application security vs container managed security and access to session object in bean

Dom McMillan
Greenhorn

Joined: Jul 26, 2011
Posts: 8
Hello,

For application-managed authentication I use a Derby database. In the UserBean the logout() method is called in case the user logs out. However, in the first code sample the session object is always null. If the declaration and definition of the variables facesContext and session are included inside the logout() method, then it works (code sample 2)!? Shouldn't the session object be initialized only once and then stay the same for the duration of the session? Why is that?

Code sample 1:


Code sample 2:


Would the given logout() method be a good example (application-managed authentication) of executing a logout, or did I miss something? Will the server make the client delete the cookie (on the client), or will the server just destroy the session object related to that specific client? How can I test the correct behaviour (e.g. check whether the correct object is being deleted)?

For container-managed authentication, would a logout method look the same as above?

Hints / questions on any of these questions are much appreciated, since I cannot find answers in the literature.

Regards,

Dom
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15632
    
  15

Welcome to the JavaRanch, Dom!

I could actually try and comprehend your question, but that's too much work too early in the morning. So I'll make some general observations and see if they fit.

In J2EE, there's a bit of a blur between a container-managed security session and HttpSession. I think that starting in JEE, they've begun to make more of a distinction, but that's another matter.

In any event, in J2EE, the way to log out of a container-managed security session is to invoke session.invalidate(), as your examples do.

But sessions are more than just security. You MUST have (will be supplied with) an HttpSession when you're logged in with CMS, but you CAN have an HttpSession without being logged in!

JSF tends to confuse the issue. If a JSF process logs out via session.invalidate(), the security session will be destroyed, as will any session data attributes such as session-scope backing beans. But JSF uses HttpSession more frequently than other frameworks. For example, if you display a post-logout screen that references a session-scope backing bean, a NEW session will be created to contain it. This new session won't (yet) be secured - unless the post-logout screen is secured - and it won't have any of the previously-discarded session objects in it, but it will contain the new session objects.


Customer surveys are for companies who didn't pay proper attention to begin with.
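The following is an added example, not code from Dom's post (whose two code samples did not survive on this page) or from Tim's reply. It puts into one bean the points raised in the thread: FacesContext is only valid for the current request, so the context and session are looked up inside logout() instead of being cached in a field when the bean is built; session.invalidate() destroys the server-side session and everything stored in it (including this bean) but does not delete the client's cookie, which merely stops mapping to anything; the post-logout redirect targets a page that references no session-scoped bean, so JSF has no reason to create a fresh session while rendering; and a container-managed variant adds HttpServletRequest.logout() (Servlet 3.0) before the invalidate. The HttpSessionListener at the end is one way to verify which session actually gets destroyed. The bean name UserBean comes from the post; the page name loggedout.xhtml and the listener class are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@ManagedBean
@SessionScoped
public class UserBean {

    private String username; // set by the application-managed login action

    // Application-managed logout. FacesContext is bound to the current
    // request only, so it is fetched here on every call rather than stored
    // in a field at construction time (a cached instance would be stale or
    // null once the constructing request has ended).
    public String logout() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();

        // getSession(false) never creates a session; null means there is
        // nothing to invalidate.
        HttpSession session = (HttpSession) ext.getSession(false);
        if (session != null) {
            // Destroys the server-side session and all of its attributes,
            // including this bean. The browser keeps its JSESSIONID cookie,
            // but that id no longer resolves to anything on the server.
            session.invalidate();
        }

        // Redirect to a page that references no session-scoped bean (an
        // assumed page name); otherwise JSF would create a new, empty,
        // unauthenticated session just to hold that bean during rendering.
        ext.redirect(ext.getRequestContextPath() + "/loggedout.xhtml");
        ctx.responseComplete();
        return null;
    }

    // Container-managed variant: ask the container to drop the
    // authenticated principal first (Servlet 3.0+), then invalidate the
    // HttpSession exactly as above.
    public String containerLogout() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ext.getRequest();
        try {
            request.logout();
        } catch (ServletException e) {
            throw new IOException("container logout failed", e);
        }
        HttpSession session = (HttpSession) ext.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        ext.redirect(ext.getRequestContextPath() + "/loggedout.xhtml");
        ctx.responseComplete();
        return null;
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
}

// Assumed helper for checking the behaviour: the container calls
// sessionDestroyed() synchronously from invalidate() (and on timeout), so the
// logged id can be compared with the JSESSIONID of the client that logged out.
@WebListener
class SessionAudit implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SessionAudit.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        LOG.info("session created: " + se.getSession().getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        LOG.info("session destroyed: " + se.getSession().getId());
    }
}
```

To check the logout from the outside, note the JSESSIONID the browser sends before clicking logout, compare it with the "session destroyed" log line, and then confirm that a request carrying the old id is treated as a new visitor (a new "session created" line with a different id) rather than as the logged-out user.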
Dom McMillan
Greenhorn

Joined: Jul 26, 2011
Posts: 8
Thanks for the welcome and your answer, Tim!

Since I already opened another thread with a more specific question, may I close this thread and link to the other? I will then include my questions there.

Here we go: http://www.coderanch.com/t/547156/JSF/java/After-logout-JSF-relogin-withtout
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15632
    
  15

I'll close and lock this one for you.