File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes JSF and the fly likes JSF Login Page and JAAS Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSF
Bookmark "JSF Login Page and JAAS" Watch "JSF Login Page and JAAS" New topic

JSF Login Page and JAAS

Markus Schmider
Ranch Hand

Joined: Feb 25, 2007
Posts: 116

if you want to use form-based authentication e.g

in web.xml

how would you code the login.html and error pages in JSF?

I have only found pure HTML examples for form-based authentication and in my JSF books say nothing about login and security.
Examples for login with JSF use custom beans.
But I think that should not be necessary and even redundant since an authenticated user is automatically propagated through the application.

Is JSF really so poorly integrated with JAAS?
Hebert Coelho
Ranch Hand

Joined: Jul 14, 2010
Posts: 754

JSF do not need a specfic JSF page to login by JAAS.

Check out these tutorials: ,

[] [Full WebApplication JSF EJB JPA JAAS with source code to download] One Table Per SubClass [Web/JSF]
Gert Jan Kruizinga

Joined: May 09, 2010
Posts: 16
The book "JAAS in Action" (you can get it at helped me a lot.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17410

The J2EE standard security system is Realm-independent. Whether you use JAAS, JDBC, LDAP or a custom Realm of your own, the web.xml settings and the login pages are unchanged. Only the webapp server itself knows or cares.

However, the login pages are not application pages (neither are a number of other pages defined in web.xml, such as error pages). Because these pages are presented by the server itself rather than by the webapp, they don't go through the normal processing channels. Specifically, they don't get routed through the FacesServlet, because these pages have no external URL. Without the FacesServlet, the JSF code and tags cannot function. Struts users have a similar problem.

For that reason, the login forms must be either straight HTML or simple (non-JSF) JSPs.

My login pages are very stark. The more functions and decorations you load a login page with, the greater is the likelihood that security will be compromised.

An IDE is no substitute for an Intelligent Developer.
I agree. Here's the link:
subject: JSF Login Page and JAAS
It's not a secret anymore!