How to implement a Oauth 2 mechanism in JavaEE for JSF? - jsf

I'm working a JSF projects with beans and xhtml pages and now I've implemented a import javax.servlet.Filter; with username and password to secure the pages, except, of course, the login.xhtml. Since I want to upgrade the security mechanism, I want to insert the Oauth2 mechanism. How Can I do? I've read some spring implementations, but seems only for REST service.

You don't implement it in JSF, you implement it in a security layer which, at most, gets the username/password or token from the jsf based userinterface. Best is to not implement this from scratch but use a real good existing security framework for this. Something like Apache Shiro, JBoss Picketlink or the likes, one that can do oauth for you.

Related

Advantages of using spring security vs custom filters?

This question might be naive but I would like to know what are the advantages of using Spring security (or any other security framework) versus custom filters (#WebFilter) to restrict pages in a web-app. In a custom filter I can check the session of an user, see if an user bean has been mapped within the session and then check if the user bean has the appropriate role to gain access to my restricted area. So what do I gain by using Spring security, surely it's more secure, if so then how? I'm asking because I find it harder to use than using custom filters. Thanks in advance.
Security Principle: Don't roll your own security unless you're an expert.
See https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own
The Spring guys aren't sitting around making work up for themselves. They are solving real problems. You could implement all of Spring Security's features with your filters, but then you'd have Spring Security, wouldn't you?
Are you handling CSRF and making it convenient?
Are you handling session fixation?
Do your filters handle path traversal?
Are you handling RunAs functionality?
Read the docs and decide if you should use it or not.

JAAS, JSF 2 and Authentication

I want to build a web application with JSF where I use JAAS for authentication.
I will run the application on Glassfish v4 and I want to use a custom realm/login module to have my user credentials stored in a database and moreover having the passwords salted and hashed. As far as I know the JDBCRealm of Glassfish does not give me possibility to have the passwords salted.
I already found resources on how build such login modules and security realms for it.
Now I reached a point where I still have too many questions open and no answers found on the web.
My first question now is more like a conceptual question.
So for me it actually seems like a disadvantage if I use JAAS since that would require me to write custom realms and login modules for each application server I want my application to be deployed to.
I mean I see the advantage to have the authentication seperated but still it seems quite a bit of extra work compared to a solution where I would do the login procedure on my own.
Since I could also do the access control using custom filter in JSF this seems to be a more universal way because there is no extra effort when I change the application server.
Do I miss something here?
This also leads me to another point. Is there a way to perform the login procedure by myself but assign the current user specific roles in the context of JAAS during my custom login?
Another question: I have seen that it is also possible to create/update/delete users with a custom realm which sounds awesome for my needs... Sorry if this is a kind of a noob question but I still could not figure out how to retrieve the JAAS realm from within my JSF application...

How do I secure mixed content resources in Java EE 6?

I'm trying to decide how to secure a modern web application. I am relatively new to the Java EE 6 technology stack, but I've done some pet projects that didn't utilize security, so I'm looking for some general guidance on what's even possible using out of the box Java EE 6 security.
I understand that declarative security allows you to protect resources based on what role(s) have been assigned to a user attempting to access that resource. So, for example, a user requests a page at a particular URL, the Java EE server checks the user's credentials to see if they're authorized to access that page. This makes perfect sense for resources that only to be accessed by authenticated users. Good examples include administration pages, user account setting pages, restricted content areas.
So as long as I divide a website into secure and unsecured areas, that works fine and I have no questions. But how do I deal with the situation where I have a resource that I want to behave differently based on the authentication level of the user for declarative security.
For example, I may have a home page on a website that displays one view with a login prompt if the user is an unauthenticated user, but if an authenticated user visits that same resource should display some sort of control panel with account management links, etc instead of the login prompt.
How is this achieved in modern Java EE 6 applications? Declarative security doesn't seem expressive enough to allow this to happen as it's very "all or nothing". I've read a little about programmatic security, but all the guides talk about servlets and in a modern web application I would assume that JSFs would be the way to go, not raw servlets. I want to ensure that when I secure a web application with this mixed content that depends on the authentication status of the user that I don't end up spamming security code all throughout the web app because that's extremely error prone, and very messy.
Given the above requirements what solutions would you recommend? I'm not looking for a step by step, just some helpful pointers to get me started in the right direction. Both "Here's what you can use" and "here's how it's going to fulfill your goals" would be helpful!
One last thing, I'd like to avoid loading the Spring suite onto this webapp. I like using the Java EE 6 container technologies as much as possible, and I've heard there are issues making Spring managed beans and Java EE container managed beans available to each others' contexts.
Well, you should read: the Security chapter of the Java ee tutorial.
In a nutshell, either in servlets or EJBs you should:
Declare the security roles involved: #DeclareRoles("javaee6user")
In your servlets either
use #ServletSecurity(#HttpConstraint(rolesAllowed = {"javaee6user"})) for the whole servlet (declarative security)
in the servlet's methods check with request.isUserInRole("javaee6user") just as you did in 'old' servlets (programmatic security)
In your EJBs either
declare the role(s) allowed for a whole method with #RolesAllowed("javaee6user") (declarative security)
inject with #Resource SessionContext ctx; the bean context, and invoke ctx.isCallerInRole("javaee6user") inside your method, just as you did in 'old' EJBs (programmatic security)

authenticate a user in jsf 2.0

I am about developing a web application using jsf 2.0 and netbeans 7.1
so I want to authenticate users before they can access the application
My question know is how can I be sure of that user along his "session"?
I searched and found that I have to use session beans but I didn't get
the "remedy" of my problem
thanks for help
the answer really depends on your requirements. the simplest solution would be to use container managed authentication (via JAAS). all j2ee/servlet containers support this, but some implement it "their own way", so you have to check the docs. i know for tomcat and jboss, it's very simple to turn on and (assuming you configure your web.xml properly) just trust that if they are loading your pages, the session is authorized. you might want to bulk up the question with some of your requirements. that will really spur people to give you a much more concrete answer than i'm providing.
TIA

Acl mechanism for JSF

Is there some ready-to-use ACL mechanism for JSF? I know JBoss Seam comes with something like that, but switching to JBoss Seam is not an option in my case.
What I need is to easily define which pages given user is allowed to see and which actions to invoke.
If I understand correctly, you can check spring security

Resources