Authentication in JSF

J Gupta
Ranch Hand

Joined: Jul 16, 2008
Posts: 30
Can someone point me to design patterns for user authentication in JSF?
Rahul Mishra
Ranch Hand

Joined: Jan 22, 2006
Posts: 211
I am wondering, and I might be wrong, why would user authentication be any different in JSF w.r.t. design patterns.

Care to shed some light J


OCMJEA/SCEA, SCDJWS, SCBCD 1.3, SCJP 1.4
My SCEA experience: http://javalogue.blogspot.com/
J Gupta
Ranch Hand

Joined: Jul 16, 2008
Posts: 30
Rahul, thanks for asking.
If I was implementing a Front Controller I could have added a Filter for authentication; I was wondering if there is a standard practice for separating the authentication concern in your design.
Rahul Mishra
Ranch Hand

Joined: Jan 22, 2006
Posts: 211
Well, that was my point exactly. A concern like authentication does not change whether you use JSF/Struts/anything else, and hence the fact that I conceptualize it as a 'Front Controller' does not change.


The way I realize a front controller might change based on the capabilities of the framework and the platform, but that still doesn't change that my intent is to intercept all requests and ensure that they belong to an authenticated user.

My point being: the design pattern does not change; the realization of it might.


Janis Kazakovs
Ranch Hand

Joined: Aug 13, 2009
Posts: 33
Placing your authentication as well as authorization logic in a Servlet filter could be an option, in case you don't want to use the declarative security provided by the container. You get looser coupling between the functionality defined by your application. In this scenario, however, you will have to implement the authentication logic yourself; you can also use any of the security frameworks available "out there", e.g. JAAS, Spring Security, you name it.

With regards to security patterns I would advise you to have a look at the book "Core Security Patterns", which describes, for example, the Authentication Enforcer (if I am not mistaken) design pattern.

As a result, the possible scenario could be to define a servlet filter, which will delegate to your authentication enforcer, which, in turn, will either perform the authentication itself, by calling a DB for example, or will delegate to the security framework you choose to use, e.g. JAAS.

Hope it helps,
Janis


SCEA 5.0, SCBCD 5.0, SCWCD 1.4, SCJP 5.0
OMG-Certified UML Professional, Intermediate; OMG-Certified UML Professional, Fundamental
srees Nivas
Ranch Hand

Joined: Oct 05, 2009
Posts: 51
Hi All,

I read somewhere that, with a Security filter, the security principal will not be propagated to the EJB container. I'm not sure whether it is still true or not!

How about Form-based authentication over SSL for authentication & authorization, and a Security filter for additional security features like handling XSS attacks etc.?

Do you see any problem in this approach?

Best regards,
Sri.
Janis Kazakovs
Ranch Hand

Joined: Aug 13, 2009
Posts: 33
As far as I know the propagation of the security context should be supported by web and application servers. As soon as you have established the user's identity on the presentation tier it should be propagated to the business tier. You can configure your servers to use transport layer security in order to meet confidentiality requirements.

If you do not use the declarative security provided to you out of the box by the web container and implement authentication in, for example, a servlet filter by means of JAAS, you will have to do some manual work, for example implementing a LoginModule and configuring a JAAS Realm on your server. As soon as you have made all the necessary steps, on authentication of a request JAAS will check the user's credentials and will establish the user's identity, represented by the java.security.Principal class. Since you implement the authentication manually, from your filter, you will have to store the Principal instance in the session and refer to it on every request.

Janis
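The filter-delegates-to-enforcer arrangement described in the two posts above, written out as an added illustration (this is not code from the thread or from "Core Security Patterns"): a servlet filter that delegates credential checking to a hypothetical AuthenticationEnforcer interface and keeps the resulting java.security.Principal in the session so later requests pass without re-authenticating. The session attribute name, login path, form parameter names and constructor injection of the enforcer are assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical enforcer: checks credentials itself (DB) or delegates to JAAS; null on failure. */
interface AuthenticationEnforcer {
    Principal authenticate(String username, char[] password);
}

public class AuthenticationFilter implements Filter {
    public static final String PRINCIPAL_KEY = "authenticated.principal"; // assumed attribute name
    private static final String LOGIN_PATH = "/login.jsf";                // assumed login page
    private final AuthenticationEnforcer enforcer;

    // Constructor injection keeps the example self-contained; a container-managed
    // filter would instead obtain the enforcer in init() (e.g. from JNDI or a factory).
    public AuthenticationFilter(AuthenticationEnforcer enforcer) { this.enforcer = enforcer; }
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        boolean loginRequest = LOGIN_PATH.equals(request.getServletPath());

        // Identity was established on an earlier request: the Principal lives in the session.
        if (session != null && session.getAttribute(PRINCIPAL_KEY) instanceof Principal) {
            chain.doFilter(request, response);
            return;
        }
        // Login form submission: delegate the actual credential check to the enforcer.
        if (loginRequest && "POST".equals(request.getMethod())) {
            String user = request.getParameter("username");
            String pass = request.getParameter("password");
            Principal p = (user == null || pass == null) ? null
                        : enforcer.authenticate(user, pass.toCharArray());
            if (p != null) {
                if (session != null) session.invalidate();    // fresh session id after login
                request.getSession(true).setAttribute(PRINCIPAL_KEY, p);
                response.sendRedirect(request.getContextPath() + "/");
                return;
            }
        }
        // Unauthenticated: only the login page itself may be rendered; everything else is redirected.
        if (loginRequest) chain.doFilter(request, response);
        else response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }
}
```

Authorization decisions (which role may reach which page) would sit behind the same gate, reading the stored Principal rather than re-running the enforcer.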
Janis Kazakovs
Ranch Hand

Joined: Aug 13, 2009
Posts: 33
Btw, in case of JSF, an action listener could be an alternative to servlet filter to perform authentication.
J Gupta
Ranch Hand

Joined: Jul 16, 2008
Posts: 30
Janis Kazakovs wrote: Btw, in case of JSF, an action listener could be an alternative to servlet filter to perform authentication.


Right off the bat, that's what I was looking for

Thanks a lot, I wish you a happy new year