I have developed a web application using JSF 1.2. It has a login page and some other pages that users can see after they log in.
But every time users press Ctrl+T (which opens a new tab), the application asks them to log in to proceed. I want it to work without asking users to enter their credentials if they have already logged in, and they should be able to see the page as in the other tab.
Do you have any recommendations about this problem?
Yes. Don't invent your own security system. This is just one of many problems you'll have. And welcome to the JavaRanch, Igor!
If you hang around here for long you'll see a lot of me ranting on home-made login systems. It's because they just don't work. Unfortunately, it seems like almost every Java book out there has examples with user-defined logins in them. But I've been working with J2EE since before JSPs were even invented, and I've never seen a single do-it-yourself security system that was really secure. Most of them aren't secure at all, in fact. They're like a house with a lock on the front door and no door on the back door. They're also expensive to maintain, extra work to code and debug, and - well, I'm up to about 12 reasons why doing your own security system is just plain bad.
There's a login/security system that comes as part of the J2EE security standard, and it won't force people to log in multiple times. It's good enough "as is" for most applications, and there are some good pre-coded/pre-debugged security frameworks that can work with it if you need more.
Security is hard work. It's better to take advantage of someone else's hard work. Especially since the people who designed the J2EE standard security system were security professionals.
A lot of the modern-day software development platforms are designed to permit parcelling out work to those with the best aptitude for it. A lot of modern-day business is predicated on making one person do all the work, regardless of aptitude.
igor ivanovic
Hi Tim Holloway,
Thank you very much for your reply. Could you please list the names of those login/security systems and, if possible, some links about them?
You can find documentation on the basic J2EE container-managed security system in any decent book on J2EE that covers servlets and JSPs. Like I said, the majority of webapps don't need any more than that.
Really complex apps often use the Spring Framework for infrastructure, and Spring can enhance basic J2EE security using the Acegi security package. For details on that, visit the springframework.org website.