Using container managed form-based security in JSF

h1. Using container managed, form-based security in a JSF web app.
A Practical Solution
h2. {color:#993300}*But first, some background on the problem*{color}
The Form components available in JSF will not let you specify the target action; everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all, meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2-year-old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principals*" that are defined to interact with your application. A security principal is basically just a user of the system that is defined by three fields:
- Username
- Group
- Password
The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
1. Start up your app server and log into the admin interface (http://localhost:4848)
2. Drill down into Configuration > Security > Realms.
3. Here you will see the default realms defined on the server. Drill down into the file realm.
4. There is no need to change any of the default settings. Click the Manage Users button.
5. Create a new user by entering username/password.
Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more useful in a real app.
I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
h2. {color:#993300}*Step 2: Create the project*{color}
Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
1. Start by creating a new Visual Web JSF project.
2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
1. login.jsp (A Visual Web JSF file)
2. loginproxy.jspx (A plain JSPX file)
3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
Code follows for each of the files:
h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
{code}
<navigation-rule>
    <from-view-id>/login.jsp</from-view-id>
    <navigation-case>
        <from-outcome>loginproxy</from-outcome>
        <to-view-id>/loginproxy.jspx</to-view-id>
    </navigation-case>
</navigation-rule>
{code}
NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
          xmlns:f="http://java.sun.com/jsf/core"
          xmlns:h="http://java.sun.com/jsf/html"
          xmlns:jsp="http://java.sun.com/JSP/Page"
          xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
    <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
    <f:view>
        <webuijsf:page id="page1">
            <webuijsf:html id="html1">
                <webuijsf:head id="head1">
                    <webuijsf:link id="link1" url="/resources/stylesheet.css"/>
                </webuijsf:head>
                <webuijsf:body id="body1" style="-rave-layout: grid">
                    <webuijsf:form id="form1">
                        <webuijsf:textField binding="#{login.username}" id="username"
                                            style="position: absolute; left: 216px; top: 96px"/>
                        <webuijsf:passwordField binding="#{login.password}" id="password"
                                                style="left: 216px; top: 144px; position: absolute"/>
                        <webuijsf:button actionExpression="#{login.button1_action}" id="button1"
                                         style="position: absolute; left: 216px; top: 216px" text="GO"/>
                    </webuijsf:form>
                </webuijsf:body>
            </webuijsf:html>
        </webuijsf:page>
    </f:view>
</jsp:root>
{code}
h3. *login.java -- implement the button1_action() method in the login.java backing bean*
{code}
    public String button1_action() {
        // Copy the submitted credentials into request scope, where loginproxy.jspx reads them.
        setValue("#{requestScope.username}", (String) username.getValue());
        setValue("#{requestScope.password}", (String) password.getValue());
        // Outcome matched by the navigation rule in faces-config.xml.
        return "loginproxy";
    }
{code}
h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0">
    <jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
                doctype-system="http://www.w3.org/TR/html4/loose.dtd"
                doctype-public="-//W3C//DTD HTML 4.01 Transitional//EN"/>
    <jsp:directive.page contentType="text/html" pageEncoding="UTF-8"/>
    <html>
        <head>
            <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
            <title>Logging in...</title>
        </head>
        <body onload="document.forms[0].submit()">
            <form action="j_security_check" method="POST">
                <input type="hidden" name="j_username" value="${requestScope.username}" />
                <input type="hidden" name="j_password" value="${requestScope.password}" />
            </form>
        </body>
    </html>
</jsp:root>
{code}
h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF target page, placed in the secure folder to test access*{color}
{code}
<?xml version="1.0" encoding="UTF-8"?>
<jsp:root version="2.1"
          xmlns:f="http://java.sun.com/jsf/core"
          xmlns:h="http://java.sun.com/jsf/html"
          xmlns:jsp="http://java.sun.com/JSP/Page"
          xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
    <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
    <f:view>
        <webuijsf:page id="page1">
            <webuijsf:html id="html1">
                <webuijsf:head id="head1">
                    <webuijsf:link id="link1" url="/resources/stylesheet.css"/>
                </webuijsf:head>
                <webuijsf:body id="body1" style="-rave-layout: grid">
                    <webuijsf:form id="form1">
                        <webuijsf:staticText id="staticText1"
                                             style="position: absolute; left: 168px; top: 144px"
                                             text="A Secure Page"/>
                    </webuijsf:form>
                </webuijsf:body>
            </webuijsf:html>
        </webuijsf:page>
    </f:view>
</jsp:root>
{code}
h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
This type of security is called +declarative+ because it is not configured programmatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already has the implementation to make everything work for you.
*web.xml will be used to define:*
- Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
- Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
- Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
*sun-web.xml will be used to define:*
- This is where you map a Role to the Users or Groups that are allowed to use it.
+I know this is confusing the first time, but basically it works like this:+
*Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
{code}
<security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>SecurePages</web-resource-name>
        <description/>
        <url-pattern>/faces/secure/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>User</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name/>
    <form-login-config>
        <form-login-page>/faces/login.jsp</form-login-page>
        <form-error-page>/faces/login.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description/>
    <role-name>User</role-name>
</security-role>
{code}
h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
{code}
<security-role-mapping>
    <role-name>User</role-name>
    <group-name>Users</group-name>
</security-role-mapping>
{code}
h3. {color:#ff6600}*Almost done!!!*{color}
h2. {color:#993300}*_Step 5: A couple of minor "Gotchas"_*{color}
h3. {color:#ff6600}*_Gotcha #1_*{color}
You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself.
h3. {color:#ff6600}*_Gotcha #2_*{color}
Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
*DONE!!!*
h2. {color:#993300}*_Here's how it works:_*{color}
1. The user requests a page from your context (http://localhost/MyLogin/)
2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
5. The user enters username and password and clicks a button to submit.
6. The button's action method stores away the username and password in the request scope.
7. The button returns the "loginproxy" navigation case, which tells the navigation handler to forward the request to loginproxy.jspx
8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
9. The hidden username and password fields grab the username and password variables from the request scope.
10. The loginproxy page is automatically submitted with the magic action "j_security_check"
11. j_security_check notifies the container that authentication needs to be intercepted and handled.
12. The container authenticates the user credentials.
13. If the credentials fail, the container forwards the request to the login.jsp page.
14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
+Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
+The user is now at the secure welcome page.+
If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
Kerry Randolph

If you want login security on your web app, this is one way to do it (the easiest way I have seen).
This method allows you to create a custom login form and error page using JSF.
The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
This example uses a statically defined user/password, stored in a file, but you can also configure a JDBC realm in Glassfish, so that users can register for access and your program can store the username/password in a database.
I'm new to programming, so none of this may be a good practice, or may not be secure at all.
I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
--Kerry
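
An added example, not part of the original post: a small Python audit of the web.xml and sun-web.xml fragments shown above. It follows the constraint -> role -> group chain and flags two things that descriptor leaves open: an explicit http-method list and no CONFIDENTIAL transport guarantee. The function name, the finding codes and the hardened variant are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the descriptor fragments from the post, wrapped in root
# elements so they parse as standalone documents.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <url-pattern>/faces/secure/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
      <http-method>HEAD</http-method><http-method>PUT</http-method>
      <http-method>OPTIONS</http-method><http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>User</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/faces/login.jsp</form-login-page>
      <form-error-page>/faces/login.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>User</role-name></security-role>
</web-app>"""

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>User</role-name>
    <group-name>Users</group-name>
  </security-role-mapping>
</sun-web-app>"""

# Corrected variant (an assumption of this example, not from the post): no
# <http-method> list, so every method is covered, and TLS is required.
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <url-pattern>/faces/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>User</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role><role-name>User</role-name></security-role>
</web-app>"""


def _local(tag):
    """Strip an XML namespace so real descriptors (which declare one) also match."""
    return tag.rsplit("}", 1)[-1]


def _elems(root, name):
    """Every element called `name` at or below `root`."""
    return [e for e in root.iter() if _local(e.tag) == name]


def _texts(root, name):
    """Trimmed text of every element called `name` at or below `root`."""
    return [(e.text or "").strip() for e in _elems(root, name)]


def audit(web_xml, sun_web_xml):
    """Return (code, url-patterns, message) findings for each security-constraint."""
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)
    declared = {r for sr in _elems(web, "security-role") for r in _texts(sr, "role-name")}
    mapped = set()
    for m in _elems(sun, "security-role-mapping"):
        # A mapping only counts if it names at least one group or principal.
        if _texts(m, "group-name") or _texts(m, "principal-name"):
            mapped.update(_texts(m, "role-name"))

    findings = []
    for sc in _elems(web, "security-constraint"):
        where = ",".join(_texts(sc, "url-pattern"))
        methods = _texts(sc, "http-method")
        if methods:
            findings.append(("EXPLICIT_METHODS", where,
                             "constraint covers only " + " ".join(methods)
                             + "; any other HTTP method is unconstrained"))
        if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append(("NO_TLS", where,
                             "no CONFIDENTIAL transport guarantee; the protected "
                             "pages may be served over plain HTTP"))
        # Inside a security-constraint, role-name only occurs in auth-constraint.
        for role in _texts(sc, "role-name"):
            if role == "*":  # '*' means every role declared in web.xml
                continue
            if role not in declared:
                findings.append(("UNDECLARED_ROLE", where,
                                 role + " has no <security-role> in web.xml"))
            if role not in mapped:
                findings.append(("UNMAPPED_ROLE", where,
                                 role + " has no group or principal in sun-web.xml"))
    return findings


if __name__ == "__main__":
    for code, where, message in audit(WEB_XML, SUN_WEB_XML):
        print(code, where, message)
```
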

Similar Messages

  • Form-Based Security

    I cannot seem to get container-managed security to work with Java Studio Creator.
    I have a standard jsp page as the logon form, submitting to j_security_check. Authentication works correctly, but then, when the protected page is rendered, I keep getting the "Faces Context cannot be found" exception. Is this because I have a non-faces page between two faces pages?
    Here are the steps:
    1). Access the main page
    2). Main faces page gets rendered correctly.
    3). Access a link which sends the user to a protected page
    4). Logon page gets rendered. (plain JSP or HTML file)
    All is well so far
    5). User credentials are submitted
    6). Authentication works correctly
    7). Forward user to the protected faces page
    8). "Cannot find Faces Context" exception.
    Obviously, I cannot create a "standard" jsp page in Creator, as Creator creates the faces context and the java backend automatically. I had to create the JSP page through a text editor, and save it to the Creator project directory.
    The same thing happens if I create a regular HTML file in Creator with the same form submitting to j_security_check.
    Anyone run into this? Has anyone gotten container-managed, forms-based security working with Creator?
    Thanks.

    Ummmm.... okay, I feel really foolish and stupid. I guess I was getting tunnel vision, staring at this project so much.
    Sheesh! Thanks for the reply, j.f.brown! Had you not made the reply, who knows how long I would have stared at this problem.
    I'm never going to live this down. heh heh.

  • Adding an External Application that uses J2EE Form Based Security

    I'm trying to add an External application that uses the J2EE Form based security. i.e. uses j_username, j_password and posts to j_security_check.
    I don't really see how Oracle SSO will support this. The container needs to take control of a clients request and determines when the "Login" page is presented to establish credentials. Posting directly to j_security_check isn't working for me.
    I'm using Sybase EAServer 4.12 as the external application.
    Is this supported in Oracle SSO?
    Do I need to provide a different mechanism for logging users in?
    Also, can someone explain what the benefit would be if I configured the EAServer app as a "Partner" app? I would still have to provide an interface for login. The input would be different but the end result would be the same I guess. What advantages does a Partner app have?
    Lastly, is there an NNTP server for these forums?
    Thanks.
    Darrell


  • Form based authentication in JSF

    Hi,
    I am using form based authentication in JSF.
    I am not able to display the JSF page.
    I have this security constraint in my web.xml
    <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/jsp/WorkingZone.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
    <form-login-page>/Login/login.jsp</form-login-page>
    <form-error-page>/Login/error.jsp</form-error-page>
    </form-login-config>
    </login-config>
    WorkingZone.jsp is a jsp page with JSF components, which can only be invoked with faces context.
    I am using JDBCRealm
    For the valid user I am getting this error:
    HTTP Status 400 - Invalid direct reference to form login page
    type Status report
    message Invalid direct reference to form login page
    description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
    Please give me the solution. How can I access my JSF page?

    Thank you.
    Marcos
    Hi,
    It should help you:
    http://searchsoftwarequality.techtarget.com/searchAppSecurity/downloads/JSF_ch15.pdf
    Message was edited by:
    syllepsa

  • Form-based authentication and JSF

    I am trying to use a form-based authentication in Tomcat 6, and from what I understand the page that contains the login form can not be a JSF page.
    The problem I'm having with this is that I need the client's username and password accessible from my backing bean, but I don't know how to put them there from a standard JSP.
    Before all this, I had a simple login form with username/password fields that were bound to a bean, and a button that executed a bean method that would perform the login procedure, retrieve the client's data from the DB and create a Client object in the session to be accessible throughout the application. Now, I need to use container managed access control with form-based authentication, and I know how to set it up but don't know how to create the Client object if the container does all the authentication and I never even get a hold of a username/password combination let alone the rest of the client's data.
    Any advice on this would be greatly appreciated.

    alf.redo wrote:
    ...following article: [j2ee_security_a_jsf_based_login_form|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form]
    This is exactly the solution I am planning to use. It is good to know there are others who have decided to go that way.
    Thanks

  • Form based security in WebLogic 7.0 - back button quirk

    I have an application comprised of several JSPs that are protected via Form based
    security and enforce an SSL connection via the appropriate declarations in the
    web.xml. This aspect of the application seems to be working with the exception
    of one small quirk.
    If a user presses the back button until such time as they receive the container
    provided login page once again, and subsequently provide a valid user id and password,
    they are NOT successfully logged in. Rather, they receive the ugly 403 Forbidden
    error that states that the server understood the request, but is refusing to fulfill
    it. This only seems to happen given the above course of events involving the
    use of a back button in the browser (or selection of an item from the history
    list). I suspect that this has something to do with the session id being cached
    or something, but I'm not sure? Can anyone offer any assistance on this one?
    Also, does anyone know of a way of preventing the user from bookmarking this container
    provided login page as this also seems to be causing problems for users. If they
    bookmark the first protected page of the application all is fine, but if they
    bookmark the login page they receive the 403 error.
    Thanks in advance!

    The cure for the symptoms described below was to simply add a welcome-file-list
    element with appropriate welcome pages to the web.xml descriptor. It makes sense
    now that I have worked it out.
    Todd
    "Todd Gould" <[email protected]> wrote:
    > I have an application comprised of several JSPs that are protected via Form based
    > security and enforce an SSL connection via the appropriate declarations in the
    > web.xml. This aspect of the application seems to be working with the exception
    > of one small quirk.
    > If a user presses the back button until such time as they receive the container
    > provided login page once again, and subsequently provide a valid user id and password,
    > they are NOT successfully logged in. Rather, they receive the ugly 403 Forbidden
    > error that states that the server understood the request, but is refusing to fulfill
    > it. This only seems to happen given the above course of events involving the
    > use of a back button in the browser (or selection of an item from the history
    > list). I suspect that this has something to do with the session id being cached
    > or something, but I'm not sure? Can anyone offer any assistance on this one?
    > Also, does anyone know of a way of preventing the user from bookmarking this container
    > provided login page as this also seems to be causing problems for users. If they
    > bookmark the first protected page of the application all is fine, but if they
    > bookmark the login page they receive the 403 error.
    > Thanks in advance!

  • Form based security in WebLogic 7.0

    I'm sorry for the beginner level question, but I seem to be missing a critical step
    in getting Form based security to work. I have a Web application comprised of several
    JSPs. I want to attach simple FORM based security constraints to all pages in the
    app. Here are the excerpts from my web.xml:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>DTSTAT</web-resource-name>
    <url-pattern>/StateServlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>Sysops</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/StateServlet/login.html</form-login-page>
    <form-error-page>/StateServlet/login-error.html</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <role-name>Sysops</role-name>
    </security-role>
    The app deploys correctly and I have verified that the constraints, etc. are recognized
    by WebLogic by inspecting the content displayed from the Admin console under the
    "Edit Web Application Deployment Descriptor" link - all looks as I had expected and
    matches the XML configuration above.
    I then use the "Define Resources and Roles for Web Resource Collections" link. Under
    the "Define Policies" section I see the constraints as defined above. I then use
    the "Define Roles" link to define the "Sysops" role for this application and add
    the condition "Caller is a member of the group" and use Administrators as the Group.
    From this point, I invoke one of the JSPs in the app and am presented with the Login
    page as expected. However, no matter what I enter for user and password, I always
    get the login-error page back. I'm purposely trying to keep this simple so that
    I can use the system user as a test case (who is a member of the Administrators group).
    However, I have also created an additional separate user and added them to the Administrators
    group as well with the same unsuccessful results.
    Can anyone help me out please? I've been reading the docs and seem to be missing
    a key element somewhere.
    Thanks in advance,
    Todd

    Try to refer to the documentation for
    Configuring Security in Web Applications at
    http://e-docs.bea.com/wls/docs70///webapp/security.html
    Does the weblogic.log file contain any error or warning
    messages corresponding to your problem ?
    If you have a test case to reproduce the problem, you
    can contact BEA support at [email protected]
    Thanks
    Developer Relations Engineer

  • How To Use HttpUnit With FORM-based Authentication?

    I'm just getting started with HttpUnit, and I'm having a problem:
    How does one use HttpUnit with FORM-based authentication?
    I have a Web app where I specify a number of protected URLs. When a user tries to invoke one of them in a browser, Tomcat 4.1.30 brings up a login page that I specified and asks for a username and password. The values given by the user are checked against the tomcat-users.xml file. If the user is valid, Tomcat forwards the response from the original request. If invalid, an error page is displayed. The user is considered valid until either the session times out or the browser is closed.
    Does HttpUnit have to log into the app every time I run a test? How does it manage subsequent pages after login?

    I don't think that's true. HttpUnit is 100% Java and based on JUnit. HttpUnit has nothing to do with Apache, AFAIK. HttpUnit is for unit testing servlets and JSPs. Apache is a Web server. It doesn't have a servlet/JSP engine, unless you bolt Tomcat on top of it.
    Perhaps we're talking about two different packages. - %

  • Entity Bean can only use container-managed transaction demarcation?

    In <<Designing Enterprise Application with J2EE 2nd>>
    Section 2.3.3.3 Enterprise Bean Transactions, it says: Entity beans can only use container-managed transaction demarcation.
    That means I cannot get UserTransaction from EJBContext.
    Is that true?

    Yes this is the requirement of the specs. Your ejb code generator should give you the error if you use usertransaction.
    --Ashwani

  • Is it possible to use two diff forms in same jsp/jsf page?

    Hi all,
    My requirement is to submit the form based on selection of radio button.
    Since half part needs to be jsp based which is not using any tags etc.
    But I am trying to use some jsf based component which requires to be inside <f:view><h:form> of
    <%@ taglib prefix="f" uri="http://java.sun.com/jsf/core" %>
    <%@ taglib prefix="h" uri="http://java.sun.com/jsf/html" %>
    i.e. some <c:comboBox>
    </h:form> </f:view>
    Now earlier I was submitting the form as
    <form action="/techstacks-v2_1/reportAction.do" method="post" name=doSearch id='doSearch'>
    But now I found, in order to use combo box component which is entirely jsf based I need to use <f:view><h:form> which is kind of taking over the previous form submission mechanism.
    I am trying to keep them separate as two different forms.
    One entirely jsp based and other as jsf based.
    Now my question is can I use such way of doing so or is there any better way of implementing so.
    My friend suggested that I can pass the value of jsf based form in hidden form to a input box of form to be submitted finally instead of submitting two diff forms.
    But in that case also I have to use two forms in a single jsp/jsf page.
    Suggest me something which can really work out.
    thanks
    vijendra

    You can use as many forms as you want as long as you don't nest forms. The HTML spec prohibits that.

  • What is the mean of using Portal with Role Based security as entry point

    Hi Experts, we have a requirement for integration of Portal and MDM.
    I am completely new to the MDM. So please give me some idea what the meaning of the following points is.
    1) Using the Portal with Role Based security as entry point for capacity and Routing Maintenance (these two are some modules).
    2) Additionally, Portal should have capability to enter into the MDM for future master data maintenance. Feeds of data will need to come from SAP 4.6c
    Please give me clarity on what the meaning of the second point is.
    Regards
    Vijay

    Hi
    It requires the entire landscape: the EP server and MDM server should both be configured in SLD.
    Your requirement is maintaining and updating the MDM data with Enterprise Portal. We have some Business Packages to install in Portal in order to access the functionality of MDM.
    Portal gives you secure role-based functionality of MDM through Single Sign-On (log into the portal, access any application) for its end users.
    Please go through this link
    http://help.sap.com/saphelp_mdmgds55/helpdata/EN/45/c8cd92dc7f4ebbe10000000a11466f/frameset.htm
    You need to develop some custom applications which should be integrated into the portal to access MDM Server master data.
    The estimation involves as per your requirement clearly.
    It depends upon the landscape settings, requirement complexity, and how many custom applications need to be developed.
    Regards
    Kalyan

  • WebLogic Form-based security

    I am using form-based login to authenticate users. I want to tie all entry points
    on successful login to a single page. Is there a way to accomplish this? In the
    web.xml one can configure the error page to be forwarded to on login failure but
    there is nothing on these lines for successful logins i.e. page to be forwarded to
    login success.
    <form-login-config>
      <form-login-page>login.jsp</form-login-page>
      <form-error-page>error.jsp</form-error-page>
    </form-login-config>
    Any ideas on how to accomplish this?
    Sanjay

    On the login.jsp page, do some JSP code that changes the j_target_url to the URL that you
    want all users to be directed to.
    Cheers
    Joe Jerry

  • How to use remote managed bean and JPA in JSF

    Hi All,
    I am familiar with referencing backing-beans and JPA properties where Glassfish and MySQL is running locally. However, is it possible to lookup these same properties using JNDI if they reside on remote servers? If so, what change is needed?
    I would like to distribute the J2EE 5 application load, including the database, by running Glassfish and MySQL on separate servers. This will put the JSF (presentation-tier) components on their own server, while a secondary system will handle the middle-tier processing, leaving the database activities to be carried out on another server. Not sure whether this is the right approach though. This hardware would run on both Solaris and Windows platforms.
    Unfortunately, buying faster hardware is not an option.
    Any assistance would be appreciated,
    Jack

    Hi Faissal,
    Is your suggestion below:
        // Look up an EJB and use it.
        // ServiceLocator is a class that looks up the remote object.
        YourRemoteBean bean = (YourRemoteBean) ServiceLocator.findRemoteObject(jndiName);
    equivalent to the following lines:
        Properties props = new Properties();
        props.setProperty("java.naming.factory.initial", "com.sun.enterprise.naming.SerialInitContextFactory");
        props.setProperty("java.naming.factory.url.pkgs", "com.sun.enterprise.naming");
        props.setProperty("java.naming.factory.state", "com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl");
        // Optional. Defaults to localhost. Only needed if the web server is running
        // on a different host than the appserver.
        // props.setProperty("org.omg.CORBA.ORBInitialHost", "localhost");
        props.setProperty("org.omg.CORBA.ORBInitialHost", "remoteServer");
        // Optional. Defaults to 3700. Only needed if the target ORB port is not 3700.
        // props.setProperty("org.omg.CORBA.ORBInitialPort", "3700");
        // Pass props so the lookup goes to the remote host configured above.
        InitialContext jndiContext = new InitialContext(props);
        YourRemoteBean bean = (YourRemoteBean) jndiContext.lookup("ejb.YourRemoteBean");
    Thanks,
    Jack

  • Container Managed Security on Tomcat - configuring different auth-methods

    I am trying to configure the container managed security on tomcat4. Or rather I am trying to add a further dimension to the configuration that already exists.
    At the moment the entire application uses LDAP authentication and I would like to separate an area that requires further authentication. That is to say I would like everyone using the web application to authenticate using the existing Form-Based LDAP authentication but I would like only certain users to be able to use the data upload facility (whose code is stored in its own directory).
    This is the authentication bit of my web.xml:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>qmrae</web-resource-name>
          <url-pattern>*.do</url-pattern>
          <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Form-Based Authentication Area</realm-name>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
      </login-config>
    My first hurdle is in understanding exactly how the application knows where to go for its authentication.
    I had guessed that the realm-name would map "areas" of my application to realm configuration defined in my application's context area in Tomcat's web.xml but this doesn't seem to be the case. In fact I have read conflicting explanations as to what the realm-name is for. One source has said that this is only used for BASIC authentication as a way of naming the resulting pop up window - many others say it maps the login-config to the web-resource-name. However the latter doesn't make sense because the authentication works in my application at the moment even though those values are completely different (and indeed are different in most of the examples I've read on the web). Furthermore I can find any other mention of the defined realm-name in any other file (which could of course be because I'm looking in the wrong place).
    I was prepared to accept that the realm-name might not actually do anything and so I've been looking for examples of defining a different auth-method for different url-patterns but I've had no luck.
    I know a user can have one or more roles but I don't have access to the LDAP server to set these up and haven't found anything about defining different auth-methods other than one thread in this forum suggesting that it wasn't possible on AIS.
    This thread suggests that you can have more than one security-constraint but again I'm not sure about the auth methods and how you map an auth method to a security-constraint
    http://forum.java.sun.com/thread.jspa?forumID=33&threadID=320918
    To summarise my questions:
    1) What are the functions of the realm-name and web-resource-name? Are they related?
    2) Is it possible to configure different areas of an application to use different authentication methods? And if so, could you point me in the direction of relevant documentation?
    3) If (2) is not possible and I have to assign a new role to the privileged LDAP users, is it enough to define a new security-constraint? Could you describe the behaviour I could expect for users that have authenticated once and try to access this super-security area: will they be shown another login form or will it just let them in because the container is already aware of their permissions?
    Many thanks for your attention,
    Rachel

    If you create your own Realm classes - look at JAAS - you can sort out your last login time, just wrap them around the DataSourceRealm.
    As far as 'remind' him is concerned - I'm guessing you mean provide a reminder for the password based on the user name. If you use form based authentication you can put whatever you like on the page.
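
An added example for the Tomcat question above (not code from the thread or from the Tomcat project): a web.xml fragment that keeps the single FORM login-config from the post and restricts an upload directory with a second security-constraint. The role names `user` and `uploader`, the `/upload/*` path and `/accessDenied.jsp` are assumptions; role names must match roles the LDAP realm actually returns.

```xml
<!-- Added example: web.xml fragment, elements in Servlet 2.3 DTD order.
     "user", "uploader", /upload/* and /accessDenied.jsp are assumed names. -->

<!-- A user who is already authenticated but lacks the required role
     receives 403 Forbidden, not a second login form. -->
<error-page>
  <error-code>403</error-code>
  <location>/accessDenied.jsp</location>
</error-page>

<!-- Most specific constraint first, so it is the one matched where a
     container evaluates constraints in declaration order.
     web-resource-name is only a label for the collection. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>qmrae-upload</web-resource-name>
    <url-pattern>/upload/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>uploader</role-name>
  </auth-constraint>
</security-constraint>

<!-- Constraint from the post: any declared role may reach the rest of the app. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>qmrae</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<!-- A web application has one login-config, so one auth-method
     serves every security-constraint. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- "*" above is shorthand for the roles declared here. -->
<security-role><role-name>user</role-name></security-role>
<security-role><role-name>uploader</role-name></security-role>
```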

  • Glassfish 3.1 Container managed security - custom authentication

    I have used custom authentication with tomcat and it works great. I am moving to glassfish 3.1 and want to set it up there now. I haven't found any specifics for glassfish 3.1. Anybody got it working in GF 3.1?
    Thanks,
    John

    To follow up ...
    I am using container managed security and form based authentication. My custom SJSAS login realm, however, never fails to authenticate users. Instead of failing authentication when a username and password match cannot be found, I add the user to an 'unknown-user' group who has no rights to the application.
    I do this because I can then catch 403 errors for users who have failed authentication (because they are not authorized to access any pages), or for users who are not in the right role to access part of the application.
    It's not the way that I would prefer to handle login 'failures', but it works.
