I am working on a project where authentication is handled by a third party, and they send back the information as session attributes. I currently know how to handle that using a .jsp process page, where I could call methods, login in the user and re-direct to other pages as necessary. However I'm using facelets and .xhtml pages that don't contain the .jsp functionality.
How can I run a backing bean method as soon as the page loads that could also re-direct to other pages as necessary without the user having to click on a continue button or something like that. Is it possible?
I highly recommend NOT putting login/security code into detail application constructs. Aside from the fact that you're mixing layers together, one miscoded business module can provide the conduit for an unscrupulous person to invade the system.
I prefer the standard J2EE container-based security system for most apps. It's already there, it's already debugged, and it sits around your whole app, keeping watch in things before they ever hit your actual program code. For situations where that's not feasible, the next best solution is to place your security in filters, which has almost the same net effect, minus the integration into the overall app server and web.xml.
You can use J2EE container security even with external security providers, so long as they support something that can be mapped to role-based access control and you have the specs on custom security providers for your appserver of choice. I wrote a Tomcat security realm module that backed up a web-service based security system. It wasn't very much code and it worked perfectly.
An IDE is no substitute for an Intelligent Developer.
Joined: Feb 08, 2007
I agree the security where it is currently meshed isn't the right place for it. I plan on implementing a filter that would protect each and every page, I was mainly wondering if such attempts were possible.