Authentication in JSF 2.0

I could use some advise... I've been trying to implement authentication in a JSF 2.0 web application and I've not been completely successful. I'm using NetBeans 6.8 and GlassFish v3. Here is what I would like:
1) Use container managed security with a JDBC realm. Users who register via the web app will end up as users in the table that is used to authenticate access to the web app
2) I want to use role-base authorization that I can specify in my web.xml file as [described in the JEE 6 tutorial.|http://java.sun.com/javaee/6/docs/tutorial/doc/bnbxj.html#bnbxu]. Thus, I'd like to secure JSF pages as well as managed bean actions.
3) My web app uses EJB's that are secured using the [EJB annotations as described in the JEE 6 tutorial|http://java.sun.com/javaee/6/docs/tutorial/doc/bnbyl.html#gjgcq]. My understanding is that the credentials from the web app are propagated to the EJB's, so I should not need to do anything, other than catch exceptions whenever the EJB is being accessed by an unauthorized role.
4) Ideally, I'd like to use a JSF form to request username/password from a user. I know the JSF form cannot directly post the information to the container's security mechanism (i.e. j_security_check action). While I've found some ways to do it, none are really satisfactory, so I've had to just use a plain HTML form.
5) I could do it [authentication programmatically as explained in the JEE 6 tutorial|http://java.sun.com/javaee/6/docs/tutorial/doc/gjiie.html]. Unfortunately, the tutorial shows how to do this from a Servlet and not from JSF. In particular, I could invoke the HttpServletRequest#login method, but its result does not enter a session and thus I cannot continue to use container managed authorization past the request. If I use HttpServletRequest#authenticate, then this will force the container to present the login form I specify in web.xml and the credentials will be in the session.
6) FYI, I've tried to implement an authentication a Filter but the URL requests that come from a JSF 2.0 app just do not correspond to what I'm looking for in the filter. That is, if I have a directory named secured where I keep JSF pages to be accessed only by authenticated users, I set up a Filter to look for these requests and it does not behave as expected (or at least the way it behaves when I use it with JSP)
I hope someone here can help me find the resources so I can implement this. I've Googled many times and most of what I'm finding is incomplete. I'd greatly appreciate anyone's help and guidance in this. FYI... some students are counting on me to deliver a solution to this! I did not think it would be difficult, but it has turned out to be that way.
Thanks for reading this far!
Alvaro

Hello Ed. I have your JSF 2.0 book now. I download and tried the authentication example that you have on chapter 14. Unfortunately, authorization is not working as I would expect it. Here are the specifics:
1) I'm running it on GlassFish v3
2) According to the web.xml, you create two security constraints. One on /trainer/*** requests to be accessed only by users with role of trainer. Another on the /user/*** requests to be accessed only by users with role of user
3) Whenever I try this app, I can access that pages without ever being authenticated (i.e. without logging in). I can access them by entering the URL's, say: http://localhost:8080/formBasedLogin/faces/user/userPage.xhtml
This is the problem I've been having whenever I try to do authorization. For some reason, either the URL is not matching the pattern specified or it gets rewritten by JSF 2.0 in some way?
Update: I'll leave the above comments, but I was able to get your example working by changing the URL patterns to: /faces/user/*** and /faces/trainer/*** Is this an error in the sample code or should the pattern you provide still work?
Update 2: It seems that I've now figured out that there is a difference on whether I use an outputLink or a commandLink. I need to read more about this. In any case, the URL patterns do match requests that are specified as an outputLink, but not when they are specified by a commandLink -- in this case, JSF uses JavaScript to make the request to some resource which does not match the pattern. It looks like I was just using commandLink before whereas I should have been using outputLink.

Similar Messages

  • Standard Authentication in JSF

    well i have a basic doubt of what is stanard authentication in JSF...
    well i use jsf and sdo...i use data objects and check whether username exists....
    i dont know what is standard authentication??
    how do i do that in JSF RAD....???
    how do i protect the pages based on Roles....
    (i can see options for roles in web.xml in RAD) but i am not in a position to use it...
    please help me to understand
    thanks...

    I've never heard of the term 'SDO'. Don't you mean 'SSO'?
    At least, what you described about the web.xml is just container based authentication. <security-constraint> and so on.
    Anyway, is it a job? Talk with your manager/lead about your skills. You're really in a deep hole now. You appears to be in lack of basic Java EE knowledge. This is not a good idea. Ask him for books and courses and take time to learn the basics and concepts properly. Another hint may be: don't use the visual drag'n'drop editor of RAD. Just switch to Java EE mode and write code by hand. Otherwise you will get lost when you need to solve a simple technical problem in between all of those autogenerated code garbage.

