JSF 2.0 Simple login page
Solution 1
You could use the HttpServletRequest API introduced in Servlet 3.0:
    /**
     * Performs authentication via HttpServletRequest API
     */
    public String login(String username, String password) throws IOException {
        try {
            // Servlet 3.0: authenticates against the realm configured in the container
            getRequest().login(username, password);
            this.user = userDao.find(username);
        } catch (ServletException e) {
            // Thrown when the credentials are rejected or the request is already authenticated
            JsfUtil.addErrorMessage(JsfUtil.getStringResource("loginFailed"));
            return null;
        }
        return "/index?faces-redirect=true";
    }

    public String logout() throws ServletException {
        this.user = null;
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        if (isAuthenticated()) {
            getRequest().logout();
        }
        return "logout";
    }

    public boolean isAuthenticated() {
        return getRequest().getUserPrincipal() != null;
    }

    public static HttpServletRequest getRequest() {
        Object request = FacesContext.getCurrentInstance().getExternalContext().getRequest();
        return request instanceof HttpServletRequest
                ? (HttpServletRequest) request : null;
    }
Solution 2
You can use j_security_check. All you do is post to it, and it will handle authentication based on the realm you've defined, and the application-specific configuration in your web.xml.
Depending on your app server, there is an additional step of linking the defined role (app-specific) to a group (realm-specific).
Here is a typical configuration:
    <servlet>
        <servlet-name>Login</servlet-name>
        <servlet-class>com.example.Login</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Login</servlet-name>
        <url-pattern>/Login</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>Error</servlet-name>
        <servlet-class>com.example.Error</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Error</servlet-name>
        <url-pattern>/Error</url-pattern>
    </servlet-mapping>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>example.com</realm-name>
        <form-login-config>
            <form-login-page>/Login</form-login-page>
            <form-error-page>/Error</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>arbitraryRoleName</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All Pages</web-resource-name>
            <url-pattern>/index.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>arbitraryRoleName</role-name>
        </auth-constraint>
    </security-constraint>
Note the security-role. This still needs to be linked to a group, or whatever you are defining to differentiate users that can use a page from users who can't.
grem
Updated on June 04, 2022
Comments
-
grem almost 2 years
I need to restrict the access to a part of the application. In order to access that part, the user needs to log in. I have a table in my database called User, with usernames and hashed passwords, and a login form that consists of two inputs and a submit. However, I don't know which classes/methods I should use to log in the user (I assume that there is support for this functionality in JSF). Also, as far as I know, I need to edit my web.xml to support the authentication. Could someone propose a typical solution and the general steps that I need to take in order to get that functionality (links and tutorials of value greatly appreciated)?
I also wonder how I can limit the access to another page if the person is not logged in, so that when the user types in the direct link to a page, he will be redirected to a main login page.
Thanks in advance for any help. Grem.
-
grem over 13 years
Thanks a lot, Zack. Is there no other way but to use j_security_check? I know that there is a class with login and logout methods which I could use but don't remember the name of it.
-
BalusC almost 13 years
This is not part of JSF 2. This is part of Servlet 3.0. So this works only when running JSF 1.x/2.x/whatever on Tomcat 7, Glassfish 3, JBoss AS 6, etc. or newer.
-
Theo almost 13 years
@BalusC thanks for pointing that out. I adapted the answer accordingly.
-
Tioma over 12 years
Do you have a solution for Servlet 2.5? I use JBoss 5.1, which uses Java 5, so I can't use it. Please, it would be great if you have any suggestion.
-
Theo over 12 years
You can use form based authentication using j_security_check.