Authentication in JSF 2.0
I could use some advise... I've been trying to implement authentication in a JSF 2.0 web application and I've not been completely successful. I'm using NetBeans 6.8 and GlassFish v3. Here is what I would like:
1) Use container managed security with a JDBC realm. Users who register via the web app will end up as users in the table that is used to authenticate access to the web app
2) I want to use role-base authorization that I can specify in my web.xml file as [described in the JEE 6 tutorial.|http://java.sun.com/javaee/6/docs/tutorial/doc/bnbxj.html#bnbxu]. Thus, I'd like to secure JSF pages as well as managed bean actions.
3) My web app uses EJB's that are secured using the [EJB annotations as described in the JEE 6 tutorial|http://java.sun.com/javaee/6/docs/tutorial/doc/bnbyl.html#gjgcq]. My understanding is that the credentials from the web app are propagated to the EJB's, so I should not need to do anything, other than catch exceptions whenever the EJB is being accessed by an unauthorized role.
4) Ideally, I'd like to use a JSF form to request username/password from a user. I know the JSF form cannot directly post the information to the container's security mechanism (i.e. j_security_check action). While I've found some ways to do it, none are really satisfactory, so I've had to just use a plain HTML form.
5) I could do it [authentication programmatically as explained in the JEE 6 tutorial|http://java.sun.com/javaee/6/docs/tutorial/doc/gjiie.html]. Unfortunately, the tutorial shows how to do this from a Servlet and not from JSF. In particular, I could invoke the HttpServletRequest#login method, but its result does not enter a session and thus I cannot continue to use container managed authorization past the request. If I use HttpServletRequest#authenticate, then this will force the container to present the login form I specify in web.xml and the credentials will be in the session.
6) FYI, I've tried to implement an authentication a Filter but the URL requests that come from a JSF 2.0 app just do not correspond to what I'm looking for in the filter. That is, if I have a directory named secured where I keep JSF pages to be accessed only by authenticated users, I set up a Filter to look for these requests and it does not behave as expected (or at least the way it behaves when I use it with JSP)
I hope someone here can help me find the resources so I can implement this. I've Googled many times and most of what I'm finding is incomplete. I'd greatly appreciate anyone's help and guidance in this. FYI... some students are counting on me to deliver a solution to this! I did not think it would be difficult, but it has turned out to be that way.
Thanks for reading this far!
Alvaro
Hello Ed. I have your JSF 2.0 book now. I download and tried the authentication example that you have on chapter 14. Unfortunately, authorization is not working as I would expect it. Here are the specifics:
1) I'm running it on GlassFish v3
2) According to the web.xml, you create two security constraints. One on /trainer/*** requests to be accessed only by users with role of trainer. Another on the /user/*** requests to be accessed only by users with role of user
3) Whenever I try this app, I can access that pages without ever being authenticated (i.e. without logging in). I can access them by entering the URL's, say: http://localhost:8080/formBasedLogin/faces/user/userPage.xhtml
This is the problem I've been having whenever I try to do authorization. For some reason, either the URL is not matching the pattern specified or it gets rewritten by JSF 2.0 in some way?
Update: I'll leave the above comments, but I was able to get your example working by changing the URL patterns to: /faces/user/*** and /faces/trainer/*** Is this an error in the sample code or should the pattern you provide still work?
Update 2: It seems that I've now figured out that there is a difference on whether I use an outputLink or a commandLink. I need to read more about this. In any case, the URL patterns do match requests that are specified as an outputLink, but not when they are specified by a commandLink -- in this case, JSF uses JavaScript to make the request to some resource which does not match the pattern. It looks like I was just using commandLink before whereas I should have been using outputLink.
Similar Messages
-
Standard Authentication in JSF
well i have a basic doubt of what is stanard authentication in JSF...
well i use jsf and sdo...i use data objects and check whether username exists....
i dont know what is standard authentication??
how do i do that in JSF RAD....???
how do i protect the pages based on Roles....
(i can see options for roles in web.xml in RAD) but i am not in a position to use it...
please help me to understand
thanks...I've never heard of the term 'SDO'. Don't you mean 'SSO'?