  • Form based authentication in JSF

    Hi,
    I am using form based authentication in JSF .
    I am not able to display the JSF page.
    I have this security constraint in my web.xml
    <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/jsp/WorkingZone.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
    <form-login-page>/Login/login.jsp</form-login-page>
    <form-error-page>/Login/error.jsp</form-error-page>
    </form-login-config>
    </login-config>
    WorkingZone.jsp is a jsp page with JSF components.Which can only be invoked with faces context.
    I am using JDBCRealm
    For the valid user I am getting this error------>
    HTTP Status 400 - Invalid direct reference to form login page
    type Status report
    message Invalid direct reference to form login page
    description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
    Please give me the solution.How can I access my jsf page.

    Thank you.
    Marcos
    Hi,
    It should help you:
    http://searchsoftwarequality.techtarget.com/searchAppS
    ecurity/downloads/JSF_ch15.pdf
    Message was edited by:
    syllepsa

  • Using j_security_check container authentication with JSF

    Hi All,
    After quite a bit of looking around, we resorted to using a plain login JSP page with a ServletFilter on j_security_check to have container managed authentication in our JSF based web-site using IBM Websphere 5.1
    So, basically every other page but the login page is JSF and just the login page is simple JSP with j_username & j_password.
    Recently, I started looking in the direction of trying to directly/programmatically invoke j_security_check using URLConnection object. There are various discussions on this on google groups:
    1. http://groups-beta.google.com/group/comp.lang.java.programmer/browse_thread/thread/1a2768da559e43ae/243982a33f02ab80?q=URLConnection%20j_security_check&_done=/groups?q=URLConnection%20j_security_check&hl=en&lr=&sa=N&tab=wg&&_doneTitle=Back%20to%20Search&d=&
    2. http://groups-beta.google.com/group/weblogic.developer.interest.security/browse_thread/thread/a375370efec24566/b81dc8320bcbc304?q=URLConnection+j_security_check&_done=%2Fgroups%3Fq%3DURLConnection+j_security_check%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#b81dc8320bcbc304
    My current code snippet is as follows:     public String submit(){
              String retVal = "";
              String j_username = getUserId().getValue().toString();
              String j_password = getPassword().getValue().toString();
              ExternalContext externalContext = getFacesContext().getExternalContext();
              String jsessionid = ((HttpSession)externalContext.getSession(false)).getId();          
              // Only if sanity checks and validations on j_username & j_password pass, proceed further.
              ApplicationParameter.getLogger().debug("Current jsessionid=" + jsessionid);
              ApplicationParameter.getLogger().debug("submitting login details (userId: " + j_username + " & password: " + j_password + ") to /j_security_check ...");
              try {
                   URL jSecurityCheckURL = new URL("http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password" + j_password);
                   HttpURLConnection jSecurityCheckURLConnection = (HttpURLConnection)jSecurityCheckURL.openConnection();
                   jSecurityCheckURLConnection.setRequestMethod("POST");
                   jSecurityCheckURLConnection.setInstanceFollowRedirects(false);
    //               jSecurityCheckURLConnection.addRequestProperty("j_username", j_username);
    //               jSecurityCheckURLConnection.addRequestProperty("j_password", j_password);
    //               jSecurityCheckURLConnection.setRequestProperty("j_username", j_username);
    //               jSecurityCheckURLConnection.setRequestProperty("j_password", j_password);
                   jSecurityCheckURLConnection.connect();
                   ApplicationParameter.getLogger().debug("j_security_check returned: " + jSecurityCheckURLConnection.getResponseCode() + ": " + jSecurityCheckURLConnection.getResponseCode());
                   if (null != externalContext) {
                        String remoteUser = externalContext.getRemoteUser();
                        ApplicationParameter.getLogger().debug("Authenticated username: " + remoteUser);
                        HttpServletRequest httpServletRequest = (HttpServletRequest)externalContext.getRequest();
                        Principal principal = httpServletRequest.getUserPrincipal();
                        if (null != principal) {
                             String userName = principal.getName();
                             ApplicationParameter.getLogger().debug("Authenticated username: " + userName);
                   } else {
                        ApplicationParameter.getLogger().debug("Unable to obtain Faces ExternalContext and hence the remote user details.");
              } catch (MalformedURLException ex) {
                   ApplicationParameter.getLogger().error(ex);
                   retVal = "";
              } catch (IOException ex) {
                   ApplicationParameter.getLogger().error(ex);
                   retVal = "";
              return retVal;
    The above code yields the following output:[DEBUG]: (Newlogin.submit:81) - Current jsessionid=H1QMk3TuyW_W8nSPnOtW-xi
    [DEBUG]: (Newlogin.submit:82) - submitting login details (userId: skhanna & password: password) to /j_security_check ...
    [DEBUG]: (Newlogin.submit:93) - j_security_check returned: 302: 302
    [DEBUG]: (Newlogin.submit:97) - Authenticated username: null
    Anyone have any idea why j_security_check returns 302 and also the authenticated username seems to be null indicating that the authentication did not go through!
    -Sandeep Khanna

