JSF web application user logging. How to? - jsf

The administrator of the web application I am working on, asks for a 'I wanna know everything' log. He wants to track all what the other users did when they were connected (logged in) to the web app :
What pages he/she visited.
What actions he/she performed.
On what entities (JPA Entities) he/she performed actions.
At what exact time she/he performed a given action if successful.
What attribute of the a given record he/she modified.
The user principals of this user.
All I could do now, is export a CSV file where the administrator finds the user principals, the time this user logged in and logged out.
I also created an example history table in database populated by EclipseLink Customizer to track changes for a corresponding table. (The problem with this EclipseLink customizer is that it is not flexible, because database tables are changing with time (adding/removing attributes) and so are their corresponding entities. And the user does not want to modify things two times (one time in the main table and the second time in the history table)!
Could something like a third library 'log4j' do that?
Is there any alternatives, solutions, or better practices related to my issu!?
Best regards.

Look into Interceptors/Listeners - both for JSF to get page/action and JPA to get data accessed. In your interceptors/listener you could then log to file using log4j.
EclipseLink Listeners
Hibernate Interceptors (for comparison)
JSF Listeners

Related

How to track last login date for IBM Domino web user?

Does IBM Domino track the last login date for web users(UserName/Password and internet certificate)? I know the access logs contains this information but wanted to know if there may be something built into Domino (maybe in Address Book). Trying to come up with a method to disable web accounts that have not accessed a domino server in a specified time period.
Thanks,
Kev
The User Activity area in the Database Properties picks up from the log.nsf, which is where this information is stored. But, typically, the log.nsf will only have a few days' worth of information. When I've had this requirement before, I've manually captured it via a custom login page or an initUser function I've had in applications.
One of the easiest solutions is to trigger an action from a live web page that generates a database.nsf?openagent event.
like:
or
Ideally you've use the openagent to print a content type and a response, but if you don't browsers do pretty well with invalid responses from servers.
inside your "myagent" you will have the users name available to you to write it to a document.
Your next challenge will be in getting the agent to trigger, but, not too often, ideally only on login.
When a user uses a custom login form it submits the username/password and redirection url in POST method. You could change that to ...?openagent&nexturl=/blablabla.nsf
Your tiny little agent would run one and only one time upon login and update a document in a your custom logging database.
That's a developer's solution.
There are also admin solutions. The server does keep track of active web sessions, but, it does not drop them into the log.nsf like it does upon session ending for a notes session. I don't think it would be too much work from an admin standpoint to get that information there are a lot of event triggers available to you. It's just been way too long since I worked on any server that anyone cared about statistics.

Disable the edit of ?id= in url jsf

before write the question sorry for my english. My question is this:
I have an web application in jsf, the application have new, edit and delete Categories, outgoings, Budgets, users, etc.
When open the edit page i have the url like this:
http://localhost:8080/Practica3/faces/usuarios/edit.xhtml?id=2
the problem is if the user change the number 2 for another number, and the another number exists in the dababase, the page change the data of the id 2 to the data of the new id.
The problem is if the id number X is of a data of another user, and the user that change the id is not in conditions to see that data.
How disable the edit of the id, or denied to show the data to the another user?
Thanks, and i hope have a response.
Just check in service layer if the current user is allowed to edit the requested entity. If not, then throw some security exception for which you could if necessary configure a custom error page in web.xml.
The technical problem has nothing to do with HTTP/JSF. If you "fix" it alone in JSF side, then you still have a gaping security hole in service layer which would affect any other frontend using it. The frontend is not responsible for business restrictions in service layer itself.
The problem is not stopping the editing of the ID. That is on the client side/browser and you cannot stop this value from being edited.
You need to implement propery Access Security Controls. When you get any response back, you need to check if the user can perform the action they specified (read, update, delete, etc.) as well as checking to make sure they have permission to the data they want to perform the action on.
These two topics are on the OWASP Top 10:
A4-Insecure Direct Object References
A7-Missing Function Level Access Control
The pages will tell you what the problem is, mitigation stragegies, and different ways of testing for that in your application.
I would also become familiar with the other Top 10 categories (this is not an all inclusive list but a good starting point).

Liferay database table work flow?