At least, what you described about the web.xml is just container based authentication. <security-constraint> and so on.
Anyway, is it a job? Talk with your manager/lead about your skills. You're really in a deep hole now. You appears to be in lack of basic Java EE knowledge. This is not a good idea. Ask him for books and courses and take time to learn the basics and concepts properly. Another hint may be: don't use the visual drag'n'drop editor of RAD. Just switch to Java EE mode and write code by hand. Otherwise you will get lost when you need to solve a simple technical problem in between all of those autogenerated code garbage. -
Form based authentication in JSF
Hi,
I am using form based authentication in JSF .
I am not able to display the JSF page.
I have this security constraint in my web.xml
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/jsp/WorkingZone.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/Login/login.jsp</form-login-page>
<form-error-page>/Login/error.jsp</form-error-page>
</form-login-config>
</login-config>
WorkingZone.jsp is a jsp page with JSF components.Which can only be invoked with faces context.
I am using JDBCRealm
For the valid user I am getting this error------>
HTTP Status 400 - Invalid direct reference to form login page
type Status report
message Invalid direct reference to form login page
description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
Please give me the solution.How can I access my jsf page.Thank you.
Marcos
Hi,
It should help you:
http://searchsoftwarequality.techtarget.com/searchAppS
ecurity/downloads/JSF_ch15.pdf
Message was edited by:
syllepsa -
Using j_security_check container authentication with JSF
Hi All,
After quite a bit of looking around, we resorted to using a plain login JSP page with a ServletFilter on j_security_check to have container managed authentication in our JSF based web-site using IBM Websphere 5.1
So, basically every other page but the login page is JSF and just the login page is simple JSP with j_username & j_password.
Recently, I started looking in the direction of trying to directly/programmatically invoke j_security_check using URLConnection object. There are various discussions on this on google groups:
1. http://groups-beta.google.com/group/comp.lang.java.programmer/browse_thread/thread/1a2768da559e43ae/243982a33f02ab80?q=URLConnection%20j_security_check&_done=/groups?q=URLConnection%20j_security_check&hl=en&lr=&sa=N&tab=wg&&_doneTitle=Back%20to%20Search&d=&
2. http://groups-beta.google.com/group/weblogic.developer.interest.security/browse_thread/thread/a375370efec24566/b81dc8320bcbc304?q=URLConnection+j_security_check&_done=%2Fgroups%3Fq%3DURLConnection+j_security_check%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#b81dc8320bcbc304
My current code snippet is as follows: public String submit(){
String retVal = "";
String j_username = getUserId().getValue().toString();
String j_password = getPassword().getValue().toString();
ExternalContext externalContext = getFacesContext().getExternalContext();
String jsessionid = ((HttpSession)externalContext.getSession(false)).getId();
// Only if sanity checks and validations on j_username & j_password pass, proceed further.
ApplicationParameter.getLogger().debug("Current jsessionid=" + jsessionid);
ApplicationParameter.getLogger().debug("submitting login details (userId: " + j_username + " & password: " + j_password + ") to /j_security_check ...");
try {
URL jSecurityCheckURL = new URL("http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password" + j_password);
HttpURLConnection jSecurityCheckURLConnection = (HttpURLConnection)jSecurityCheckURL.openConnection();
jSecurityCheckURLConnection.setRequestMethod("POST");
jSecurityCheckURLConnection.setInstanceFollowRedirects(false);
// jSecurityCheckURLConnection.addRequestProperty("j_username", j_username);
// jSecurityCheckURLConnection.addRequestProperty("j_password", j_password);
// jSecurityCheckURLConnection.setRequestProperty("j_username", j_username);
// jSecurityCheckURLConnection.setRequestProperty("j_password", j_password);
jSecurityCheckURLConnection.connect();
ApplicationParameter.getLogger().debug("j_security_check returned: " + jSecurityCheckURLConnection.getResponseCode() + ": " + jSecurityCheckURLConnection.getResponseCode());
if (null != externalContext) {
String remoteUser = externalContext.getRemoteUser();
ApplicationParameter.getLogger().debug("Authenticated username: " + remoteUser);
HttpServletRequest httpServletRequest = (HttpServletRequest)externalContext.getRequest();
Principal principal = httpServletRequest.getUserPrincipal();
if (null != principal) {
String userName = principal.getName();
ApplicationParameter.getLogger().debug("Authenticated username: " + userName);
} else {
ApplicationParameter.getLogger().debug("Unable to obtain Faces ExternalContext and hence the remote user details.");
} catch (MalformedURLException ex) {
ApplicationParameter.getLogger().error(ex);
retVal = "";
} catch (IOException ex) {
ApplicationParameter.getLogger().error(ex);
retVal = "";
return retVal;
The above code yields the following output:[DEBUG]: (Newlogin.submit:81) - Current jsessionid=H1QMk3TuyW_W8nSPnOtW-xi
[DEBUG]: (Newlogin.submit:82) - submitting login details (userId: skhanna & password: password) to /j_security_check ...
