Standard Authentication in JSF

Similar Messages

• "Deactivate password" for standard authentication

  Hi Guys,
  I'm trying to get more information about the "Deactivate password" option on SU01, but the only information I get says that it can be done when we are using an external authentication method like X.509.
  So, my question is :
  If I have an ABAP instance using standard authentication method (without an external authentication method), is it a good practice to lock users and deactivate their passowrd to increase the security? Does it make sense?
  Thanks in advance,
  Itamar

  Thank you Tim, for your prompt answer.
  With your comments I think it is a good practice to deactivate the password for locked users which will not have to access the system again.
  Regards,
  Itamar
  Edited by: Itamar S Marioto on Aug 9, 2011 7:42 PM

• Form based authentication in JSF

  Hi,
  I am using form based authentication in JSF .
  I am not able to display the JSF page.
  I have this security constraint in my web.xml
  <security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
  <url-pattern>/jsp/WorkingZone.jsp</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>manager</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
  <form-login-page>/Login/login.jsp</form-login-page>
  <form-error-page>/Login/error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  WorkingZone.jsp is a jsp page with JSF components.Which can only be invoked with faces context.
  I am using JDBCRealm
  For the valid user I am getting this error------>
  HTTP Status 400 - Invalid direct reference to form login page
  type Status report
  message Invalid direct reference to form login page
  description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
  Please give me the solution.How can I access my jsf page.

  Thank you.
  Marcos
  Hi,
  It should help you:
  http://searchsoftwarequality.techtarget.com/searchAppS
  ecurity/downloads/JSF_ch15.pdf
  Message was edited by:
  syllepsa

• Form-based authentication and JSF

  I am trying to use a form-based authentication in Tomcat 6, and from what I understand the page that contains the login form can not be a JSF page.
  The problem I'm having with this is that I need the client's username and password accessible from my backing bean, but I don't know how to put them there from a standard JSP.
  Before all this, I had a simple login form with username/password fields that were bound to a bean, and a button that executed a bean method that would perform the login procedure, retrieve the client's data from the DB and create a Client object in the session to be accessible throughout the application. Now, I need to use container managed access control with form-based authentication, and I know how to set it up but don't know how to create the Client object if the container does all the authentication and I never even get a hold of a username/password combination let alone the rest of the client's data.
  Any advice on this would be greatly appreciated.

  alf.redo wrote:
  ...following article: [j2ee_security_a_jsf_based_login_form|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form]
  This is exactly the solution I am planning to use. It is good to know there are others who have decided to go that way.
  Thanks

• Authentication in JSF 2.0

  I could use some advise... I've been trying to implement authentication in a JSF 2.0 web application and I've not been completely successful. I'm using NetBeans 6.8 and GlassFish v3. Here is what I would like:
  1) Use container managed security with a JDBC realm. Users who register via the web app will end up as users in the table that is used to authenticate access to the web app
  2) I want to use role-base authorization that I can specify in my web.xml file as [described in the JEE 6 tutorial.|http://java.sun.com/javaee/6/docs/tutorial/doc/bnbxj.html#bnbxu]. Thus, I'd like to secure JSF pages as well as managed bean actions.
  3) My web app uses EJB's that are secured using the [EJB annotations as described in the JEE 6 tutorial|http://java.sun.com/javaee/6/docs/tutorial/doc/bnbyl.html#gjgcq]. My understanding is that the credentials from the web app are propagated to the EJB's, so I should not need to do anything, other than catch exceptions whenever the EJB is being accessed by an unauthorized role.
  4) Ideally, I'd like to use a JSF form to request username/password from a user. I know the JSF form cannot directly post the information to the container's security mechanism (i.e. j_security_check action). While I've found some ways to do it, none are really satisfactory, so I've had to just use a plain HTML form.
  5) I could do it [authentication programmatically as explained in the JEE 6 tutorial|http://java.sun.com/javaee/6/docs/tutorial/doc/gjiie.html]. Unfortunately, the tutorial shows how to do this from a Servlet and not from JSF. In particular, I could invoke the HttpServletRequest#login method, but its result does not enter a session and thus I cannot continue to use container managed authorization past the request. If I use HttpServletRequest#authenticate, then this will force the container to present the login form I specify in web.xml and the credentials will be in the session.
  6) FYI, I've tried to implement an authentication a Filter but the URL requests that come from a JSF 2.0 app just do not correspond to what I'm looking for in the filter. That is, if I have a directory named secured where I keep JSF pages to be accessed only by authenticated users, I set up a Filter to look for these requests and it does not behave as expected (or at least the way it behaves when I use it with JSP)
  I hope someone here can help me find the resources so I can implement this. I've Googled many times and most of what I'm finding is incomplete. I'd greatly appreciate anyone's help and guidance in this. FYI... some students are counting on me to deliver a solution to this! I did not think it would be difficult, but it has turned out to be that way.
  Thanks for reading this far!
  Alvaro

