This week's giveaway is in the Android forum.
We're giving away four copies of Android Security Essentials Live Lessons and have Godfrey Nolan on-line!
See this thread for details.
The moose likes JSF and the fly likes JSF Login Page and JAAS Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Java » JSF
Bookmark "JSF Login Page and JAAS" Watch "JSF Login Page and JAAS" New topic

JSF Login Page and JAAS

Markus Schmider
Ranch Hand

Joined: Feb 25, 2007
Posts: 100

if you want to use form-based authentication e.g

in web.xml

how would you code the login.html and error pages in JSF?

I have only found pure HTML examples for form-based authentication and in my JSF books say nothing about login and security.
Examples for login with JSF use custom beans.
But I think that should not be necessary and even redundant since an authenticated user is automatically propagated through the application.

Is JSF really so poorly integrated with JAAS?
Hebert Coelho
Ranch Hand

Joined: Jul 14, 2010
Posts: 754

JSF do not need a specfic JSF page to login by JAAS.

Check out these tutorials: ,

[] [Full WebApplication JSF EJB JPA JAAS with source code to download] One Table Per SubClass [Web/JSF]
Gert Jan Kruizinga

Joined: May 09, 2010
Posts: 16
The book "JAAS in Action" (you can get it at helped me a lot.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15959

The J2EE standard security system is Realm-independent. Whether you use JAAS, JDBC, LDAP or a custom Realm of your own, the web.xml settings and the login pages are unchanged. Only the webapp server itself knows or cares.

However, the login pages are not application pages (neither are a number of other pages defined in web.xml, such as error pages). Because these pages are presented by the server itself rather than by the webapp, they don't go through the normal processing channels. Specifically, they don't get routed through the FacesServlet, because these pages have no external URL. Without the FacesServlet, the JSF code and tags cannot function. Struts users have a similar problem.

For that reason, the login forms must be either straight HTML or simple (non-JSF) JSPs.

My login pages are very stark. The more functions and decorations you load a login page with, the greater is the likelihood that security will be compromised.

Customer surveys are for companies who didn't pay proper attention to begin with.
It is sorta covered in the JavaRanch Style Guide.
subject: JSF Login Page and JAAS
Similar Threads
login authentication
j_security_check 404 error
FORM atuthentication question
Form-based Security
Unable to get Authentication popup window