[DEBUG]: (Newlogin.submit:93) - j_security_check returned: 302: 302
[DEBUG]: (Newlogin.submit:97) - Authenticated username: null
Anyone have any idea why j_security_check returns 302 and also the authenticated username seems to be null indicating that the authentication did not go through!
-Sandeep KhannaCan you help me!
I try this for two days....
Tomcat 5.0.27
I get this:
Current jsessionid=00F61ABF316F9A1676A41A1EA05177B2
Submitting login details (userId: admin & password: admin) to /j_security_check!
java.net.ConnectException: Connection refused: connect
I have this code in backing bean:
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Principal;
import javax.faces.context.ExternalContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
public String commandButton_action()
String retVal = "";
String j_username = inputText1.getValue().toString();
String j_password = this.inputSecret1.getValue().toString();
URL jSecurityCheckURL = null;
HttpURLConnection jSecurityCheckURLConnection = null;
ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
String jsessionid = ((HttpSession)externalContext.getSession(false)).getId();
System.out.println("Current jsessionid=" + jsessionid);
System.out.println("Submitting login details (userId: " + j_username + " & password: " + j_password + ") to /j_security_check!");
try {
jSecurityCheckURL = new URL("http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password=" + j_password);
jSecurityCheckURLConnection = (HttpURLConnection)jSecurityCheckURL.openConnection();
jSecurityCheckURLConnection.setRequestMethod("POST");
jSecurityCheckURLConnection.setInstanceFollowRedirects(false);
jSecurityCheckURLConnection.connect();
System.out.println("j_security_check returned: " + jSecurityCheckURLConnection.getResponseCode());
//System.out.println("Current jsessionid=" + jsessionid);
if (null != externalContext) {
String remoteUser = externalContext.getRemoteUser();
System.out.println("Authenticated username: " + remoteUser);
HttpServletRequest httpServletRequest = (HttpServletRequest)externalContext.getRequest();
Principal principal = httpServletRequest.getUserPrincipal();
if (null != principal) {
String userName = principal.getName();
System.out.println("Authenticated username: " + userName);
} else {
System.out.println("Unable to obtain Faces ExternalContext and hence the remote user details.");
catch (MalformedURLException ex) {
System.out.println(ex);
jSecurityCheckURL = null;
jSecurityCheckURLConnection = null;
retVal = "";
catch (IOException ex) {
System.out.println(ex);
jSecurityCheckURL = null;
jSecurityCheckURLConnection = null;
retVal = "";
return retVal;
I try all this URL:
http://localhost:8080/jSecurityCheck/j_security_check?jsessionid=" + jsessionid + "&j_username=" + j_username + "&j_password=" + j_password
http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password=" + j_password
TWO DAYS ..... H E L P M E !!! -
Dynamic User Authentication in JSF, ADF BC Application
I have developed a JSF, ADF BC Application using JDeveloper 10.1.3.3. My application consists of jspx pages and I also have to integrate some existing oracle forms with it using OraFormsFaces library.
I have successfully used custom DBProcLogin Module by Frank to authenticate the users with the help of a stored procedure and user credentials stored in database tables.