  Hello Ed. I have your JSF 2.0 book now. I download and tried the authentication example that you have on chapter 14. Unfortunately, authorization is not working as I would expect it. Here are the specifics:
  1) I'm running it on GlassFish v3
  2) According to the web.xml, you create two security constraints. One on /trainer/*** requests to be accessed only by users with role of trainer. Another on the /user/*** requests to be accessed only by users with role of user
  3) Whenever I try this app, I can access that pages without ever being authenticated (i.e. without logging in). I can access them by entering the URL's, say: http://localhost:8080/formBasedLogin/faces/user/userPage.xhtml
  This is the problem I've been having whenever I try to do authorization. For some reason, either the URL is not matching the pattern specified or it gets rewritten by JSF 2.0 in some way?
  Update: I'll leave the above comments, but I was able to get your example working by changing the URL patterns to: /faces/user/*** and /faces/trainer/*** Is this an error in the sample code or should the pattern you provide still work?
  Update 2: It seems that I've now figured out that there is a difference on whether I use an outputLink or a commandLink. I need to read more about this. In any case, the URL patterns do match requests that are specified as an outputLink, but not when they are specified by a commandLink -- in this case, JSF uses JavaScript to make the request to some resource which does not match the pattern. It looks like I was just using commandLink before whereas I should have been using outputLink.

• Using j_security_check container authentication with JSF

  Hi All,
  After quite a bit of looking around, we resorted to using a plain login JSP page with a ServletFilter on j_security_check to have container managed authentication in our JSF based web-site using IBM Websphere 5.1
  So, basically every other page but the login page is JSF and just the login page is simple JSP with j_username & j_password.
  Recently, I started looking in the direction of trying to directly/programmatically invoke j_security_check using URLConnection object. There are various discussions on this on google groups:
  1. http://groups-beta.google.com/group/comp.lang.java.programmer/browse_thread/thread/1a2768da559e43ae/243982a33f02ab80?q=URLConnection%20j_security_check&_done=/groups?q=URLConnection%20j_security_check&hl=en&lr=&sa=N&tab=wg&&_doneTitle=Back%20to%20Search&d=&
  2. http://groups-beta.google.com/group/weblogic.developer.interest.security/browse_thread/thread/a375370efec24566/b81dc8320bcbc304?q=URLConnection+j_security_check&_done=%2Fgroups%3Fq%3DURLConnection+j_security_check%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#b81dc8320bcbc304
  My current code snippet is as follows:     public String submit(){
            String retVal = "";
            String j_username = getUserId().getValue().toString();
            String j_password = getPassword().getValue().toString();
            ExternalContext externalContext = getFacesContext().getExternalContext();
            String jsessionid = ((HttpSession)externalContext.getSession(false)).getId();          
            // Only if sanity checks and validations on j_username & j_password pass, proceed further.
            ApplicationParameter.getLogger().debug("Current jsessionid=" + jsessionid);
            ApplicationParameter.getLogger().debug("submitting login details (userId: " + j_username + " & password: " + j_password + ") to /j_security_check ...");
            try {
                 URL jSecurityCheckURL = new URL("http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password" + j_password);
                 HttpURLConnection jSecurityCheckURLConnection = (HttpURLConnection)jSecurityCheckURL.openConnection();
                 jSecurityCheckURLConnection.setRequestMethod("POST");
                 jSecurityCheckURLConnection.setInstanceFollowRedirects(false);
  //               jSecurityCheckURLConnection.addRequestProperty("j_username", j_username);
  //               jSecurityCheckURLConnection.addRequestProperty("j_password", j_password);
  //               jSecurityCheckURLConnection.setRequestProperty("j_username", j_username);
  //               jSecurityCheckURLConnection.setRequestProperty("j_password", j_password);
                 jSecurityCheckURLConnection.connect();
                 ApplicationParameter.getLogger().debug("j_security_check returned: " + jSecurityCheckURLConnection.getResponseCode() + ": " + jSecurityCheckURLConnection.getResponseCode());
                 if (null != externalContext) {
                      String remoteUser = externalContext.getRemoteUser();
                      ApplicationParameter.getLogger().debug("Authenticated username: " + remoteUser);
                      HttpServletRequest httpServletRequest = (HttpServletRequest)externalContext.getRequest();
                      Principal principal = httpServletRequest.getUserPrincipal();
                      if (null != principal) {
                           String userName = principal.getName();
                           ApplicationParameter.getLogger().debug("Authenticated username: " + userName);
                 } else {
                      ApplicationParameter.getLogger().debug("Unable to obtain Faces ExternalContext and hence the remote user details.");
            } catch (MalformedURLException ex) {
                 ApplicationParameter.getLogger().error(ex);
                 retVal = "";
            } catch (IOException ex) {
                 ApplicationParameter.getLogger().error(ex);
                 retVal = "";
            return retVal;
  The above code yields the following output:[DEBUG]: (Newlogin.submit:81) - Current jsessionid=H1QMk3TuyW_W8nSPnOtW-xi
  [DEBUG]: (Newlogin.submit:82) - submitting login details (userId: skhanna & password: password) to /j_security_check ...
  [DEBUG]: (Newlogin.submit:93) - j_security_check returned: 302: 302
  [DEBUG]: (Newlogin.submit:97) - Authenticated username: null
  Anyone have any idea why j_security_check returns 302 and also the authenticated username seems to be null indicating that the authentication did not go through!
  -Sandeep Khanna