    Can you help me!
    I try this for two days....
    Tomcat 5.0.27
    I get this:
    Current jsessionid=00F61ABF316F9A1676A41A1EA05177B2
    Submitting login details (userId: admin & password: admin) to /j_security_check!
    java.net.ConnectException: Connection refused: connect
    I have this code in backing bean:
    import java.net.HttpURLConnection;
    import java.net.MalformedURLException;
    import java.net.URL;
    import java.security.Principal;
    import javax.faces.context.ExternalContext;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    public String commandButton_action()
    String retVal = "";
    String j_username = inputText1.getValue().toString();
    String j_password = this.inputSecret1.getValue().toString();
    URL jSecurityCheckURL = null;
    HttpURLConnection jSecurityCheckURLConnection = null;
    ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
    String jsessionid = ((HttpSession)externalContext.getSession(false)).getId();
    System.out.println("Current jsessionid=" + jsessionid);
    System.out.println("Submitting login details (userId: " + j_username + " & password: " + j_password + ") to /j_security_check!");
    try {
    jSecurityCheckURL = new URL("http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password=" + j_password);
    jSecurityCheckURLConnection = (HttpURLConnection)jSecurityCheckURL.openConnection();
    jSecurityCheckURLConnection.setRequestMethod("POST");
    jSecurityCheckURLConnection.setInstanceFollowRedirects(false);
    jSecurityCheckURLConnection.connect();
    System.out.println("j_security_check returned: " + jSecurityCheckURLConnection.getResponseCode());
    //System.out.println("Current jsessionid=" + jsessionid);
    if (null != externalContext) {
    String remoteUser = externalContext.getRemoteUser();
    System.out.println("Authenticated username: " + remoteUser);
    HttpServletRequest httpServletRequest = (HttpServletRequest)externalContext.getRequest();
    Principal principal = httpServletRequest.getUserPrincipal();
    if (null != principal) {
    String userName = principal.getName();
    System.out.println("Authenticated username: " + userName);
    } else {
    System.out.println("Unable to obtain Faces ExternalContext and hence the remote user details.");
    catch (MalformedURLException ex) {
    System.out.println(ex);
    jSecurityCheckURL = null;
    jSecurityCheckURLConnection = null;
    retVal = "";
    catch (IOException ex) {
    System.out.println(ex);
    jSecurityCheckURL = null;
    jSecurityCheckURLConnection = null;
    retVal = "";
    return retVal;
    I try all this URL:
    http://localhost:8080/jSecurityCheck/j_security_check?jsessionid=" + jsessionid + "&j_username=" + j_username + "&j_password=" + j_password
    http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password=" + j_password
    TWO DAYS ..... H E L P M E !!!

  • Dynamic User Authentication in JSF, ADF BC Application

    I have developed a JSF, ADF BC Application using JDeveloper 10.1.3.3. My application consists of jspx pages and I also have to integrate some existing oracle forms with it using OraFormsFaces library.
    I have successfully used custom DBProcLogin Module by Frank to authenticate the users with the help of a stored procedure and user credentials stored in database tables.
    During integrating Oracle Forms I realised that some of these oracle forms use get_application_property(username) to retreive connected user information. All of the users which are stored in database tables are also oracle users with the same credentials as stored in database tables. The existing oracle forms based application was connecting to Oracle every time with different provided user credentials each time and therefore returning correct (required) user name information.
    Now since I have used DBProcLogin Module in new ADF application, when I run it, user is successfully authenticated but get_application_property(username) in the existing oracle forms returns the user name that application module is using to connect with the database. To make it work correctly, I want my ADF application to connect to oracle database with different user each time.
    I have searched and seen topics such as, Dynamic JDBC Credentials, Database Proxy Users etc. But I am confused with the width and depth of this much information available. Therefore, I thought I may get some advice from the experts present in the forum that which of the techniques will go best with my application.
    Keeping in view the scenario that I have provided, can someone please guide me to the best suitable technique and the related information/documentation?
    Thanks in advance,
    Amir