During integrating Oracle Forms I realised that some of these oracle forms use get_application_property(username) to retreive connected user information. All of the users which are stored in database tables are also oracle users with the same credentials as stored in database tables. The existing oracle forms based application was connecting to Oracle every time with different provided user credentials each time and therefore returning correct (required) user name information.
Now since I have used DBProcLogin Module in new ADF application, when I run it, user is successfully authenticated but get_application_property(username) in the existing oracle forms returns the user name that application module is using to connect with the database. To make it work correctly, I want my ADF application to connect to oracle database with different user each time.
I have searched and seen topics such as, Dynamic JDBC Credentials, Database Proxy Users etc. But I am confused with the width and depth of this much information available. Therefore, I thought I may get some advice from the experts present in the forum that which of the techniques will go best with my application.
Keeping in view the scenario that I have provided, can someone please guide me to the best suitable technique and the related information/documentation?
Thanks in advance,
AmirHi,
the whitepaper you reference is written by the expert on this subject. Samples are posted by the same author: http://radio.weblogs.com/0118231/stories/2004/09/23/notYetDocumentedAdfSampleApplications.html
Note that what you try to do will create a dedicated connection for Forms and ADF, which means that 100 users will have 200 database connections open.
Frank -
Form-based authentication and JSF
I am trying to use a form-based authentication in Tomcat 6, and from what I understand the page that contains the login form can not be a JSF page.
The problem I'm having with this is that I need the client's username and password accessible from my backing bean, but I don't know how to put them there from a standard JSP.
Before all this, I had a simple login form with username/password fields that were bound to a bean, and a button that executed a bean method that would perform the login procedure, retrieve the client's data from the DB and create a Client object in the session to be accessible throughout the application. Now, I need to use container managed access control with form-based authentication, and I know how to set it up but don't know how to create the Client object if the container does all the authentication and I never even get a hold of a username/password combination let alone the rest of the client's data.
Any advice on this would be greatly appreciated.alf.redo wrote:
...following article: [j2ee_security_a_jsf_based_login_form|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form]
This is exactly the solution I am planning to use. It is good to know there are others who have decided to go that way.
Thanks -
JSF & Tomcat 5 session problems
I am implemeting a web application using JSF and tomcat authentication. The problem is that tomcat is losing the session when I hit refresh on any of the pages which are marked as havign a security constraint.
e.g. you go to index.html -> takes you to login.jsp (as you need to log in first), you log in successfuly and go to index.html, you hit refresh and get taken back to login.jsp.
Any help would be much appreciated.
If anyone has implementign an app using tomcat authentication and jsf, I would be grateful if they could tell me how they are managing to overcome this issue.I have a similar question, but not about session timeout, but managing the data within your session. In our previous homegrown JSP Model 2 Framework, we had various methods in place to cleanup the session for a page (essentially allowing you to cleanup the managed beans after you were done with a page). Due to constant activity, the sessions never timeout, but there is "dead" data in the session. How would you do this in JSF? For example, lets say you go through a wizard set of screens, where once complete, you don't want the managed beans to exist in the session anymore. Where would you tap into the JSF lifecycle to do this?
Thanks in advance,
Dave -
Authorization with JAAS in JSF with facelets
hi,
can u please hint me where i did mistake.. i clearly mention what i did and what i getting ..i did this in jsf1.2,tomcat6.x
i did JAAS authentication in jsf with facelets.but i am unable to do the authorization with JAAS in jsf
after getting authentication i put the subject in session. if i print the values in suject i got the following out put
Subject:
Principal: TypedPrincipal: hari [USER] // user name
Principal: TypedPrincipal: admin [GROUP] // user role.
now i want to authorization based on the role.
