Navigate to login page in case of invalid session

 
Greenhorn
Posts: 7

Hi all,

I'm having a problem.
I created a class "LoginCheckTimeOut.java" which implements the PhaseListener interface. I set the value for the session timeout in web.xml & registered the class in
faces-config.xml. When I use it and try to log in, my page is getting refreshed by resetting all fields & not allowing me to log in, but it is working for preventing direct access to the page URL, which was one of my needs.

So,
can anyone suggest where the problem could be & help me with "How to navigate to the login page in case of an invalid session?"

Give the general code if possible.

thanks & regards.
rajeshwar
 
Saloon Keeper
Posts: 27762
Welcome to the JavaRanch, Rajeshwar!

If you are using the J2EE standard security framework, the answer to your question about what to code is: Nothing.

That's because the standard container security framework will monitor all incoming URL requests, and if any attempt is made to access a secured URL, the server itself checks to see if the user is authenticated (logged in), and presents the login page, if he/she is not logged in. That is, in fact, one of the major strengths of the standard security framework. Most "Do It Yourself" security systems can be compromised by merely sidestepping the proper URL sequences.

Technically, the container doesn't "navigate to the login page". Instead, the login page is presented by the container (not the application) in place of the resource requested in the secured URL, and once the user is logged in, the original URL request proceeds transparently. Because the login page has no true URL of its own and is not handled by the application, but by the server, it must be a simple HTML or JSP page. Servlet-controlled pages (JSF, Struts, and so forth) cannot be used as login pages.

If you're attempting to invent your own login/security system, all bets are off. That's one of the disadvantages of DIY. There's no standard documented, debugged framework.

Another disadvantage of DIY security is that in something like 10 years of J2EE, I've yet to encounter one that's actually secure. Most, in fact, can be cracked by amateur hackers and kids in 5 minutes or less. The J2EE standard system, on the other hand, was designed and implemented by full-time security professionals and has had 10 years to be hardened.
 
Rajeshwar Tripathi
Greenhorn
Posts: 7
Thanks for the reply, Tim,


At every request from the user, we are trying to validate whether the user is logged in or not by checking the user id in the session (which we are setting when the user is successfully authenticated). Is there a way hackers can put the value in the session?

Also, can you please let me know why login pages should not be servlet-controlled pages?

Please correct me if I am wrong.

thanks & regards
Rajeshwar
 
Tim Holloway
Saloon Keeper
Posts: 27762
Hackers can do anything if you have loopholes. That's one of the reasons why I'm so much a proponent of not inventing one's own login/security system. Unless you're a full-time security expert, you'll fail to close all the loopholes.

Actually, full-time security experts fail, too, but since they aren't distracted by things like actual application functionality, and since they're trained to know what to look for, they fail less often.

You cannot make a J2EE container-managed login page be servlet-driven for the reason I just outlined. The login page has no URL. It's simply a template file that's presented by the server itself, and the server's login process has just enough intelligence to process basic JSP functions. The login process is not part of the application; it's part of the server, so you can't use application logic in the login process.
 