    Hi,
    the whitepaper you reference is written by the expert on this subject. Samples are posted by the same author: http://radio.weblogs.com/0118231/stories/2004/09/23/notYetDocumentedAdfSampleApplications.html
    Note that what you try to do will create a dedicated connection for Forms and ADF, which means that 100 users will have 200 database connections open.
    Frank

  • Form-based authentication and JSF

    I am trying to use a form-based authentication in Tomcat 6, and from what I understand the page that contains the login form can not be a JSF page.
    The problem I'm having with this is that I need the client's username and password accessible from my backing bean, but I don't know how to put them there from a standard JSP.
    Before all this, I had a simple login form with username/password fields that were bound to a bean, and a button that executed a bean method that would perform the login procedure, retrieve the client's data from the DB and create a Client object in the session to be accessible throughout the application. Now, I need to use container managed access control with form-based authentication, and I know how to set it up but don't know how to create the Client object if the container does all the authentication and I never even get a hold of a username/password combination let alone the rest of the client's data.
    Any advice on this would be greatly appreciated.

    alf.redo wrote:
    ...following article: [j2ee_security_a_jsf_based_login_form|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form]
    This is exactly the solution I am planning to use. It is good to know there are others who have decided to go that way.
    Thanks

  • JSF & Tomcat 5 session problems

    I am implemeting a web application using JSF and tomcat authentication. The problem is that tomcat is losing the session when I hit refresh on any of the pages which are marked as havign a security constraint.
    e.g. you go to index.html -> takes you to login.jsp (as you need to log in first), you log in successfuly and go to index.html, you hit refresh and get taken back to login.jsp.
    Any help would be much appreciated.
    If anyone has implementign an app using tomcat authentication and jsf, I would be grateful if they could tell me how they are managing to overcome this issue.

    I have a similar question, but not about session timeout, but managing the data within your session. In our previous homegrown JSP Model 2 Framework, we had various methods in place to cleanup the session for a page (essentially allowing you to cleanup the managed beans after you were done with a page). Due to constant activity, the sessions never timeout, but there is "dead" data in the session. How would you do this in JSF? For example, lets say you go through a wizard set of screens, where once complete, you don't want the managed beans to exist in the session anymore. Where would you tap into the JSF lifecycle to do this?
    Thanks in advance,
    Dave

