I am not able to execute the program....please help me.....
I am new to JPA.....I tried to use JPA instead of JDBC. If any changes need to be made somewhere, please let me know...
I want to give user authentication to a webform. I have my user details in derby database.
Used Netbeans as an IDE
Table Name: Users
userid varchar(20) --->primary key
password varchar(20) ---> not null
I created Netbeans - Enterprise Bean Project --> named HR_Management_System. It created 3 project files named:
HR_Management_System_war ----I manually added JSF framework to it using properties
I created entity bean class from table ---> functionality available in Netbeans…
I manually created NamedQuery "User.authentication" with Query as "select us from User us where us.userid = :userid and us.password = :password"
Then I created Stateless Session Bean without any interface - UserSessionBean
I added below method in it
Then I created JSF Managed Bean "UserMBean" and used "userMBean"
I hardcoded it as
I created Login page as: login.xhtml
I designed the success.xhtml and failure.xhtml. I gave the navigation ….
But when I try to run the application I get following error: ClassNotFound – ejb/UserSessionBean
It's a very, very bad idea to write your own authentication and authorization system. I've seen many such attempts over the years, including some in some (supposedly) very high-security shops, and none of them have been very secure at all. It's a lot safer to just use the J2EE standard container-based security system and save your labour for more productive pursuits. This is especially true in the case of EJB - EJB was designed with specific hooks into the container security system.
Your actual cause of failure, however, is that you didn't include a package statement on your EJB java source.
An IDE is no substitute for an Intelligent Developer.
Can you tell me how to get going with ContainerSecurity in JSF2 + GlassfishServer + Derby Database (bundled with Netbeans)....and also let me know how to maintain session and use it in shopping cart example after authenticating user against ContainerSecurity.
Container-managed security doesn't care about most of that stuff. Its primary method of operation is to block requests by unauthorized users to protected URLs so that they never reach application code. It also provides the get userId/getUserPrincipal HTTPServlet request methods, the isUserInRole method, and for EJBs, the ability to protect EJBs both via EJB deployment descriptors and by use of the isCallerInRole() method.
The only thing JSF-specific is that since JSF doesn't always track URLs but the container security system controls using URLs, you have to use the "redirect" JSF navigation option to ensure that people can't use JSF insecure page commandLinks and commandButtons to connect to secured resources.
I'm not an expert in GlassFish, but J2EE servers typically provide plug-in security managers called Realms. When you want to secure a webapp, you set up the basic security rules in web.xml, plus add any security-checking code you need in your application. Then you select a Realm that supports your account security repository (database, LDAP/Active Directory, Single-Signon, or whatever). The application doesn't care which Realm you selected, since they're all plug-replaceable. The details of the Realm itself and its configuration are server-specific, so you'll have to check the GlassFish docs.
In JSF, sessions are often created long before someone actually accesses a secured URL, but once they do, the login mechanism will kick in and add the security context to the user's session context - and create the session, if no session existed. Doing a session.invalidate() will therefore log the user out in the usual way, although depending on where you go next, a new, insecure session may be created soon thereafter and the cycle will repeat as needed.
Container security doesn't have any knowledge or interest in what database the webapp uses.
As for examples, check any good book on JSPs and Servlets and you should find some information on setting up secured transport and container security. You'll typically also find examples of a DIY login in some other part of the book, but like I said, Do-it-Yourself security ... isn't.
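The setup described in the reply above (URL-based protection declared in web.xml, a server-side Realm, and a JSF redirect into the protected area), sketched as an added example that is not from the thread's participants. The `/secure/*` path, the `employee` role, the `hrRealm` realm name, and the `index.xhtml`/`cart.xhtml` views are assumptions for illustration; `login.xhtml` and `failure.xhtml` are the pages named in the question, assumed here to be served at the context root.

```xml
<!-- WEB-INF/web.xml (fragment; goes inside <web-app>). Added example.
     Assumed names: /secure/*, role "employee", realm "hrRealm". -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
    <!-- No <http-method> elements: the constraint covers every method. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>employee</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Forces HTTPS for the protected pages. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <!-- Must match a Realm configured on the server (server-specific). -->
  <realm-name>hrRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.xhtml</form-login-page>
    <form-error-page>/failure.xhtml</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>employee</role-name>
</security-role>

<!-- WEB-INF/faces-config.xml (fragment; goes inside <faces-config>).
     <redirect/> makes the browser issue a new request for the secured
     URL, so the container's URL check is applied to it. -->
<navigation-rule>
  <from-view-id>/index.xhtml</from-view-id>
  <navigation-case>
    <from-outcome>cart</from-outcome>
    <to-view-id>/secure/cart.xhtml</to-view-id>
    <redirect/>
  </navigation-case>
</navigation-rule>
```

With FORM authentication the login page posts the `j_username` and `j_password` fields to `j_security_check`, which the container handles itself; the Realm definition and the mapping of its groups to the `employee` role are configured on the server side.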
About the session management - you could annotate a bean (even a simple class) as a session scoped managed bean (@ManagedBean). At the first use the bean instance will bind to the user session. A shopping cart is a nice example of a session bean..
In JSF session management is mostly automatically done for you. Please note that since session-scope beans are much more necessary in JSF than they are in most frameworks, the user may fall under session management long before going under secured session management. Security is added to the session when the webapp container detects the need for a secure environment. Invalidating the session destroys both the data session and the security session, since they're both the same session - just with an added security context.
You will not find documentation on Realms in general-purpose J2EE books, although most of them will have chapters on setting up secured webapps. That's because the Realm is part of the webapp server as an implementation of the J2EE security environment. The actual application security is server-independent, but the mechanism that enforces the security is not. So you'd have to read the manual on the webapp server itself. For example: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html