  Can you help me!
  I try this for two days....
  Tomcat 5.0.27
  I get this:
  Current jsessionid=00F61ABF316F9A1676A41A1EA05177B2
  Submitting login details (userId: admin & password: admin) to /j_security_check!
  java.net.ConnectException: Connection refused: connect
  I have this code in backing bean:
  import java.net.HttpURLConnection;
  import java.net.MalformedURLException;
  import java.net.URL;
  import java.security.Principal;
  import javax.faces.context.ExternalContext;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpSession;
  public String commandButton_action()
  String retVal = "";
  String j_username = inputText1.getValue().toString();
  String j_password = this.inputSecret1.getValue().toString();
  URL jSecurityCheckURL = null;
  HttpURLConnection jSecurityCheckURLConnection = null;
  ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
  String jsessionid = ((HttpSession)externalContext.getSession(false)).getId();
  System.out.println("Current jsessionid=" + jsessionid);
  System.out.println("Submitting login details (userId: " + j_username + " & password: " + j_password + ") to /j_security_check!");
  try {
  jSecurityCheckURL = new URL("http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password=" + j_password);
  jSecurityCheckURLConnection = (HttpURLConnection)jSecurityCheckURL.openConnection();
  jSecurityCheckURLConnection.setRequestMethod("POST");
  jSecurityCheckURLConnection.setInstanceFollowRedirects(false);
  jSecurityCheckURLConnection.connect();
  System.out.println("j_security_check returned: " + jSecurityCheckURLConnection.getResponseCode());
  //System.out.println("Current jsessionid=" + jsessionid);
  if (null != externalContext) {
  String remoteUser = externalContext.getRemoteUser();
  System.out.println("Authenticated username: " + remoteUser);
  HttpServletRequest httpServletRequest = (HttpServletRequest)externalContext.getRequest();
  Principal principal = httpServletRequest.getUserPrincipal();
  if (null != principal) {
  String userName = principal.getName();
  System.out.println("Authenticated username: " + userName);
  } else {
  System.out.println("Unable to obtain Faces ExternalContext and hence the remote user details.");
  catch (MalformedURLException ex) {
  System.out.println(ex);
  jSecurityCheckURL = null;
  jSecurityCheckURLConnection = null;
  retVal = "";
  catch (IOException ex) {
  System.out.println(ex);
  jSecurityCheckURL = null;
  jSecurityCheckURLConnection = null;
  retVal = "";
  return retVal;
  I try all this URL:
  http://localhost:8080/jSecurityCheck/j_security_check?jsessionid=" + jsessionid + "&j_username=" + j_username + "&j_password=" + j_password
  http://localhost:9080/raweb/j_security_check;jsessionid=0000" + jsessionid + ":-1&j_username=" + j_username + "&j_password=" + j_password
  TWO DAYS ..... H E L P M E !!!

