advanced authorization with Seam where roles are dynamic - e.g. in a bulletin board you are "author" of some posts, but "reader" of other posts, by simply delegating your @Restrict annotation to a Java method.

I would encourage you to take a look at Seam. Seam is just a layer on top of JSF, so technically you would still be running on JSF. If for some reason you cannot use Seam, maybe you can borrow some ideas from how Seam handles Authorization and Authentication in JSF.

Jun answered 31/7, 2009 at 19:2 Comment(0)
2

You could use the Servlet 3.0 HttpServletRequest API as shown in this answer to a JSF 2.0 question:

JSF 2.0 Simple login page

Heffner answered 3/6, 2011 at 9:11 Comment(1)
This is not part of JSF 2. This is part of Servlet 3.0. So this works only when running JSF 1.x/2.x/whatever on Tomcat 7, Glassfish 3, JBoss AS 6, etc. or newer. - Sennet
