I'm having a problem.
I created a class "LoginCheckTimeOut.java" which implements the PhaseListener interface. I set the value for the session timeout in web.xml and registered the class in
faces-config.xml. When I use it and try to login, my page is getting refreshed by resetting all fields and not allowing me to login, but it's working for preventing direct access to the page URL, which was one of my needs.
Can anyone suggest where the problem could be and help me with "How to navigate to the login page in case of an invalid session?"
If you are using the J2EE standard security framework, the answer to your question about what to code is: Nothing.
That's because the standard container security framework will monitor all incoming URL requests, and if any attempt is made to access a secured URL, the server itself checks to see if the user is authenticated (logged in), and presents the login page, if he/she is not logged in. That is, in fact, one of the major strengths of the standard security framework. Most "Do It Yourself" security systems can be compromised by merely sidestepping the proper URL sequences.
Technically, the container doesn't "navigate to the login page". Instead, the login page is presented by the container (not the application) in place of the resource requested in the secured URL, and once the user is logged in, the original URL request proceeds transparently. Because the login page has no true URL of its own and is not handled by the application, but by the server, it must be a simple HTML or JSP page. Servlet-controlled pages (JSF, Struts, and so forth) cannot be used as login pages.
If you're attempting to invent your own login/security system, all bets are off. That's one of the disadvantages of DIY. There's no standard documented, debugged framework.
Another disadvantage of DIY security is that in something like 10 years of J2EE, I've yet to encounter one that's actually secure. Most, in fact, can be cracked by amateur hackers and kids in 5 minutes or less. The J2EE standard system, on the other hand, was designed and implemented by full-time security professionals and has had 10 years to be hardened.
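To make the container-managed approach described above concrete, here is an added example of the web.xml fragments involved; it is not code from the original thread. The URL pattern `/secure/*`, the role name `user`, the page names `/login.jsp` and `/loginError.jsp` and the 30-minute timeout are all assumed values for illustration.

```xml
<!-- Added example (not from the thread): container-managed FORM login in web.xml.
     Every value below (paths, role name, timeout) is an assumption for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Session timeout in minutes; the container invalidates idle sessions itself. -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

  <!-- Any request matching /secure/* is intercepted by the container before the
       application sees it, so a user cannot skip the login by typing a URL. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The login page is a plain JSP/HTML page served by the container, not a JSF view.
       It must post j_username and j_password to the action j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

The `/login.jsp` referenced here is just a form with two fields named `j_username` and `j_password` whose `action` is `j_security_check`; the container handles the post, validates the credentials against the realm configured on the server, and then replays the originally requested URL, which is the transparent behaviour described above. Note that `/login.jsp` itself must lie outside the protected URL pattern, otherwise the container would demand a login to show the login page.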
Thanks for the reply Tim,
At every request from the user, we are trying to validate whether the user is logged in or not by checking the user id in the session (which we are setting when the user is successfully authenticated). Is there a way where hackers can put the value in the session?
Also, can you please let me know why login pages should not be servlet-controlled pages?
Hackers can do anything if you have loopholes. That's one of the reasons why I'm so much a proponent of not inventing one's own login/security system. Unless you're a full-time security expert, you'll fail to close all the loopholes.
Actually, full-time security experts fail, too, but since they aren't distracted by things like actual application functionality, and since they're trained to know what to look for, they fail less often.
You cannot make a J2EE container-managed login page be servlet-driven for the reason I just outlined. The login page has no URL. It's simply a template file that's presented by the server itself, and the server's login process has just enough intelligence to process basic JSP functions. The login process is not part of the application; it's part of the server, so you can't use application logic in the login process.
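For readers who, like the original poster, still have a PhaseListener-based check in place, here is an added example (not code from the thread or from either poster) showing the two details that usually cause the "page keeps refreshing and resetting" symptom described in the first post: the listener must exempt the login view itself, and it must run after RESTORE_VIEW so the view id is known. The view id `/login.xhtml`, the navigation outcome `login`, the session attribute `userId` and the class name `SessionLoginCheck` are assumptions for illustration. The `onSuccessfulLogin` helper also shows the defensive step of discarding the pre-login session before storing the user id, so that a session id issued before authentication never becomes an authenticated one.

```java
// Added example, not from the thread. Names below are assumptions for illustration.
import javax.faces.application.NavigationHandler;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionLoginCheck implements PhaseListener {

    // Assumed view id of the login page; requests for it are never redirected,
    // otherwise the login form would be bounced back to itself on every submit.
    private static final String LOGIN_VIEW_ID = "/login.xhtml";

    // Assumed session attribute set only after successful authentication.
    private static final String USER_ID_KEY = "userId";

    // Assumed navigation outcome mapped to the login page in faces-config.xml.
    private static final String LOGIN_OUTCOME = "login";

    // Run after RESTORE_VIEW: the view root (and therefore the view id) exists by then.
    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;
    }

    public void beforePhase(PhaseEvent event) {
        // Nothing to do before the view is restored.
    }

    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (ctx.getViewRoot() == null) {
            return;
        }
        String viewId = ctx.getViewRoot().getViewId();
        if (LOGIN_VIEW_ID.equals(viewId)) {
            return; // the login page must stay reachable without a session
        }
        if (!isLoggedIn(ctx.getExternalContext())) {
            // Navigate to the login page and skip the remaining phases so that
            // no protected component tree is processed or rendered.
            NavigationHandler nav = ctx.getApplication().getNavigationHandler();
            nav.handleNavigation(ctx, null, LOGIN_OUTCOME);
            ctx.renderResponse();
        }
    }

    // getSession(false) never creates a session, so an expired or absent session
    // (for example after the web.xml session-timeout fires) is reported as logged out.
    static boolean isLoggedIn(ExternalContext ext) {
        HttpSession session = (HttpSession) ext.getSession(false);
        return session != null && session.getAttribute(USER_ID_KEY) != null;
    }

    // Called by the login action after credentials were verified (verification
    // itself is outside this example). The pre-login session is invalidated and a
    // fresh one created before the user id is stored, so no session id that
    // existed before authentication becomes an authenticated session.
    static void onSuccessfulLogin(HttpServletRequest request, String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(USER_ID_KEY, userId);
    }
}
```

Register the class under `<lifecycle><phase-listener>` in faces-config.xml as the original poster already does, and make sure the navigation rule for the `login` outcome carries `<redirect/>`, so the browser's address bar ends up on the login page rather than on the protected URL. Regarding the question whether an attacker can "put the value in the session": session attributes live only on the server and are never sent to the browser, so the realistic risk is not forging the attribute but reusing a session id, which is why the helper discards the pre-login session.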