for this i wrote policy file --principal.policy like this
grant Principal com.alw.reports.jaas.TypedPrincipal "admin" {
permission com.alw.reports.jaas.ViewIdPermission "*";
grant Principal com.alw.reports.jaas.TypedPrincipal "hari" {
permission com.alw.reports.jaas.ViewIdPermission "*";
grant Principal com.alw.reports.jaas.TypedPrincipal "user" {
permission com.alw.reports.jaas.ViewIdPermission "/contents.jsp";
};and i set the path for this policy file like
System.setProperty("java.security.policy", "policy file location" );when i run my application i am getting login page after that i gave username and passwed. it is getting authentication .. but not able to displaying next page that is /pages/welcome.xhtml but directly it is showin /pages/error.xhtml
i am getting following error
java.security.AccessControlException: access denied (com.alw.reports.jaas.ViewIdPermission /pages/welcome.xhtml)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at com.alw.reports.jaas.JAASHelper$1.run(JAASHelper.java:87)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
at com.alw.reports.jaas.JAASHelper.permitionToAccessViewId(JAASHelper.java:83)
at com.alw.reports.jaas.JAASActionListener.processAction(JAASActionListener.java:65)
at javax.faces.component.UICommand.broadcast(UICommand.java:106)
at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:316)
at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:106)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
my faces-config.xml
<navigation-rule>
<display-name>pages/login</display-name>
<from-view-id>/pages/login.xhtml</from-view-id>
<navigation-case>
<from-outcome>loginSuccess</from-outcome>
<to-view-id>/pages/welcome.xhtml</to-view-id>
</navigation-case>
</navigation-rule>
<navigation-case>
<from-outcome>errorpage</from-outcome>
<to-view-id>
/pages/error.xhtml
</to-view-id>
</navigation-case>my command button in login.xhtml
<td align="center" colspan="2">
<h:commandButton value="Reset" type="reset"/>
<h:commandButton action="loginSuccess"
id="login" value="Login" />
</td>my actionlister
package com.alw.reports.jaas;
import javax.faces.component.UIOutput;
import javax.faces.context.FacesContext;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;
import javax.security.auth.Subject;
public class JAASActionListener implements ActionListener {
private ActionListener parent = null;
public JAASActionListener(javax.faces.event.ActionListener parent) {
System.out.println("-------------- in JAASActionListener ;");
this.parent = parent;
public void processAction(ActionEvent event)
throws AbortProcessingException {
System.out.println("-------------- in processAction ;");
FacesContext context = FacesContext.getCurrentInstance();
UIOutput comp = null;
String userid = null, password = null;
JAASHelper jaasHelper = new JAASHelper();
// Check to see if they are on the login page.
boolean onLoginPage = (-1 != context.getViewRoot().getViewId().lastIndexOf("login")) ? true : false;
if (onLoginPage) {
if (null != (comp = (UIOutput)
context.getViewRoot().findComponent("helloForm:username"))) {
userid = (String) comp.getValue();
if (null != (comp = (UIOutput)
context.getViewRoot().findComponent("helloForm:password"))) {
password = (String) comp.getValue();
// If JAAS authentication failed
if (!jaasHelper.authenticate(userid, password)) {
context.getApplication().getNavigationHandler().handleNavigation(context, null, "login");
return;
else {
// Subject must not be null, since authentication succeeded
System.out.println("----------- setting the subjects in context in ActionListner ");
assert(null != jaasHelper.getSubject());
// Put the authenticated subject in the session.
System.out.println("---- putting the authenicated subject in the seesion ");
context.getExternalContext().getSessionMap().put("JAASSubject",jaasHelper.getSubject());
parent.processAction(event);
Subject subject=(Subject)context.getExternalContext().getSessionMap().get("JAASSubject");
System.out.println("subject after parent process action>>>>>>>>>>>>>>>>>>>>>"+subject);
assert(null != subject);
if(!jaasHelper.permitionToAccessViewId(subject,context,context.getViewRoot().getViewId())){
context.getApplication().getNavigationHandler().handleNavigation(context, null, "errorpage");
}can u please hint me where i did mistake
thanks in advancegbabu wrote:
My doubt is based on that subject , how to write policy file and how to call doAsPrivileged() mehod on that Subject in order to navigate web pages.how to provide web pages permission for particular role in policy file..
For example i have three pages login.xhtml,user.xhtml,admin.xhtml.
