File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes JSF and the fly likes Using SSL two way authentication (mutual authentication) in web app in JSF Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSF
Bookmark "Using SSL two way authentication (mutual authentication) in web app in JSF" Watch "Using SSL two way authentication (mutual authentication) in web app in JSF" New topic

Using SSL two way authentication (mutual authentication) in web app in JSF

yogessh chavaan

Joined: Apr 08, 2011
Posts: 13

Hello ,

I am developing a web application with JSF framework. In this application the users will be authenticated using the certificate . Could any one please guide to implement this authentication mechanism. Also i want to identify who the user is . I will be using weblogic 10.3.3 and jdk 6. i browsed the net and found nothing more than using CLIENT-CERT in web.xml and the SSL configuration for weblogic. What i want to know exactly is , all the configuration and the code to be implemented in the web app.
1) how the user will be authenticated by the webapp.
2)get the identification (like the name) of the user.

What java packages will be needed to implement this ?

Thanks in advance.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17417

There's nothing JSF specific to this. If you are using JEE's standard security framework (supplied with WebLogic), everything is done by WebLogic. You have to configure a security Realm in the WebLogic server, bind it to the webapp(s) that will be secured by it, and include the certificate information in the WebLogic secure transport configuration. So it's mostly questions you need to ask in the WebLogic forum - although WebLogic was pretty good in documenting those processes.

When using container-managed security with form-based login, you design a basic HTML or JSP login form in 2 almost-identical parts. The login form is the page that WebLogic (NOT the webapp!) will present when a user makes a request to a secured URL as mapped in the webapp's web.xml file and the user is not already logged in. If the login fails, then WebLogic will present the loginfail page repeatedly until the user either logs in or gives up and goes away. My loginfail page usually is a clone of the login page, but with the added caption "Login Failed!".

There is no application login code and the application does not get notified when the user logs in (this may have been done in some other app in the webapp's security Realm or via Single Signon, Windows Login, or some other place remote in time and logic). You can always tell when you are logged in, however, since the HttpServletRequest getUserPrincipal() and getRemoteUser() methods return null until the user has logged in. The getRemoteUser() method returns the userID, which is also stored in the UserPrincipal object. Because the code to get the userID (and to test user security role authorization) is particularly ugly in JSF, I keep a separate utility class to hold it. That allows me to use simpler, more abstract code in the application logic itself. It also allows me to swap in a testing security module for offline (unit) testing.

JEE container security is primarily about limiting access to secured URLs. If the user fails in authentication or authorization, the user never even gets to application logic and therefore cannot exploit it. So actual security code within the webapp is usually minimal.

An IDE is no substitute for an Intelligent Developer.
I agree. Here's the link:
subject: Using SSL two way authentication (mutual authentication) in web app in JSF
It's not a secret anymore!