I am new to Liferay. Now I need to create the flow chart which has the Liferay table work flow in following scenarios,
1) What are the list of table will reflect/update if we create the site admin?
2) What are the list of table will reflect/update if we create the site?
I tried by opening database tables and noticed that USER_, CONTACT_ will reflect, But I need list of all the related tables which will reflect when we create the site and siteadmin? I am using Liferay 6.2 version.
Thanks in advance.
When you want to know the internals of any system it is always best to check the relevant source-code. So in this case you can check the source-code for those classes which are used for CRUD operations on User and Site.
1) What are the list of table will reflect/update if we create the site admin?
Site-administrator is a Role, which can be applied to a User created in Liferay.
So if you want all the tables that are created from User-creation till User is assigned the Site-administrator role for a particular site, there here are some which I can recollect:
User_ (Obvious)
Contact_ (not so obvious :-) )
Group_ (Users are also created as a record in this table since Users have public and private pages)
Address (if you add an address)
Phone (if you add a Phone)
Users_Roles (Power user role is assigned by default)
UserGroupRole (user and site-role relationship, Site-administrator is a Site-role)
Users_Groups (user and site relationship)
For others you should refer the source-code for UserLocalServiceImpl, RoleLocalServiceImpl and GroupLocalServiceImpl, check the relevant methods prefixed add, update etc.
The corresponding service.xml for these module would reveal the database tables being used.
2) What are the list of table will reflect/update if we create the site?
Sites are nothing but Groups in Liferay. So its obvious Group_ table is playing a big role.
Other tables also depend upon what configuration you are doing while creating a Site.
Then there would be other tables like Layout when you start creating pages for a Site.
I would strongly encourage to go ahead and explore the source code for the classes and you would understand the flow - when and what tables are affected.
Here is some convention which might help you traverse the source-code, almost every *LocalServiceImpl is associated with a *Model like UserLocalServiceImpl with UserModel and almost every *Model has a corresponding database table with the same name.
Also the name of the functionality would in most cases hints at what service classes are being used to connect to database, like adding a User would hint at using UserLocalServiceImpl.
Hope I have understood your question and have been able to give some proper direction.
If you want to know this because you also want to write to these tables: Don't go there! You should purely use the API to change the data that Liferay stores. Otherwise you will run into disasters some time in the future - promised.
For just getting the SQL commands that Liferay actually uses, configure portal-ext.properties and change this default value:
hibernate.show_sql=false
Then go to "Server Administration/Log Levels" and add a new category "org.hibernate.SQL", configure it to the level DEBUG. Then the results show up in the logs. Note that this log configuration is transient and will be reverted on next server start. If you want the setting to be persistent, you'll need to go into Liferay's log4j configuration files.
Remember: You don't want to write to the tables ever. Promise!

check document is opened by other user xpages

I m working with xpages for following scenario.
I have one agent that will update the value to one of the field of datasource from notesview. sometimes, while one user is opening the datasource via xpage and other user run the agent in the same time. at that time, agent can run and update the field of datasource. but from the xpages side, we can catch the exception for the document is modified by other user and cannot save the xpages.
i would like to prevent this from agent side. i would like to know whether there is a way to know that document is opened by one of the user from agent side, so that agent wont update the value to that datasource.
thank for your help.
First of all: mixing agent and XPages is more trouble than it is worth, you are better off converting your agent code into a Java class (and pay the technical debt accumulated over time in the agent).
One BIG reason: an agent and XPages do not share anything other than the document in memory (if handed over) on that one user's session.
If you launch the agent from an XPage: you can use an ApplicationScope variable (e.g. a java.util.HashMap) that you fill with the unid and username when a user opens a document. Before you launch that agent, you check the scope if the unid is inside with a different username. If yes, don't run the agent.
You need to build a mechanism to expire and renew these locks otherwise you end up with dead lock entries.
If the agent is launched directly or on schedule things get a little more complicated. You could implement a web service servlet that handles the locks since both XPages and agents can talk to a web service.

How do you implement users and group security in a web application?

using php if that matters.
If you create a website that has users and groups. Where do you put this in the web application? Do you just put a function at the top of every page (pseudo):
if someone is in a group then they can see this page
or
if someone is in this group they can see this button
That sure seems wrong. I wouldn't want to edit the web app code just to change who can see what group-wise. I'm not sure what I should do or how to implement something like this.
Thanks.
In MySQL, I always create these 4 tables: users, user_groups, permissions and user_groups_permissions which are linked using Foreign Keys.
So, user A can be in a user group B, which this user group permissions are in user_groups_permissions.
Now, I just do a INNER JOIN on this 4 tables (or better, three: users, user_groups_permissions and permissions), the results are permissions that user have. all we need is selecting permissions.key by INNER JOIN.
Now, before processing request, I need to check that Client::has_permissin('send_post') returns true or not. And better, also on top of each user-group-related function.
Note: Client is a class that loads all user permissions just one time, before processing request, and then uses that permissions for whole request-life-time, without needing to access to database several times in that request. Use static methods and $permissions property for this class so you never need to send it's object over your applications classes/methods/functions :)
You can have a utility function which takes user id and group code and return true or false.
You can use that utility function as pseudo at the top of each page and the same function also be used to hide or show sections in your page.
If your web application is in MVC, embed user authorization logic in your controller.

Resources