• Dynamic User Authentication in JSF, ADF BC Application

  I have developed a JSF, ADF BC Application using JDeveloper 10.1.3.3. My application consists of jspx pages and I also have to integrate some existing oracle forms with it using OraFormsFaces library.
  I have successfully used custom DBProcLogin Module by Frank to authenticate the users with the help of a stored procedure and user credentials stored in database tables.
  During integrating Oracle Forms I realised that some of these oracle forms use get_application_property(username) to retreive connected user information. All of the users which are stored in database tables are also oracle users with the same credentials as stored in database tables. The existing oracle forms based application was connecting to Oracle every time with different provided user credentials each time and therefore returning correct (required) user name information.
  Now since I have used DBProcLogin Module in new ADF application, when I run it, user is successfully authenticated but get_application_property(username) in the existing oracle forms returns the user name that application module is using to connect with the database. To make it work correctly, I want my ADF application to connect to oracle database with different user each time.
  I have searched and seen topics such as, Dynamic JDBC Credentials, Database Proxy Users etc. But I am confused with the width and depth of this much information available. Therefore, I thought I may get some advice from the experts present in the forum that which of the techniques will go best with my application.
  Keeping in view the scenario that I have provided, can someone please guide me to the best suitable technique and the related information/documentation?
  Thanks in advance,
  Amir

  Hi,
  the whitepaper you reference is written by the expert on this subject. Samples are posted by the same author: http://radio.weblogs.com/0118231/stories/2004/09/23/notYetDocumentedAdfSampleApplications.html
  Note that what you try to do will create a dedicated connection for Forms and ADF, which means that 100 users will have 200 database connections open.
  Frank

• Is there a standard way to plug in custom authentication code

  Is there a standard way to plug in use my own custom authentication code using forms authentication when I am using servlets/jsp for my website. I read the spec and found that the spec requires servlet containers to support forms authentication, but, the process seems to be transparent to the developer. This restricts me to store user information in the format imposed by the container provider. I cannot use, MS Active directory for example, to store user attributes and use it for forms authentication. Also, I could not find any standard way in which HttpServletRequest.getRemoteUser() works. Shouldn't there be a set of interfaces abstracting authentication process, which developers can implement for customized authentication mechanisms.
  Thanks
  Nikhil.

  Greetings,
  Is there a standard way to plug in use my own custom authentication code using formsNo. There are standard "authentication mechanisms" but that's not quite the same thing. Like most things in J2EE, the "what" of things are specified but the "how" them are left to the vendor. Consult your vendor docs.
  authentication when I am using servlets/jsp for my website. I read the spec and found that the spec
  requires servlet containers to support forms authentication, but, the process seems to be transparent
  to the developer. This restricts meFor the most part, "forms" authentication is transparent to the developer - at least, with respect to directly responding to and handling the request. The developer, however, does have some significant work to do with regard to the form itself and any associated error "pages". The point of the "standard authentication schemes", however, is to delegate the work of actual authentication processing to the container and, thereby, make it transparent to the developer (one of the many "application services" provided by the application server ;).
  to store user information in the format imposed by the container provider. I cannot use, MS Active
  directory for example, to store user attributes and use it for forms authentication. Also, I could notAgain read your vendor docs on how to "plug in" your own authentication handler(s). Most support it in some fashion which typically involves implementing some interface(s) and/or abstract class(es). Many also support it through their own "standard" component handlers, like an EJB invoker, where the invoked component is expected to function in a pre-determined way.
  Of course, there's nothing in the specification that says authentication must be handled by the container (only that it must be supported)! You're free to implement a login mechanism through your own proprietary JSP page and/or servlet (and/or EJB), and bypass the container entirely. ;)
  find any standard way in which HttpServletRequest.getRemoteUser() works.Regardless of the standard authentication scheme used (i.e. handled by the container), the user's authenticated login ID is returned by the method. Unfortunately, this means the method is useless if your own "authentication system" is used in lieu of the container - but, of course, in such a case the method should also be un-needed. ;)
  Shouldn't there be a set of interfaces abstracting authentication process, which developers can
  implement for customized authentication mechanisms.It's a matter of debate.
  Thanks
  Nikhil.Regards,
  Tony "Vee Schade" Cook