  • Authorization with JAAS in JSF with facelets

    hi,
    can u please hint me where i did mistake.. i clearly mention what i did and what i getting ..i did this in jsf1.2,tomcat6.x
    i did JAAS authentication in jsf with facelets.but i am unable to do the authorization with JAAS in jsf
    after getting authentication i put the subject in session. if i print the values in suject i got the following out put
    Subject:
    Principal: TypedPrincipal: hari [USER] // user name
    Principal: TypedPrincipal: admin [GROUP] // user role.
    now i want to authorization based on the role.
    for this i wrote policy file --principal.policy like this
    grant Principal com.alw.reports.jaas.TypedPrincipal "admin" {
        permission com.alw.reports.jaas.ViewIdPermission "*";
    grant Principal com.alw.reports.jaas.TypedPrincipal "hari" {
        permission com.alw.reports.jaas.ViewIdPermission "*";
    grant Principal com.alw.reports.jaas.TypedPrincipal "user" {
        permission com.alw.reports.jaas.ViewIdPermission "/contents.jsp";
    };and i set the path for this policy file like
                  System.setProperty("java.security.policy", "policy file location" );when i run my application i am getting login page after that i gave username and passwed. it is getting authentication .. but not able to displaying next page that is /pages/welcome.xhtml but directly it is showin /pages/error.xhtml
    i am getting following error
    java.security.AccessControlException: access denied (com.alw.reports.jaas.ViewIdPermission /pages/welcome.xhtml)
         at java.security.AccessControlContext.checkPermission(Unknown Source)
         at java.security.AccessController.checkPermission(Unknown Source)
         at java.lang.SecurityManager.checkPermission(Unknown Source)
         at com.alw.reports.jaas.JAASHelper$1.run(JAASHelper.java:87)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
         at com.alw.reports.jaas.JAASHelper.permitionToAccessViewId(JAASHelper.java:83)
         at com.alw.reports.jaas.JAASActionListener.processAction(JAASActionListener.java:65)
         at javax.faces.component.UICommand.broadcast(UICommand.java:106)
         at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
         at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
         at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
         at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:316)
         at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
         at javax.faces.webapp.FacesServlet.service(FacesServlet.java:106)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
         at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
         at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
         at java.lang.Thread.run(Unknown Source)
    my faces-config.xml
    <navigation-rule>
              <display-name>pages/login</display-name>
              <from-view-id>/pages/login.xhtml</from-view-id>
              <navigation-case>
                   <from-outcome>loginSuccess</from-outcome>
                   <to-view-id>/pages/welcome.xhtml</to-view-id>
              </navigation-case>
         </navigation-rule>
    <navigation-case>
                   <from-outcome>errorpage</from-outcome>
                   <to-view-id>
                        /pages/error.xhtml
                   </to-view-id>
              </navigation-case>my command button in login.xhtml
                             <td align="center" colspan="2">
                                  <h:commandButton value="Reset" type="reset"/>
                                  <h:commandButton   action="loginSuccess"
                                       id="login" value="Login" />
                             </td>my actionlister
    package com.alw.reports.jaas;
    import javax.faces.component.UIOutput;
    import javax.faces.context.FacesContext;
    import javax.faces.event.AbortProcessingException;
    import javax.faces.event.ActionEvent;
    import javax.faces.event.ActionListener;
    import javax.security.auth.Subject;
    public class JAASActionListener implements ActionListener   {
         private ActionListener parent = null;
         public JAASActionListener(javax.faces.event.ActionListener parent) {
              System.out.println("-------------- in JAASActionListener ;");
           this.parent = parent;
         public void processAction(ActionEvent event)
           throws AbortProcessingException {
              System.out.println("-------------- in processAction ;");
           FacesContext context = FacesContext.getCurrentInstance();
           UIOutput comp = null;
           String userid = null, password = null;
           JAASHelper jaasHelper = new JAASHelper();
           // Check to see if they are on the login page.
           boolean onLoginPage = (-1 != context.getViewRoot().getViewId().lastIndexOf("login")) ? true : false;
           if (onLoginPage) {
             if (null != (comp = (UIOutput)
               context.getViewRoot().findComponent("helloForm:username"))) {
               userid = (String) comp.getValue();
             if (null != (comp = (UIOutput)
               context.getViewRoot().findComponent("helloForm:password"))) {
               password = (String) comp.getValue();
             // If JAAS authentication failed
             if (!jaasHelper.authenticate(userid, password)) {
               context.getApplication().getNavigationHandler().handleNavigation(context, null, "login");
               return;
             else {
               // Subject must not be null, since authentication succeeded
                  System.out.println("----------- setting the subjects in context in  ActionListner ");
               assert(null != jaasHelper.getSubject());
               // Put the authenticated subject in the session.
               System.out.println("---- putting the authenicated subject in the seesion ");
               context.getExternalContext().getSessionMap().put("JAASSubject",jaasHelper.getSubject());
           parent.processAction(event);
           Subject subject=(Subject)context.getExternalContext().getSessionMap().get("JAASSubject");
          System.out.println("subject after parent process action>>>>>>>>>>>>>>>>>>>>>"+subject);
          assert(null != subject);
          if(!jaasHelper.permitionToAccessViewId(subject,context,context.getViewRoot().getViewId())){
              context.getApplication().getNavigationHandler().handleNavigation(context, null, "errorpage");
    }can u please hint me where i did mistake
    thanks in advance

    gbabu wrote:
    My doubt is based on that subject , how to write policy file and how to call doAsPrivileged() mehod on that Subject in order to navigate web pages.how to provide web pages permission for particular role in policy file..
    For example i have three pages login.xhtml,user.xhtml,admin.xhtml.
    1> if the logged in person is admin, then we want to display admin.xhtml
    2> if the loggend is person is user , then we want to display user.xhtml
    untill now i did and found who is logged in and what are his type( admin or user) .now i want configure the web.xml and faces-config.xml based on policy fileTo the best of my knowledge, there is nothing in the standard NavigationHandler which accounts for JAAS security. If you wanted, you could create a custom NavigationHandler to do this. If you think the idea is worthy enough, you could issue an enhancement request to the specification ([https://javaserverfaces-spec-public.dev.java.net/]).

