I am about developing a web application using jsf 2.0 and netbeans 7.1
so I want to authenticate users before they can access the application
My question know is how can I be sure of that user along his "session"?
I searched and found that I have to use session beans but I didn't get
the "remedy" of my problem
thanks for help
the answer really depends on your requirements. the simplest solution would be to use container managed authentication (via JAAS). all j2ee/servlet containers support this, but some implement it "their own way", so you have to check the docs. i know for tomcat and jboss, it's very simple to turn on and (assuming you configure your web.xml properly) just trust that if they are loading your pages, the session is authorized. you might want to bulk up the question with some of your requirements. that will really spur people to give you a much more concrete answer than i'm providing.
TIA
Related
I'm working a JSF projects with beans and xhtml pages and now I've implemented a import javax.servlet.Filter; with username and password to secure the pages, except, of course, the login.xhtml. Since I want to upgrade the security mechanism, I want to insert the Oauth2 mechanism. How Can I do? I've read some spring implementations, but seems only for REST service.
You don't implement it in JSF, you implement it in a security layer which, at most, gets the username/password or token from the jsf based userinterface. Best is to not implement this from scratch but use a real good existing security framework for this. Something like Apache Shiro, JBoss Picketlink or the likes, one that can do oauth for you.
Could somebody advice me the best solution about JavaFX (JDK8) and security concept? Under security I mean authorization and authentication. Thank you in advance.
I might be a bit late in answering this, but you are very right Maryan. JavaFx doesn't seem to have good interoperability with any standard security mechanisms.
The only option is to use a 3PP to solve this. Examples are: Spring security, Apache Shiro etc. In order to eliminate the dependencies with a particular 3PP, I encourage you to wrap the 3PP implementation.
Unfortunately, This is just the beginning of a long list of issues(that are yet to come up) for you, even after you implement the security measure, you will still have to come up with ways of storing and managing security tokens(similar to browser cookies) so that your JavaFx client doesn't need to authenticate with server for every call.
If this is only the beginning of your project, I suggest you really think about whether to use JavaFx or go with web based UI.
I want to build a web application with JSF where I use JAAS for authentication.
I will run the application on Glassfish v4 and I want to use a custom realm/login module to have my user credentials stored in a database and moreover having the passwords salted and hashed. As far as I know the JDBCRealm of Glassfish does not give me possibility to have the passwords salted.
I already found resources on how build such login modules and security realms for it.
Now I reached a point where I still have too many questions open and no answers found on the web.
My first question now is more like a conceptual question.
So for me it actually seems like a disadvantage if I use JAAS since that would require me to write custom realms and login modules for each application server I want my application to be deployed to.
I mean I see the advantage to have the authentication seperated but still it seems quite a bit of extra work compared to a solution where I would do the login procedure on my own.
Since I could also do the access control using custom filter in JSF this seems to be a more universal way because there is no extra effort when I change the application server.
Do I miss something here?
This also leads me to another point. Is there a way to perform the login procedure by myself but assign the current user specific roles in the context of JAAS during my custom login?
Another question: I have seen that it is also possible to create/update/delete users with a custom realm which sounds awesome for my needs... Sorry if this is a kind of a noob question but I still could not figure out how to retrieve the JAAS realm from within my JSF application...
I have deployed two applications onto the glassfish server, each of which uses its own security realm (file, jdbc). The problem is that the glassfish allows only one default realm to be set which results in only one application to be functional at a time. I'm a newbie with the glassfish so I might be missing something fundamental or should approach this problem differently (do I need a separate domain for each of mine applications to be able to set the security with specific realm?).
Any suggestions would be appreciated.
Thank you.
It's possible to create more file Realms in the same GlassFish domain, you simply have to specify a new file name for the keyfile storing the users / passwords information. You can follow this tutorial if you wish.
Concerning the other part of the question, you can also consider to use a LDAP server, which is a scalable and more general solution, because it can be used also by other applications inside the same firm. You can use OpenLDAP or OpenDJ for example, and use JNDI API for letting your applications access the LDAP realm.
Here you can find a JNDI and OpenLDAP Tutorial, but you can easily find other tutorials around on the subject.
I have implemented some pages for my webproject. However, now I would like to add security.
I will have a couple of roles, like admin, user, other and some pages shall only be accessable for the admins, some for the users and so on.
If its intresting, Im using Hibernate for the database. I plan to store the roles and users in the database.
Can you help me to tell the best practice (if any) for a scalable solution for implementing the security in my webproject? Links, books or a good example is very grateful =)
Best regards
Apache Shiro is a new and supposedly very elegant and easy to use security framework.
Spring security may be suitable for your needs.
http://static.springsource.org/spring-security/site/features.html
BTW which IDE you are using?
You can undoubtedly visit OWASP web site..The OWASP web site provides you on every bit of information about the potential security attacks/threats to a web application..
The website will provide you all the information related to a particular attack/threat and also the possible solution to avoid the threat..
You can even download the ESAPI jar provided by OWASP which provides ample amount of functionalities to handle security attacks/threats. It will considerably reduce your development time.
Here's the link to the website
https://www.owasp.org/index.php/Main_Page
Based on the underlying technology you are using you will get relevant solutions to avoid attacks/threats.
Also you can store the names of the module or the URL in the DB and you can have a mapping between roles and the module. Based on the role of the user you can fetch the module and display respective modules to the user.
You can further visit this link for some more details on when to use SHIRO and when to use EASPI.
Apache Shiro & Java Security for Novicesenter link description here
But I am sure that after going through EASPI web site and few days of studying security attacks you can easily use EASPI to provide enhance security feature to your web application.