1> if the logged in person is admin, then we want to display admin.xhtml
2> if the loggend is person is user , then we want to display user.xhtml
untill now i did and found who is logged in and what are his type( admin or user) .now i want configure the web.xml and faces-config.xml based on policy fileTo the best of my knowledge, there is nothing in the standard NavigationHandler which accounts for JAAS security. If you wanted, you could create a custom NavigationHandler to do this. If you think the idea is worthy enough, you could issue an enhancement request to the specification ([https://javaserverfaces-spec-public.dev.java.net/]). -
Hi,
Is there a way to get domain logged user name using NTLM authentication into JSF page.
Please provide any solution on this ?Hi,
Using the below code u can get windows username,but when i use the same code struts framework is not calling setter methods, can anyone help me.
<%
String auth = request.getHeader("Authorization");
if (auth == null) {
response.setStatus(response.SC_UNAUTHORIZED);
response.setHeader("WWW-Authenticate", "NTLM");
return;
if (auth.startsWith("NTLM ")) {
byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
int off = 0, length, offset;
String s;
if (msg[8] == 1) {
off = 18;
byte z = 0;
byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S',
(byte)'S', (byte)'P', z,
(byte)2, z, z, z, z, z, z, z,
(byte)40, z, z, z, (byte)1, (byte)130, z, z,
z, (byte)2, (byte)2, (byte)2, z, z, z, z, //
z, z, z, z, z, z, z, z};
response.setStatus(response.SC_UNAUTHORIZED);
response.setHeader("WWW-Authenticate", "NTLM "
+ new sun.misc.BASE64Encoder().encodeBuffer(msg1).trim());
return;
else if (msg[8] == 3) {
off = 30;
length = msg[off+17]*256 + msg[off+16];
offset = msg[off+19]*256 + msg[off+18];
s = new String(msg, offset, length);
//out.println(s + " ");
else
return;
length = msg[off+1]*256 + msg[off];
offset = msg[off+3]*256 + msg[off+2];
s = new String(msg, offset, length);
//out.println(s + " ");
length = msg[off+9]*256 + msg[off+8];
offset = msg[off+11]*256 + msg[off+10];
s = new String(msg, offset, length);
out.println("Hello <span style='position:relative; width:190;"
+ " height:10;filter:glow(Color=#009966,Strength=1)'>");
out.println(s + "</SPAN>");
%> -
Can anyone guide me how to implement window authentication in jsf application or any suggestion tutorial or website to refer to. Google search return me mostly about asp.net.
hi
you can add the parameters:
anyway lokk at this link: http://jcifs.samba.org/src/docs/ntlmhttpauth.html
<filter>
<filter-name>NtlmHttpFilter</filter-name>
<filter-class>jcifs.http.NtlmHttpFilter</filter-class>
<init-param>
<param-name>jcifs.http.domainController</param-name>
<!-- IP ADDRESS OF THE NETWORK -->Put your domain IP address
<param-value>999.99.99.99</param-value>
</init-param>
<init-param>
<param-name>jcifs.smb.client.soTimeout</param-name>
<!-- by default its going to be 5 min you can chnage it it here-->
<param-value>ITS GOING TO BE IN MILLISECONDS</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>NtlmHttpFilter</filter-name>
<!-- Here its going to authenticate the entire application-->
<url-pattern>/*</url-pattern>
</filter-mapping> -
Hi can anyone let me know how to use JDBC Realm for authentication and authorization using Glassfish Server.
Also let me know how to maintain the session after authentication in JSF.You really expect people to answer more than "read the manual" ?
You don't have a problem, you can solve this yourself. Go do it and come back when you have an actual problem that you cannot solve yourself. -
Hi
This is the situation:
I have implemented a form-based authentication against a Directory Service (OpenDS), inside the funcionality of the application i can change the password of the username, using the JNDI API:
DirContext contexto = obtenerContextoDirectorio();
ModificationItem[] modificacion = new ModificationItem[1];
modificacion[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
new BasicAttribute("userPassword"));
contexto.modifyAttributes("uid=" + nombreUsuario, modificacion);
modificacion[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
new BasicAttribute("userPassword", secretField1.getValue().toString()));
contexto.modifyAttributes("uid=" + nombreUsuario, modificacion);In any page of the application i can logout using the next instructions:
ExternalContext ectx =
FacesContext.getCurrentInstance().getExternalContext();
HttpServletResponse response =
(HttpServletResponse)ectx.getResponse();
HttpSession session = (HttpSession)ectx.getSession(false);
session.invalidate();
FacesContext.getCurrentInstance().responseComplete();
response.sendRedirect("MenuAdministrador.jsp");Ok, now this is the situation:I Login with the following credentials:
username: jperez
password: otro
Then inside de application i change the password of jperez to "algo", changing the entry in the LDAP directory service. Then I logout.