  • Using NTLM authentication

    Hi,
    Is there a way to get domain logged user name using NTLM authentication into JSF page.
    Please provide any solution on this ?

    Hi,
    Using the below code u can get windows username,but when i use the same code struts framework is not calling setter methods, can anyone help me.
    <%
    String auth = request.getHeader("Authorization");
    if (auth == null) {
    response.setStatus(response.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "NTLM");
    return;
    if (auth.startsWith("NTLM ")) {
    byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
    int off = 0, length, offset;
    String s;
    if (msg[8] == 1) {
    off = 18;
    byte z = 0;
    byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S',
    (byte)'S', (byte)'P', z,
    (byte)2, z, z, z, z, z, z, z,
    (byte)40, z, z, z, (byte)1, (byte)130, z, z,
    z, (byte)2, (byte)2, (byte)2, z, z, z, z, //
    z, z, z, z, z, z, z, z};
    response.setStatus(response.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "NTLM "
    + new sun.misc.BASE64Encoder().encodeBuffer(msg1).trim());
    return;
    else if (msg[8] == 3) {
    off = 30;
    length = msg[off+17]*256 + msg[off+16];
    offset = msg[off+19]*256 + msg[off+18];
    s = new String(msg, offset, length);
    //out.println(s + " ");
    else
    return;
    length = msg[off+1]*256 + msg[off];
    offset = msg[off+3]*256 + msg[off+2];
    s = new String(msg, offset, length);
    //out.println(s + " ");
    length = msg[off+9]*256 + msg[off+8];
    offset = msg[off+11]*256 + msg[off+10];
    s = new String(msg, offset, length);
    out.println("Hello <span style='position:relative; width:190;"
    + " height:10;filter:glow(Color=#009966,Strength=1)'>");
    out.println(s + "</SPAN>");
    %>

  • Window Authentication

    Can anyone guide me how to implement window authentication in jsf application or any suggestion tutorial or website to refer to. Google search return me mostly about asp.net.

    hi
    you can add the parameters:
    anyway lokk at this link: http://jcifs.samba.org/src/docs/ntlmhttpauth.html
    <filter>
              <filter-name>NtlmHttpFilter</filter-name>
              <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
              <init-param>
                   <param-name>jcifs.http.domainController</param-name>
                   <!-- IP ADDRESS OF THE NETWORK -->Put your domain IP address
                   <param-value>999.99.99.99</param-value>
              </init-param>
                                    <init-param>
                   <param-name>jcifs.smb.client.soTimeout</param-name>
                   <!-- by default its going to be 5 min you can chnage it it here-->
                   <param-value>ITS  GOING TO BE IN MILLISECONDS</param-value>
              </init-param>
         </filter>
         <filter-mapping>
              <filter-name>NtlmHttpFilter</filter-name>
                              <!-- Here its going to authenticate the entire application-->
              <url-pattern>/*</url-pattern>
         </filter-mapping>

  • Security with JSF2

    Hi can anyone let me know how to use JDBC Realm for authentication and authorization using Glassfish Server.
    Also let me know how to maintain the session after authentication in JSF.

    You really expect people to answer more than "read the manual" ?
    You don't have a problem, you can solve this yourself. Go do it and come back when you have an actual problem that you cannot solve yourself.