• Authorization with JAAS in JSF with facelets

  hi,
  can u please hint me where i did mistake.. i clearly mention what i did and what i getting ..i did this in jsf1.2,tomcat6.x
  i did JAAS authentication in jsf with facelets.but i am unable to do the authorization with JAAS in jsf
  after getting authentication i put the subject in session. if i print the values in suject i got the following out put
  Subject:
  Principal: TypedPrincipal: hari [USER] // user name
  Principal: TypedPrincipal: admin [GROUP] // user role.
  now i want to authorization based on the role.
  for this i wrote policy file --principal.policy like this
  grant Principal com.alw.reports.jaas.TypedPrincipal "admin" {
      permission com.alw.reports.jaas.ViewIdPermission "*";
  grant Principal com.alw.reports.jaas.TypedPrincipal "hari" {
      permission com.alw.reports.jaas.ViewIdPermission "*";
  grant Principal com.alw.reports.jaas.TypedPrincipal "user" {
      permission com.alw.reports.jaas.ViewIdPermission "/contents.jsp";
  };and i set the path for this policy file like
                System.setProperty("java.security.policy", "policy file location" );when i run my application i am getting login page after that i gave username and passwed. it is getting authentication .. but not able to displaying next page that is /pages/welcome.xhtml but directly it is showin /pages/error.xhtml
  i am getting following error
  java.security.AccessControlException: access denied (com.alw.reports.jaas.ViewIdPermission /pages/welcome.xhtml)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at com.alw.reports.jaas.JAASHelper$1.run(JAASHelper.java:87)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
       at com.alw.reports.jaas.JAASHelper.permitionToAccessViewId(JAASHelper.java:83)
       at com.alw.reports.jaas.JAASActionListener.processAction(JAASActionListener.java:65)
       at javax.faces.component.UICommand.broadcast(UICommand.java:106)
       at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
       at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
       at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
       at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:316)
       at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:106)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
       at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Unknown Source)
  my faces-config.xml
  <navigation-rule>
            <display-name>pages/login</display-name>
            <from-view-id>/pages/login.xhtml</from-view-id>
            <navigation-case>
                 <from-outcome>loginSuccess</from-outcome>
                 <to-view-id>/pages/welcome.xhtml</to-view-id>
            </navigation-case>
       </navigation-rule>
  <navigation-case>
                 <from-outcome>errorpage</from-outcome>
                 <to-view-id>
                      /pages/error.xhtml
                 </to-view-id>
            </navigation-case>my command button in login.xhtml
                           <td align="center" colspan="2">
                                <h:commandButton value="Reset" type="reset"/>
                                <h:commandButton   action="loginSuccess"
                                     id="login" value="Login" />
                           </td>my actionlister
  package com.alw.reports.jaas;
  import javax.faces.component.UIOutput;
  import javax.faces.context.FacesContext;
  import javax.faces.event.AbortProcessingException;
  import javax.faces.event.ActionEvent;
  import javax.faces.event.ActionListener;
  import javax.security.auth.Subject;
  public class JAASActionListener implements ActionListener   {
       private ActionListener parent = null;
       public JAASActionListener(javax.faces.event.ActionListener parent) {
            System.out.println("-------------- in JAASActionListener ;");
         this.parent = parent;
       public void processAction(ActionEvent event)
         throws AbortProcessingException {
            System.out.println("-------------- in processAction ;");
         FacesContext context = FacesContext.getCurrentInstance();
         UIOutput comp = null;
         String userid = null, password = null;
         JAASHelper jaasHelper = new JAASHelper();
         // Check to see if they are on the login page.
         boolean onLoginPage = (-1 != context.getViewRoot().getViewId().lastIndexOf("login")) ? true : false;
         if (onLoginPage) {
           if (null != (comp = (UIOutput)
             context.getViewRoot().findComponent("helloForm:username"))) {
             userid = (String) comp.getValue();
           if (null != (comp = (UIOutput)
             context.getViewRoot().findComponent("helloForm:password"))) {
             password = (String) comp.getValue();
           // If JAAS authentication failed
           if (!jaasHelper.authenticate(userid, password)) {
             context.getApplication().getNavigationHandler().handleNavigation(context, null, "login");
             return;
           else {
             // Subject must not be null, since authentication succeeded
                System.out.println("----------- setting the subjects in context in  ActionListner ");
             assert(null != jaasHelper.getSubject());
             // Put the authenticated subject in the session.
             System.out.println("---- putting the authenicated subject in the seesion ");
             context.getExternalContext().getSessionMap().put("JAASSubject",jaasHelper.getSubject());
         parent.processAction(event);
         Subject subject=(Subject)context.getExternalContext().getSessionMap().get("JAASSubject");
        System.out.println("subject after parent process action>>>>>>>>>>>>>>>>>>>>>"+subject);
        assert(null != subject);
        if(!jaasHelper.permitionToAccessViewId(subject,context,context.getViewRoot().getViewId())){
            context.getApplication().getNavigationHandler().handleNavigation(context, null, "errorpage");
  }can u please hint me where i did mistake
  thanks in advance

  gbabu wrote:
  My doubt is based on that subject , how to write policy file and how to call doAsPrivileged() mehod on that Subject in order to navigate web pages.how to provide web pages permission for particular role in policy file..
  For example i have three pages login.xhtml,user.xhtml,admin.xhtml.
  1> if the logged in person is admin, then we want to display admin.xhtml
  2> if the loggend is person is user , then we want to display user.xhtml
  untill now i did and found who is logged in and what are his type( admin or user) .now i want configure the web.xml and faces-config.xml based on policy fileTo the best of my knowledge, there is nothing in the standard NavigationHandler which accounts for JAAS security. If you wanted, you could create a custom NavigationHandler to do this. If you think the idea is worthy enough, you could issue an enhancement request to the specification ([https://javaserverfaces-spec-public.dev.java.net/]).

