Hello everyone, I have an issue that has been bugging me. It's with regards to loggin-in-security. I know there are other posts, but i cant find the answer that answers my question. When you create a web site using JSF and EJB( the managed beans or javabeans- cant really remember the difference at this point), how do you handle log in security. For example, when anyone logs in to this site he/she is asked for a username and password. Now, i have heard not to use your own "log in" when you create your own website. What i did, when i created the site using JSF, was to implement a logIn method, and this method called the 'select userName, Password from users' sql statement. If the sql statement found a match, it would return true, if not false. But, it seems this approach is wrong.
Now for my question, how would i go about it? If i dont implement my own logic- to call the database myself- how would i do it using EJB. I mean, dont you have to check the database to make sure the userName & passwords match? I assumed that i had to write the sql statement myself, but it seems i'm wrong. Please explain, i just want to learn.
Also, can people intercept the username and password when the user clicks log in? How does one prevent some else from intercepting this information?
immer alvarado wrote:Also, can people intercept the username and password when the user clicks log in? How does one prevent some else from intercepting this information?
Yes, data which is transmitted over a network can indeed be intercepted by other people. You can't prevent them from doing that, but if you want to prevent them from getting the user name and password, then the way to do that is to encrypt that information using SSL.
As for your main question, which I think is "How do I configure JSF to do container-managed authentication", let's move this post over to the JSF forum where it's more likely to get an answer.
When you use container-managed authentication and authorization, you do not code a login method. The container takes over login for you and uses a login method of its own. All you can do is supply the login and loginfail JSPs and indicate their resource paths in the web.xml file. That's true in both JSF and any other j2EE webapp that uses this system. EJB security is automatically included in the authorization process.
The container-managed security system operates via plug-in security modules, which can be swapped in and out without any changes to the webapp itself. If you want the userid/password to be authenticated against a database, you must use a database realm module. If you're using Tomcat, there are 2 such realms, one for general database access, one for JDBC. For best results, store the password in encrypted form in the database (there's a Realm configuration option for that).
The basic rules for all this are covered in most fundamental J2EE books. The one thing that JSF changes has to do with URLs. Since the primary guard mechanism for authorization is the incoming URL and JSF URLs don't track their corresponding resources as freely as most systems do, you need to put a "redirect" directive in JSF navigation operations that target secured URLs.
An IDE is no substitute for an Intelligent Developer.