the problem is that then i can login with two password
username: jperez
pasword: otro
Or
username: jperez
password: algo
I have to redeploy de .ear in the application server to then just login with username: jperez
password: algo
Thanks for you answers...
Edited by: oashton30 on Oct 27, 2007 7:22 PMThank you very much sir.
Well, that article seems very much complex to be honest, I am not familiar with JAAS, and some other technologies described there, I have to stick to JSF only in my case.
If it's not much asking I just would like to know, If there's a way to retrieve the user and the password directly from the table, AFTER I have created an appropiate connection to the selected database which contains the USERS table.
Once I have done that, Which Objects would be neccesary to create? and what code do I need to put in the backing bean to authenticate from the Database the values in the Input Text corresponding to the user and password? -
How to Create User ,Group ,Role in Jsf and Give differ authentication to e
Hi i am working in java server faces .
i trying to create roles ,user with different abilities .
Like one is normal user, admin , they have different abilities,
i need that abilities on bases of module,form,field like Drupal like CMS they provide.
So how to do that think in JSF plz helpYou can use one of the various ways Java EE provides you, e.g. container managed authentication.
It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/]. -
Authorization and Authentication using filters in jsf aplication
Hello,
I need some valuable suggestions to develop a jsf application for users to login where they be Authenticated and Authorized to go to other applications using filters . I am using websphere application server 6.0.
and need to share sesion data across application.
Please let me know some existing application or example to look into.
Thanks in advance. :)javafullinto wrote:
All the requests that are to a particlar folder must be authenticated and once authenticated they must be logged in until they logout or close the browser.
How can I do this using filters.Just check if the user is logged in and handle accordingly. If the user is not logged in, then redirect the request to the login page or so. If the user is logged in, then continue with request.
Pseudo:doFilter() {
if (user is not logged in) {
redirect to login page;
} else {
proceed with request;
}And map this filter on an url-pattern covering the secured pages. Fairly simple. -
Authentication / authorization in jsf
hi all!
how can I perform a authentication/authorization system in jsf?
Last time i've checked the user form and created a userBean in session scope,if the user is valid.
how can I check if the user is logged and witch page he try to retrieve,for every url?
do you know of any on line resources on this?
thanks a lot
Lucahi all!
how can I perform a authentication/authorization system in jsf?
Last time i've checked the user form and created a userBean in session scope,if the user is valid.
how can I check if the user is logged and witch page he try to retrieve,for every url?
do you know of any on line resources on this?
thanks a lot
Luca
Maybe you are looking for
-
Supplier Item Catalog - search screen query ~ tends to take 10 - 12 secs
I wanted to find out if any customer(s) out there has ever encountered this performance issue in the Supplier Item Catalog search screen. We setup an item catalog category using the supplier item but when we attempt to query on the item/supplier sear
-
hi all, any one have step by step procedure to send IDoc to External System[outbound EDI process] using EDI. how will do configuration for EDI .it is same as ALE or some thing different.If it is different then what are the T-codes for configur
-
Hyperion analyzer 7.2.5 report export
Hi I am tryinig to export a report in to excel and text file When I am trying to export to text I am getting the html code, how to export the report (not the code) to text file, do I need to do any configuration for this. Coming to excel, I gone thro
-
Hello guys, i want to check inactive Group mailboxes under an Exchange 2010 environment, because i have a auditory going on and i need to know which mailboxes are being used and which are not. Is there any way i can check the Exchange activity in ord
-
Tranx: VL10F is there any other alternate with Screen
Dear SAP Gurus.... I am creating a program for PO and Scheduling. But i could not record the transaction for VL10F as when it goes to the next screen where line items are displayed, it is displayed in List and recording does not take place. Is there