• How do I protect my JNLP, my JARs etc. (with Basic Authentication)???

  hi all,
  i know that there is a FAQ ( [see here|http://lopica.sourceforge.net/faq.html#obfuscate] ) answering a related question with "You can use an obfuscator...". ok, but is there really no other solution?
  this is the simplified folder structure of my application on the server:
  [application]
    [etc]
      xyz.xml
    [jars]
      myapp.jar
    launch.jnlp
  website.jsp
  initial start and basic authentication:*
  my first idea was to secure everything underneath "application" with basic authentication via my web.xml (yes, i'm aware of the security concerns). this means everybody can access my website (here: website.jsp) which contains a start button that links to "launch.jnlp". as soon as the user clicks on it, the browser opens its standard authentication dialog since launch.jsp is in a protected area. after entering the correct credentials the jnlp-file is downloaded and java web start takes over control. first of all it seems as it tries to access the same jnlp-file again (??? --> probably in order to check for changes in the jnlp file --> this is certainly not the case for the initial startup) and then wants to download the relevant jar (myapp.jar). because both resources are protected jws opens its own basic authentication dialog where i have to enter the same credentials the second time. as far as i know, there is no solution to pass the credentials between the browser and the jvm.
  second start and basic authentication:*
  if the user starts my application for the 2nd, 3rd, ... time via desktop-link (set in jnlp-file) there is no need for accessing my website with a browser. therefore only the authentication dialog of jws gets displayed. so far, so good!
  and now the actual problem:*
  during runtime my application (signed with verisign certificate and having all permissions) uses commons-vfs and commons-httpclient to access resources on the same server (e.g. etc/xyz.xml). since they're underneath the protected "application" directory as well, my application needs the same credentials the user already entered in the authentication dialog of jws. now i could retrieve these credentials by calling Authenticator.requestPasswordAuthentication() within my application and passing them to vfs and httpclient. however, doing so opens up jws' authentication dialog again. grrr!!! is there a way to prevent this?
  related thougts:*
  i know i could disable jws' default Authenticatior and set my own Authenticator which might be able to return already entered credentials without opening the dialog a second time. however, it seems that even with <property name="javaws.cfg.jauthenticator" value="none" /> jws still opens its own dialog when acessing the JNLP file and the relevant JARs during the startup/download phase. of course, who else if not jws could handle that phase? my application might not even be downloaded at this point. so i guess setting my own Authenticator would not be a solution either (at least not if i want to secure my jnlp and my jars, too). quite the contrary, it would have to open another dialog... :-(
  my current solution:*
  for the moment i use jws' default Authenticatior which allows me to easily protect all my stuff on the server side (jnlp, jar, etc). i can live with the two login dialogs at the initial startup. and instead of querying the credentials from jws' default Authenticatior at runtime, i set two system properties for username and password in the (protected) jnlp-file, query them at runtime and hand it to vfs and httpclient. this prevents the 2nd (or 3rd) dialog but is definitely not a great solution. most of all i'm not happy with the fact that this somehow "destroys" the container-based security advantage of easily configuring authorized users via a separate mechanism e.g. tomcat-users.xml. now there has to be one master-password that has to be set in the jnlp-file! grrr!
  a possible alternative:*
  i'm not sure but would it be better to secure everything with form-based authentication on the website, and dynamically generate username and password into the jnlp-file? but what happens when the admin changes the password on the server and the user starts its application via desktop-link??? in case of basic authentication i think jws would popup the login dialog again. however, if i use the old username and password generated into the jnlp it won't work. i think the user then has to access the website again. this is not good at all! :-(
  the only real solution:*
  should i write a small application which can be downloaded by everybody and on startup queries the user's credentials, validates them with the help of our server, and uses the javax.jnlp-api to download the secured JARs of my real application? this seems so much overkill! does anybody have experiences with this approach? how difficult is it to implement the whole download/update stuff with javax.jnlp?
  WHAT HAVE I MISSED???
  AM I COMPLETELY WRONG???
  WHAT IS THE EASIEST WAY???
  AND WHAT IS THE BEST WAY???
  thank you so much,
  stephan

