Redirection after realm authentication

Stefan Ramirez
Greenhorn
Hello!

In my JSF2.0 web project I have a FORM-based login for Tomcat 7.0 REALM authentication.

My web.xml looks like this:


After a successful login admins should get to /admin/adminpanel.xhtml and users/experts should get to /user/userpanel.xhtml.

What would be the best way to accomplish this?

Thanks in advance!

Stefan Ramirez
Greenhorn
I probably need some kind of filter servlet ... therefore I seem to be in the wrong sub-forum.

Does one usually combine realm authentication with some kind of loginBean for session management?

Tim Holloway
Saloon Keeper
No, you don't have a "login bean", since the container doesn't formally notify the application when a user has logged in. The only way to detect a login is to monitor page requests and check the HttpRequest object. When the userName/userPrincipal values transition from null to not-null, a login has just occurred. This is usually best done in a Filter.

It sounds like you want to force the user to a "home page" after they login. I don't recommend that, since it's a royal pain to those of us who like to bookmark direct links into secured functions, but you can use the above-mentioned filter code to hijack the incoming URL and redirect the request.
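The filter described in the answer above, written out as an added example (this is not code from the thread or from Tomcat): a Servlet 3.0 Filter that watches `getUserPrincipal()` switch from null to non-null, remembers in the session that it has already seen that principal, and only on that first transition redirects to the role-specific panel named in the question. The role names `admin`, `user` and `expert` and the panel paths are taken from the question; the session attribute name is an assumption of this example.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Detects the moment container-managed (FORM/realm) authentication has just
 * completed and redirects the user exactly once to a role-specific panel.
 * Authorization itself stays with the container's security-constraints;
 * this filter never decides who may see what, it only picks a landing page.
 */
@WebFilter(filterName = "PostLoginRedirectFilter", urlPatterns = "/*")
public class PostLoginRedirectFilter implements Filter {

    // Assumed attribute name: records the principal we have already redirected.
    private static final String SEEN_ATTR = "postLoginRedirect.seenPrincipal";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Not authenticated (yet). The container still guards protected URLs,
            // so there is nothing for this filter to do on anonymous requests.
            chain.doFilter(req, res);
            return;
        }

        // After a container login Tomcat already holds a session for this user.
        HttpSession session = request.getSession();
        String seen = (String) session.getAttribute(SEEN_ATTR);
        if (principal.getName().equals(seen)) {
            // Same principal as before: no transition, so bookmarked deep links
            // into secured pages keep working instead of being forced "home".
            chain.doFilter(req, res);
            return;
        }

        // Transition null -> non-null (or a different principal): a login just happened.
        session.setAttribute(SEEN_ATTR, principal.getName());
        String target = panelFor(request);
        if (target == null
                || request.getRequestURI().equals(request.getContextPath() + target)) {
            // No mapped role, or the user already asked for the panel: serve the original URL.
            chain.doFilter(req, res);
            return;
        }
        response.sendRedirect(request.getContextPath() + target);
    }

    /** Maps the container roles from the question to panel URLs; null if none applies. */
    static String panelFor(HttpServletRequest request) {
        if (request.isUserInRole("admin")) {
            return "/admin/adminpanel.xhtml";
        }
        if (request.isUserInRole("user") || request.isUserInRole("expert")) {
            return "/user/userpanel.xhtml";
        }
        return null;
    }

    @Override
    public void destroy() { }
}
```

Because the filter keys on a change of principal rather than on every authenticated request, a second login as a different user in the same session (or a fresh session after logout) triggers the redirect again, while ordinary navigation and bookmarked links pass straight through to the container's normal authorization.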
 
Stefan Ramirez
Greenhorn
Thank you Mr. Holloway! Your answers are always spot on!

The main problem seems to be that I've chosen the wrong authentication system in the first place.

What I need is a role based user login and some kind of session management.
Correct me if I'm wrong but Tomcat REALM authentication seems more of a "protect some folders" system.

I wasn't even able to direct my visitors to a login and proceed. Tomcat wants me to request a protected URL and login afterwards.

Can somebody point me in the right direction for my needs?

Thanks in advance,
Stefan

 
Tim Holloway
Saloon Keeper
You're wrong.

It isn't really "Tomcat Realm" authentication, it's J2EE standard Container-managed authentication and authorization, to give it its full name. Tomcat is just one of many servers that implement the standard, although the actual Realms themselves are plug-ins that adhere to the common specs.

Although when I said "you're wrong" what I really meant wasn't that - that's just nitpicking. What I meant was that the system isn't a "folder protection system". In fact, it doesn't protect folders AT ALL! It works on URLs, and a URL level only corresponds to a filesystem folder when the server and application want it to. JSF developers get their noses rubbed in that pretty quickly, since the JSF URLs don't track the underlying resource paths as closely as non-JSF framework URLs generally do.

One of the greatest strengths of the container-managed system is that it cannot be bypassed by jumping around a login screen. If you attempt to access a protected URL, the container itself hijacks the request, presents the login screen, and processes it. If AND ONLY IF the login succeeded, the original request is rescheduled and passed to the app. So the application code is not vulnerable to non-authenticated users, since their attempts will never get anywhere near the application itself.

There are several reasons why Tomcat doesn't support setting up a "login home". One of which is because twerps like me often like to bookmark their way directly to commonly-used secured pages and would be really annoyed if we were instead forced to a "home page". Another is that in a single signon system, the user could have signed into a different application on a different server 3 days earlier, but because it's SSO, your app would not force a new, separate login - because it wouldn't be SINGLE signon then!

In short, J2EE is designed for on-demand security. If you want the user to have a login screen pushed in their face first thing, make the welcome page be secured. That will force the login screen to be presented followed by the home screen, assuming no one jumps to a direct URL. Or use Tomcat 7, where the latest JEE standard has added a "login" API call and put the login on a screen that invokes it.

Which brings me to a Best Practices recommendation. I like the JEE login. My apps may be friendly, but my security is not. I'm just fine with a stark plain login form with maybe a Doberman on it. I most definitely don't recommend putting menus and other bling on the login page no matter how you do it. At best, they won't work, since secured access is required, at worst they could possibly be used to bypass security. When using container-managed security it shouldn't be possible, but I prefer NOT to discover loopholes the hard way, myself.
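The Servlet 3.0 "login" API call mentioned above, as an added example that is not part of the thread or of Tomcat's own code: a plain servlet behind a stark login form (exactly the kind recommended, no menus) that authenticates against the context's configured Realm with `HttpServletRequest.login()` and then sends the user to the role panel from the question. The servlet path `/dologin`, the form field names and the `/login.xhtml` failure page are assumptions of this example; the servlet's own URL must be left outside any security-constraint, otherwise the container would demand a login before the request ever reached it.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Programmatic container login (Servlet 3.0 / Tomcat 7). The credentials are
 * checked by the Realm configured for this web application, not by this code.
 */
@WebServlet("/dologin") // assumed path; keep it unprotected in web.xml
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username"); // assumed form field names
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Discard any pre-login session so the authenticated state never lives
        // under a session id that was issued before authentication. Tomcat also
        // renews the id on authentication by default; doing it here makes the
        // session-fixation defence explicit rather than a server setting.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        try {
            // Validates against the Realm and associates the Principal with the
            // request and its (new) session. Throws if the credentials are wrong
            // or if a caller identity was already established.
            request.login(username, password);
        } catch (ServletException e) {
            // One generic failure answer: the client learns nothing about
            // whether the user name or the password was the wrong part.
            response.sendRedirect(request.getContextPath() + "/login.xhtml?failed=1");
            return;
        }

        // From here on getUserPrincipal()/isUserInRole() reflect the Realm's result.
        response.sendRedirect(request.getContextPath() + panelFor(request));
    }

    /** Role-to-panel mapping from the question; "/" for any other authenticated role. */
    static String panelFor(HttpServletRequest request) {
        if (request.isUserInRole("admin")) {
            return "/admin/adminpanel.xhtml";
        }
        if (request.isUserInRole("user") || request.isUserInRole("expert")) {
            return "/user/userpanel.xhtml";
        }
        return "/";
    }
}
```

Note that this only changes how the login screen is reached: the security-constraints in web.xml still guard `/admin/*` and `/user/*`, so a request that skips the form and goes straight to a panel is intercepted by the container exactly as described above.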
 