  • JSF authentication

    Hi
    This is the situation:
    I have implemented a form-based authentication against a Directory Service (OpenDS), inside the funcionality of the application i can change the password of the username, using the JNDI API:
    DirContext contexto = obtenerContextoDirectorio();
                ModificationItem[] modificacion = new ModificationItem[1];
                modificacion[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                        new BasicAttribute("userPassword"));
                contexto.modifyAttributes("uid=" + nombreUsuario, modificacion);
                modificacion[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
                        new BasicAttribute("userPassword", secretField1.getValue().toString()));
                contexto.modifyAttributes("uid=" + nombreUsuario, modificacion);In any page of the application i can logout using the next instructions:
    ExternalContext ectx =
                    FacesContext.getCurrentInstance().getExternalContext();
            HttpServletResponse response =
                    (HttpServletResponse)ectx.getResponse();
            HttpSession session = (HttpSession)ectx.getSession(false);
            session.invalidate();
            FacesContext.getCurrentInstance().responseComplete();
            response.sendRedirect("MenuAdministrador.jsp");Ok, now this is the situation:I Login with the following credentials:
    username: jperez
    password: otro
    Then inside de application i change the password of jperez to "algo", changing the entry in the LDAP directory service. Then I logout.
    the problem is that then i can login with two password
    username: jperez
    pasword: otro
    Or
    username: jperez
    password: algo
    I have to redeploy de .ear in the application server to then just login with username: jperez
    password: algo
    Thanks for you answers...
    Edited by: oashton30 on Oct 27, 2007 7:22 PM

    Thank you very much sir.
    Well, that article seems very much complex to be honest, I am not familiar with JAAS, and some other technologies described there, I have to stick to JSF only in my case.
    If it's not much asking I just would like to know, If there's a way to retrieve the user and the password directly from the table, AFTER I have created an appropiate connection to the selected database which contains the USERS table.
    Once I have done that, Which Objects would be neccesary to create? and what code do I need to put in the backing bean to authenticate from the Database the values in the Input Text corresponding to the user and password?

  • How to Create User ,Group ,Role in Jsf and Give  differ authentication to e

    Hi i am working in java server faces .
    i trying to create roles ,user with different abilities .
    Like one is normal user, admin , they have different abilities,
    i need that abilities on bases of module,form,field like Drupal like CMS they provide.
    So how to do that think in JSF plz help

    You can use one of the various ways Java EE provides you, e.g. container managed authentication.
    It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
    You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
    Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].

  • Authorization and Authentication using filters in jsf aplication

    Hello,
    I need some valuable suggestions to develop a jsf application for users to login where they be Authenticated and Authorized to go to other applications using filters . I am using websphere application server 6.0.
    and need to share sesion data across application.
    Please let me know some existing application or example to look into.
    Thanks in advance. :)

    javafullinto wrote:
    All the requests that are to a particlar folder must be authenticated and once authenticated they must be logged in until they logout or close the browser.
    How can I do this using filters.Just check if the user is logged in and handle accordingly. If the user is not logged in, then redirect the request to the login page or so. If the user is logged in, then continue with request.
    Pseudo:doFilter() {
        if (user is not logged in) {
            redirect to login page;
        } else {
            proceed with request;
    }And map this filter on an url-pattern covering the secured pages. Fairly simple.

  • Authentication / authorization in jsf

    hi all!
    how can I perform a authentication/authorization system in jsf?
    Last time i've checked the user form and created a userBean in session scope,if the user is valid.
    how can I check if the user is logged and witch page he try to retrieve,for every url?
    do you know of any on line resources on this?
    thanks a lot
    Luca

    hi all!
    how can I perform a authentication/authorization system in jsf?
    Last time i've checked the user form and created a userBean in session scope,if the user is valid.
    how can I check if the user is logged and witch page he try to retrieve,for every url?
    do you know of any on line resources on this?
    thanks a lot
    Luca

Maybe you are looking for

  • Supplier Item Catalog - search screen query ~ tends to take 10 - 12 secs

    I wanted to find out if any customer(s) out there has ever encountered this performance issue in the Supplier Item Catalog search screen. We setup an item catalog category using the supplier item but when we attempt to query on the item/supplier sear

  • EDI setting

    hi all,   any one have step by step procedure to send IDoc  to External System[outbound  EDI process]   using EDI. how will do configuration  for EDI .it is same as ALE or some thing different.If it is different then what are the T-codes for configur

  • Hyperion analyzer 7.2.5 report export

    Hi I am tryinig to export a report in to excel and text file When I am trying to export to text I am getting the html code, how to export the report (not the code) to text file, do I need to do any configuration for this. Coming to excel, I gone thro

  • Exchange 2010 activity

    Hello guys, i want to check inactive Group mailboxes under an Exchange 2010 environment, because i have a auditory going on and i need to know which mailboxes are being used and which are not. Is there any way i can check the Exchange activity in ord

  • Tranx: VL10F is there any other alternate with Screen

    Dear SAP Gurus.... I am creating a program for PO and Scheduling. But i could not record the transaction for VL10F as when it goes to the next screen where line items are displayed, it is displayed in List and recording does not take place. Is there