  Not sure, whether I understood correctly, what you wanna do - but up to now I can't see any problem.
  if you have a structure like this:
  /ctxroot/
         launch.jnlp
         /app/
             *.jar
             *.whateveryou may use in your web.xml:
       <servlet>
            <servlet-name>JnlpDownloadServlet</servlet-name>
            <servlet-class>jnlp.sample.servlet.JnlpDownloadServlet</servlet-class>
       </servlet>
       <servlet-mapping>
            <servlet-name>JnlpDownloadServlet</servlet-name>
            <url-pattern>*.jnlp</url-pattern>
            <url-pattern>/app/*</url-pattern>
       </servlet-mapping>
       <security-constraint>
            <web-resource-collection>
                 <web-resource-name>Application</web-resource-name>
                 <url-pattern>/app/*</url-pattern>
                 <http-method>GET</http-method>
                 <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                 <role-name>bla</role-name>
                 <role-name>fahsel</role-name>
            </auth-constraint>
            <user-data-constraint>
                 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
       </security-constraint>
       <security-constraint>
            <web-resource-collection>
                 <web-resource-name>Subscription</web-resource-name>
                 <url-pattern>*.jnlp</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
                 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
       </security-constraint>
       <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>whatever-realm</realm-name>
       </login-config>
       <security-role><role-name>bla</role-name></security-role>
       <security-role><role-name>fahsel</role-name></security-role>
  ...Than you may use the Service stuff like:
       BasicService bs = (BasicService)ServiceManager.lookup("javax.jnlp.BasicService");
       URL codeBase = bs.getCodeBase();
       URL pu = new URL(codeBase.toString() + "whatever.bla");
       HttpURLConnection res = (HttpURLConnection) pu.openConnection();
       res.setInstanceFollowRedirects(true);
       res.setRequestMethod("GET");
       res.setConnectTimeout(10 * 60 * 1000);
       res.connect();
       String enc = res.getContentType();
  ...Where is the problem? If you wanna intercept certain "calls" to an app resource, just use a filter, which decides, whether to answer the request directly by itself or to pass it to the JnlpDownloadServlet ...

• [JSF 2.0] and HTML 5? How things are planned?

  Hello,
  How far is JSF 2.0 from handling HTML 5?
  Of course, it surely can't handle it today, but maybe next year some of us will find the need of starting their new web site with this new HTML version.
  How is it planned? Will HTML 5 be a standard feature of JSF 2 (or JSF 3?) or will it require the download of a special project: an additional component having its own lifecycle?
  How things are roughly planned?
  Regards,
  Grunt.

  I predict it will be implemented as a new component library by someone, but on the server side it will probably retain the same Faces servlet (i.e. same lifecycle) making extensive use of the AJAX capabilities. What will be interesting to see is if any new server side interfaces intended to be implemented by UIComponents will show up and what they would look like.
  Of course one thing very nice to have is automatic detection and backwards compatibility with non HTML-5 browsers. I predict also that will be there but not work very well.

• Weblogic Portal 10.3.5 using JSF 1.2 portlets with ADF faces

  We are developing Portal site using Weblogic Portal 10.3.5 with JSF portlet 1.2 and ADF faces (ADF Application runtime 11.1.1.5 ). But the JSF portlets not supporting ADF faces. Please let me know how we use ADF faces in JSF portlet 1.2 in Weblogic Portal.

  Hi Murthy,
  We did a detailed analysis.
  (1) How do we add ADF taskflows, JSF in to weblogic portal desktop/pages? Do we create portlet out of JSF, and display on desktop/page? If this is the case, what about ADf task flows?
  --> Taskflows can be deployed as WSRP2.0 portlets. Note 2 options are there JSF page as portlet or taskflow itself as portlets.
  (2) How do we integrate weblogic user profiles and UUP (unified user profiles) with ADF and JSF?
  --> ADF Security can use Weblogic Server realm as the security provider. Entitlements in WLP will have to be provided based on Weblogic Server roles. In case you are using external LDAP then both can be integrated withe external LDAP
  (3) Can anybody shed some light which this better?
  (a) weblogic portal with JPF (Java page flows), NetUI --Legacy approach
  Pros:
  -Easy Development
  -Well tested integrated
  Cons:
  -Future support
  -Enhancements may not be available
  -Not really portable or standards based
  (b) weblogic portal with ADF, JSF?
  Pros:
  -If your on Oracle stack then great
  -Standards based
  Cons:
  -JSF Portlet bridge issues
  -ADF Faces does not work on IE6!
  Well what we are going for is JSR 286, Trinidad components (Supports IE6), JSF.
  Difficult choice.
  Venkat

