I have an app which is currently being used by my company. It uses container-based security with only one role (sufficient for now). I now have to come up with a new release that will allow our clients to use it as well, with a complex set of rules defining what they can and can't do with it. At the moment there are about 10 people using the app and when the new version comes out there will only be about 10 more clients using it, growing to possibly 50 users overall. I'm pretty new to JSF, with no knowledge of Struts or anything, and I haven't worked with Java security before, but I think what I'm looking for is a simple custom security solution. However I can't find any good information about this.
My plan so far is to have a bean to handle the login process (connect to the db, check username/password, etc) then have a session scope bean for user information. With the request of any page (by following a link or typing in the page url to the browser) I will check the bean using JSTL 'if' to see if the user is logged in properly, and if not just redirect to the login page. [EDIT] Therefore when the session times out, the user will be logged off as the session bean is destroyed [/EDIT] I don't plan to create/access any session variables, but this seems to be what everyone else is doing.
Can anyone tell me if I'm on completely the wrong track, or what's wrong with my idea? Why would I want to store the username and password as session variables like I see elsewhere? Is using a filter for this a better idea? If anyone can point me to an easy to understand tutorial with a working example of a filter for security I would be really grateful!
Any information will really help!
[ May 29, 2006: Message edited by: Jamie Williams ]
Yes your solution seems fine. This is an approach that is taken by a lot of web applications and works very well. A couple of things which you didn't mention, so you may not have considered them:
1. Look at using a Filter to check your user state and then redirecting the request out to your error / login page (or whatever).
2. Think about concurrency. What do you want to happen if someone logs in twice, from different sessions? If this will cause a problem then you could store user names with sessions somewhere (maybe look at a SessionListener) so you can invalidate duplicate sessions.
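The two points above in working code, as an added example that is not from the thread: a servlet Filter that redirects anonymous requests to the login page, and an HttpSessionListener that keeps one live session per user. It assumes the login bean is stored in the session under the attribute name "userBean", that the login page is at /login.jsf, and that both classes are declared in web.xml.

```java
// Added example, not from the thread. Assumptions: the session-scoped login bean is
// stored under "userBean", the login page is /login.jsf, and the login bean calls
// SingleSessionRegistry.register() once the password has been verified.
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

public class AuthFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsf";  // assumed path
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        HttpSession session = request.getSession(false);  // never create one for anonymous hits
        boolean loggedIn = session != null && session.getAttribute("userBean") != null;
        // The login page itself must stay reachable, or nobody can ever log in.
        if (loggedIn || path.equals(LOGIN_PAGE)) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
    }
}

/** Invalidates the earlier session when the same user logs in a second time. */
class SingleSessionRegistry implements HttpSessionListener {
    private static final Map<String, HttpSession> ACTIVE = new ConcurrentHashMap<String, HttpSession>();

    /** Call from the login bean after the password check succeeds. */
    public static void register(String username, HttpSession session) {
        HttpSession old = ACTIVE.put(username, session);
        if (old != null && old != session) {
            try { old.invalidate(); } catch (IllegalStateException alreadyGone) { /* timed out */ }
        }
    }

    public void sessionCreated(HttpSessionEvent e) {}

    public void sessionDestroyed(HttpSessionEvent e) {
        // Runs on timeout as well as on invalidate(), so the map never keeps dead sessions.
        ACTIVE.values().remove(e.getSession());
    }
}
```

Map the filter to the JSF URL pattern your app uses (/*.jsf in this example) and the registry entry needs no mapping, only a listener declaration.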
Thanks a lot, Rick. I couldn't find my sort of solution (checking each page) anyway, so I thought I had the wrong idea. I have looked at filters before but not in great depth - they just look so difficult to implement! Do you know an easy to follow tutorial? The idea of the SessionListener is a good one, I will look into it. Do you know any tutorials for that too?
Sorry about the delay.
Filters and SessionListeners are really simple to implement - you can find tons of examples on the web but essentially you implement an interface and declare it in the web.xml.
Sorry I don't have more time to go into more detail; maybe this bump will get the thread looked at again.
I use container-based security with roles for most apps. When you start getting per-user security permissions, however, that can get messy. At that point, I'd augment (not replace) the roles with some additional checking, depending on requirements. One possibility is to use JAAS.
There are several reasons why I prefer container-based. Most importantly, since it wraps the entire app, it's extremely unlikely for anyone to come up with a "magic url" that slips past the security system. Yes, you can do this with filters, but essentially that's what container-based security is - just a specialized version of a filter that's geared to security. So I have a lowest-common-denominator level of security that has a high degree of trust.
Another reason for preferring CBS is that the user's identity is confirmed and readily available at all times using standard JEE APIs. This identity can then be used as a key into whatever security database you want to use for fine-grained access control.
Finally, CBS allows you to take advantage of the security options on Struts and JSF tags. Essentially, when you can role-protect sensitive parts of a page without extra code, you have less code to write and less code to worry about breaking.
It would be nice if I could use container-based security, but my users need very specific permissions, i.e. John Smith is allowed to see details for all the customers but Bob Jones is only allowed to see our customers in a specific set of countries in South America, John is allowed to view billing history for all of the business in Europe but Bob can issue invoices by mail for anyone, etc. It's actually more complicated than that but I can't go into detail. Users need to have personal settings and stuff like that too for languages, specific formats for file uploads, etc. I also need to have an interface for managers to use to set other users' permissions. If I can get that level of control out of CBS I'd use it but I don't think I can, or if it would be easier than doing a custom job. What do you think?
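An added example (not from the thread) of the "augment, don't replace" approach from the reply above, applied to the John/Bob case in the question: the container role stays as the coarse gate, and the container-confirmed principal name is the key into a per-user rule table. The role name "user", the method name and the permission data are assumptions; the table would in practice come from the database the managers' screen maintains.

```java
// Added example, not from the thread. Assumes a container role named "user" and that
// the app sits behind a web.xml security-constraint, so getUserPrincipal() is set.
import java.security.Principal;
import java.util.*;
import javax.servlet.http.HttpServletRequest;

public class AccessControl {
    /** Per-user rule: customer countries a user may view; null value = all countries. */
    private final Map<String, Set<String>> visibleCountries = new HashMap<String, Set<String>>();

    public AccessControl() {
        // Constructed sample data mirroring the two users in the question.
        visibleCountries.put("jsmith", null);                                          // all customers
        visibleCountries.put("bjones", new HashSet<String>(Arrays.asList("BR", "AR", "CL")));
    }

    /** Identity comes from the container, never from a request parameter or the URL. */
    public boolean canViewCustomer(HttpServletRequest request, String customerCountry) {
        // 1. Coarse gate: the container has already authenticated and assigned roles.
        if (!request.isUserInRole("user")) {
            return false;
        }
        Principal p = request.getUserPrincipal();
        if (p == null) {
            return false;  // should not happen behind a security-constraint; fail closed anyway
        }
        // 2. Fine-grained rule keyed on the confirmed principal name.
        if (!visibleCountries.containsKey(p.getName())) {
            return false;  // user known to the container but not to the rule table: deny
        }
        Set<String> allowed = visibleCountries.get(p.getName());
        return allowed == null || allowed.contains(customerCountry);
    }
}
```

Because both checks run server-side on every request, hiding a link in the page with a JSF tag is a convenience for the user, not the control itself.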