JSF2 + EJB3 + JPA to perform authentication and authorization.

Gaurav Pravin Dighe
Greenhorn

Joined: Jun 12, 2011
Posts: 23

Hi,

I am not able to execute the program... please help me.
I am new to JPA... I tried to use JPA instead of JDBC. If any changes are to be made somewhere, please let me know...

I want to give user authentication to a webform. I have my user details in derby database.

Used Netbeans as an IDE

Derby Database:
Table Name: Users
userid varchar(20) ---> primary key
password varchar(20) ---> not null

I created Netbeans - Enterprise Bean Project --> named HR_Management_System. It created 3 project files named:
  • HR_Management_System
  • HR_Management_System_ejb
  • HR_Management_System_war ---- I manually added JSF framework to it using properties

    I created entity bean class from table ---> functionality available in Netbeans…
    I manually created NamedQuery "User.authentication" with Query as "select us from User us where us.userid = :userid and us.password = :password"


    Then I created Stateless Session Bean without any interface - UserSessionBean
    I added below method in it



    Then I created JSF Managed Bean "UserMBean" and used "userMBean"
    I hardcoded it as


    I created Login page as:login.xhtml


    I designed the success.xhtml and failure.xhtml. I gave the navigation ….

    But when I try to run the application I get following error: ClassNotFound – ejb/UserSessionBean

    Regards,
    Gaurav Dighe
    H Jetly
    Ranch Hand

    Joined: Aug 26, 2010
    Posts: 41

    Can you give the complete code of the Session Bean and the Managed Bean? Like, I can see whether they are pointing to the same class?


    Harsh Jetly
    Tim Holloway
    Saloon Keeper

    Joined: Jun 25, 2001
    Posts: 15960
        

    It's a very, very bad idea to write your own authentication and authorization system. I've seen many such attempts over the years, including some in some (supposedly) very high-security shops, and none of them have been very secure at all. It's a lot safer to just use the J2EE standard container-based security system and save your labour for more productive pursuits. This is especially true in the case of EJB - EJB was designed with specific hooks into the container security system.

    Your actual cause of failure, however, is that you didn't include a package statement on your EJB java source.


    Customer surveys are for companies who didn't pay proper attention to begin with.
    Gaurav Pravin Dighe
    Greenhorn

    Joined: Jun 12, 2011
    Posts: 23

    Tim Holloway,

    Can you tell me how to get going with ContainerSecurity in JSF2 + GlassfishServer + Derby Database (bundled with Netbeans)... and also let me know how to maintain session and use it in shopping cart example after authenticating user against ContainerSecurity.

    Tim Holloway
    Saloon Keeper

    Joined: Jun 25, 2001
    Posts: 15960
        

    Container-managed security doesn't care about most of that stuff. Its primary method of operation is to block requests by unauthorized users to protected URLs so that they never reach application code. It also provides the get userId/getUserPrincipal HTTPServlet request methods, the isUserInRole method, and for EJBs, the ability to protect EJBs both via EJB deployment descriptors and by use of the isCallerInRole() method.

    The only thing JSF-specific is that since JSF doesn't always track URLs but the container security system controls using URLs, you have to use the "redirect" JSF navigation option to ensure that people can't use JSF insecure page commandLinks and commandButtons to connect to secured resources.

    I'm not an expert in GlassFish, but J2EE servers typically provide plug-in security managers called Realms. When you want to secure a webapp, you set up the basic security rules in web.xml, plus add any security-checking code you need in your application. Then you select a Realm that supports your account security repository (database, LDAP/Active Directory, Single-Signon, or whatever). The application doesn't care which Realm you selected, since they're all plug-replaceable. The details of the Realm itself and its configuration are server-specific, so you'll have to check the GlassFish docs.

    In JSF, sessions are often created long before someone actually accesses a secured URL, but once they do, the login mechanism will kick in and add the security context to the user's session context - and create the session, if no session existed. Doing a session.invalidate() will therefore log the user out in the usual way, although depending on where you go next, a new, insecure session may be created soon thereafter and the cycle will repeat as needed.

    Container security doesn't have any knowledge or interest in what database the webapp uses.

    As for examples, check any good book on JSPs and Servlets and you should find some information on setting up secured transport and container security. You'll typically also find examples of a DIY login in some other part of the book, but like I said, Do-it-Yourself security ... isn't.
    Gaurav Pravin Dighe
    Greenhorn

    Joined: Jun 12, 2011
    Posts: 23

    Tim Holloway,

    Thank you very much... I have heard about JDBC Realm but I am not finding any tutorial or example for it. I have J2EE Tutorial as well as Complete Reference to JSF2, but I couldn't get any.

    I will be very thankful if you let me know the link for JDBC Realm tutorial.

    Second concern I have is, as you said, Security only deals with authentication, authorization... so how to deal with session management after doing the same...

    Please explain me the same...

    It would be really very very helpful.
    Gabriel Vince
    Greenhorn

    Joined: Feb 05, 2009
    Posts: 24
    Hi,
    about the session management - you could annotate a bean (even a simple class) as a session scoped managed bean (@ManagedBean). At the first use the bean instance will bind to the user session. A shopping cart is a nice example of a session bean.
    Gaurav Pravin Dighe
    Greenhorn

    Joined: Jun 12, 2011
    Posts: 23

    Hi Gabriel Vince ,

    Can you fwd me the working example... or a link where I can learn from...


    Tim Holloway
    Saloon Keeper

    Joined: Jun 25, 2001
    Posts: 15960
        

    In JSF session management is mostly automatically done for you. Please note that since session-scope beans are much more necessary in JSF than they are in most frameworks, the user may fall under session management long before going under secured session management. Security is added to the session when the webapp container detects the need for a secure environment. Invalidating the session destroys both the data session and the security session, since they're both the same session - just with an added security context.

    You will not find documentation on Realms in general-purpose J2EE books, although most of them will have chapters on setting up secured webapps. That's because the Realm is part of the webapp server as an implementation of the J2EE security environment. The actual application security is server-independent, but the mechanism that enforces the security is not. So you'd have to read the manual on the webapp server itself. For example: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html



    Gabriel Vince
    Greenhorn

    Joined: Feb 05, 2009
    Posts: 24
    Hi, I believe the working example is included
    http://.lmgtfy.com/?q=JSF%20tutorial%20%40ManagedBean
    And I'd advise to download the 'complete JSF reference' pdf, it may help much in the topic. Please don't ask for a link, try to google it.
    G.
     