Authentication in JSF

 
Ranch Hand
Posts: 30
Can someone point me to design patterns for user authentication in JSF?
 
Ranch Hand
Posts: 211
I am wondering, and I might be wrong, why user authentication would be any different in JSF w.r.t. design patterns.

Care to shed some light J
 
J Gupta
Ranch Hand
Posts: 30
Rahul, thanks for asking.
If I were implementing Front Controller I could have added a Filter for authentication; I was wondering if there is a standard practice for separating the authentication concern in your design.
 
Rahul Mishra
Ranch Hand
Posts: 211
Well, that was my point exactly... a concern like authentication does not change whether you use JSF/Struts/anything else, and hence the fact that I conceptualize it as a 'Front Controller' does not change...

The way I realize a front controller might change based on the capabilities of the framework and the platform, but that still doesn't change that my intent is to intercept all requests and ensure that they belong to an authenticated user.

My point being: the design pattern does not change; the realization of it might...


 
Ranch Hand
Posts: 33
Placing your authentication as well as authorization logic in a Servlet filter could be an option, in case you don't want to use the declarative security provided by the container. You get looser coupling between the functionality defined by your application and the container. In this scenario, however, you will have to implement the authentication logic yourself; you can also use any of the security frameworks available "out there", e.g. JAAS, Spring Security, you name it.

With regard to security patterns I would advise you to have a look at the book "Core Security Patterns", which describes, for example, the Authentication Enforcer (if I am not mistaken) design pattern.

As a result, a possible scenario could be to define a servlet filter, which will delegate to your authentication enforcer, which, in turn, will either perform the authentication itself, by calling a DB for example, or will delegate to the security framework you choose to use, e.g. JAAS.

Hope it helps,
Janis
 
Ranch Hand
Posts: 51
Hi All,

I read somewhere that, with a security filter, the security principal will not be propagated to the EJB container. I'm not sure whether it is still true or not!

How about form-based authentication over SSL for authentication & authorization, and a security filter for additional security features like handling XSS attacks etc.?

Do you see any problem in this approach?

Best regards,
Sri.
 
Janis Kazakovs
Ranch Hand
Posts: 33
As far as I know, propagation of the security context should be supported by web and application servers. As soon as you have established the user's identity on the presentation tier it should be propagated to the business tier. You can configure your servers to use transport layer security in order to meet confidentiality requirements.

If you do not use the declarative security provided to you out of the box by the web container and implement authentication in, for example, a servlet filter by means of JAAS, you will have to do some manual work, such as implementing a LoginModule and configuring a JAAS Realm on your server. As soon as you have made all the necessary steps, on authentication of a request JAAS will check the user's credentials and will establish the user's identity, represented by the java.security.Principal class. Since you implement the authentication manually, from your filter, you will have to store the Principal instance in the session and refer to it on every request.

Janis
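The following is an added example, not code from the thread or from any framework, showing the arrangement Janis describes in his two posts: a servlet filter mapped to `/*` that reuses a `java.security.Principal` stored in the session and, on a login form submission, delegates the credential check to an "authentication enforcer" object, here backed by JAAS (`LoginContext` plus whatever `LoginModule` the server's realm configures). The `AuthenticationEnforcer` interface and its name, the `AppRealm` login-configuration entry, the `/j_login` form action, the `app.principal` session key and the `/login.xhtml` and `/home.xhtml` pages are all assumptions made for the example. It targets the `javax.servlet` / `javax.security.auth` APIs of the JSF 1.x/2.x era and needs Java 8 for the lambda.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical "authentication enforcer": verifies credentials, returns the identity or null. */
interface AuthenticationEnforcer {
    Principal authenticate(String username, char[] password);
}

/** Enforcer backed by JAAS; assumes a login configuration entry named "AppRealm" on the server. */
class JaasAuthenticationEnforcer implements AuthenticationEnforcer {
    public Principal authenticate(String username, char[] password) {
        try {
            // The CallbackHandler hands the submitted credentials to the configured LoginModule(s).
            LoginContext lc = new LoginContext("AppRealm", callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(username);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            });
            lc.login();                                   // throws LoginException on bad credentials
            return lc.getSubject().getPrincipals().stream().findFirst().orElse(null);
        } catch (LoginException e) {
            return null;                                  // no identity established
        } finally {
            Arrays.fill(password, '\0');                  // do not keep the secret in memory
        }
    }
}

/** Front-controller style filter: every request passes through here (map it to /* in web.xml). */
public class AuthenticationFilter implements Filter {
    static final String PRINCIPAL_KEY = "app.principal";    // session attribute holding the Principal
    private final AuthenticationEnforcer enforcer = new JaasAuthenticationEnforcer();

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        String path = request.getServletPath();

        // 1. Already authenticated: the Principal stored at login is reused on every request.
        if (session != null && session.getAttribute(PRINCIPAL_KEY) instanceof Principal) {
            chain.doFilter(req, res);
            return;
        }

        // 2. Login form submission: delegate the credential check to the enforcer.
        if ("/j_login".equals(path) && "POST".equalsIgnoreCase(request.getMethod())) {
            String user = request.getParameter("username");
            String pass = request.getParameter("password");
            Principal p = (user != null && pass != null)
                    ? enforcer.authenticate(user, pass.toCharArray()) : null;
            if (p != null) {
                // Discard the pre-login session so a session id fixed before login is not upgraded.
                if (session != null) session.invalidate();
                request.getSession(true).setAttribute(PRINCIPAL_KEY, p);
                response.sendRedirect(request.getContextPath() + "/home.xhtml");
                return;
            }
        }

        // 3. Not authenticated: let only the login page through, send everything else to it.
        if (path.startsWith("/login")) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
        }
    }
}
```

Two practical notes. `getServletPath()` is the whole path only with an extension mapping for the Faces servlet (`*.xhtml`); with a prefix mapping such as `/faces/*` you must also look at `getPathInfo()`. And because the filter checks the session itself, the container's `request.getUserPrincipal()` and `isUserInRole()` stay empty, which is exactly the propagation gap Sri asked about: anything downstream (EJBs included) that relies on the container's security context will not see this identity unless the application hands it on explicitly.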
 
Janis Kazakovs
Ranch Hand
Posts: 33
Btw, in case of JSF, an action listener could be an alternative to servlet filter to perform authentication.
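As an added example (not code from the thread or from the JSF project) of the action-listener alternative: a JSF `ActionListener` that decorates the default one and refuses to run any command action unless an authenticated `Principal` is in the session. The `app.principal` session key, the `/login.xhtml` view id and the `login` navigation outcome are assumptions for the example; registering it in `faces-config.xml` under `<application><action-listener>` makes JSF construct it with the previously registered listener as constructor argument.

```java
import java.security.Principal;
import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

/** Decorates the default JSF ActionListener with an authentication check. */
public class AuthenticatingActionListener implements ActionListener {
    private static final String PRINCIPAL_KEY = "app.principal"; // session key set at login (assumed)
    private static final String LOGIN_VIEW = "/login.xhtml";     // the one view whose actions may run
    private final ActionListener delegate;                       // JSF passes the default listener here

    public AuthenticatingActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        Object principal = ctx.getExternalContext().getSessionMap().get(PRINCIPAL_KEY);
        boolean onLoginView = LOGIN_VIEW.equals(ctx.getViewRoot().getViewId());

        // Authenticated, or the login form itself: run the real action.
        if (principal instanceof Principal || onLoginView) {
            delegate.processAction(event);
            return;
        }

        // Not authenticated: navigate to the login view and abort the action (and its side effects).
        NavigationHandler nav = ctx.getApplication().getNavigationHandler();
        nav.handleNavigation(ctx, null, "login");   // "login" is an assumed navigation outcome
        ctx.renderResponse();
        throw new AbortProcessingException("action invoked without an authenticated principal");
    }
}
```

The caveat worth keeping in mind: an action listener only fires when a command component (button or link) is activated, so it guards actions, not pages. A plain GET of a protected view never goes through it, which is why a filter or the container's declarative security still has to sit in front as the request-level guard; the listener is a second layer for the action phase, not a replacement.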
 
J Gupta
Ranch Hand
Posts: 30
Janis Kazakovs wrote: Btw, in case of JSF, an action listener could be an alternative to servlet filter to perform authentication.

Right off the bat, that's what I was looking for

Thanks a lot, I wish you a happy new year
 