• ADF, JSF in Weblogic Portal 10.3.2

  Hi,
  We are designing new portal application on weblogic portal.
  Per Oracle recommendations, use ADF, JSF instead of using legacy JPF, NetUI (BEA technologies).
  If we use ADF, JSF; My questions are
  (1) How do we add ADF taskflows, JSF in to weblogic portal desktop/pages? Do we create portlet out of JSF, and display on desktop/page? If this is the case, what about ADf task flows?
  (2) How do we integrate weblogic user profiles and UUP (unified user profiles) with ADF and JSF?
  (3) Can anybody shed some light which this better?
  (a) weblogic portal with JPF (Java page flows), NetUI --Legacy approach
  or (b) weblogic portal with ADF, JSF?
  Thanks,
  Murthy

  Hi Murthy,
  We did a detailed analysis.
  (1) How do we add ADF taskflows, JSF in to weblogic portal desktop/pages? Do we create portlet out of JSF, and display on desktop/page? If this is the case, what about ADf task flows?
  --> Taskflows can be deployed as WSRP2.0 portlets. Note 2 options are there JSF page as portlet or taskflow itself as portlets.
  (2) How do we integrate weblogic user profiles and UUP (unified user profiles) with ADF and JSF?
  --> ADF Security can use Weblogic Server realm as the security provider. Entitlements in WLP will have to be provided based on Weblogic Server roles. In case you are using external LDAP then both can be integrated withe external LDAP
  (3) Can anybody shed some light which this better?
  (a) weblogic portal with JPF (Java page flows), NetUI --Legacy approach
  Pros:
  -Easy Development
  -Well tested integrated
  Cons:
  -Future support
  -Enhancements may not be available
  -Not really portable or standards based
  (b) weblogic portal with ADF, JSF?
  Pros:
  -If your on Oracle stack then great
  -Standards based
  Cons:
  -JSF Portlet bridge issues
  -ADF Faces does not work on IE6!
  Well what we are going for is JSR 286, Trinidad components (Supports IE6), JSF.
  Difficult choice.
  Venkat

• Authentication Web Services for Java applications

  Hi All,
  We are building Java based SAP applications for mobile devices such as Blackberry, iPhone etc. The applications are browser based (thin client) to be deployed on SAP Netweaver WAS and would interface with SAP backends such as SAP ECC, SAP BW using SAP Web Services (converted from BAPIs).
  For certain reasons we do not want to use Mobile Webdynpro Java using JCO/BAPIs as we would be using a Java based middleware which is built in-house for rendering on multiple devices and it does not go well with Mobile Webdynpro with Java. We are NOT using SAP Enterprise Portal as well.
  What I would like to know is are there any standard Authentication Web Services that can be used to authenticate the user, when he tries to login to the application through the mobile browser. Also does SAP Netweaver WAS provide authentication mechanism for a Java based web application by default.
  Any pointers would be appreciated and thanks in advance for the same.
  Suresh

  Hi All,
  We are building Java based SAP applications for mobile devices such as Blackberry, iPhone etc. The applications are browser based (thin client) to be deployed on SAP Netweaver WAS and would interface with SAP backends such as SAP ECC, SAP BW using SAP Web Services (converted from BAPIs).
  For certain reasons we do not want to use Mobile Webdynpro Java using JCO/BAPIs as we would be using a Java based middleware which is built in-house for rendering on multiple devices and it does not go well with Mobile Webdynpro with Java. We are NOT using SAP Enterprise Portal as well.
  What I would like to know is are there any standard Authentication Web Services that can be used to authenticate the user, when he tries to login to the application through the mobile browser. Also does SAP Netweaver WAS provide authentication mechanism for a Java based web application by default.
  Any pointers would be appreciated and thanks in advance for the same.
  Suresh

• JSF & Tomcat 5 session problems

  I am implemeting a web application using JSF and tomcat authentication. The problem is that tomcat is losing the session when I hit refresh on any of the pages which are marked as havign a security constraint.
  e.g. you go to index.html -> takes you to login.jsp (as you need to log in first), you log in successfuly and go to index.html, you hit refresh and get taken back to login.jsp.
  Any help would be much appreciated.
  If anyone has implementign an app using tomcat authentication and jsf, I would be grateful if they could tell me how they are managing to overcome this issue.

  I have a similar question, but not about session timeout, but managing the data within your session. In our previous homegrown JSP Model 2 Framework, we had various methods in place to cleanup the session for a page (essentially allowing you to cleanup the managed beans after you were done with a page). Due to constant activity, the sessions never timeout, but there is "dead" data in the session. How would you do this in JSF? For example, lets say you go through a wizard set of screens, where once complete, you don't want the managed beans to exist in the session anymore. Where would you tap into the JSF lifecycle to do this?
  Thanks in advance,
  Dave