
Single Sign On with JSF

 
Andus Chan
Greenhorn
Posts: 7
I'm developing a JSF Tomcat web application and want to integrate it with the domain server (Novell). My web app can validate certain specified User IDs using Single Sign On (SSO), if they don't go through the normal Login form.

After searching the internet for code about SSO in JSF, I cannot find any results.

In JSP, I think I can use getHeader or getParameter in a scriptlet to get the User ID (passed in the HTTP header). But how can I code it in JSF, and test it with a dummy page to simulate the real environment?

Thanks!
 
Tim Holloway
Bartender
Posts: 18414
Welcome to the JavaRanch, Chandus!

As long as your app uses the standard J2EE container-managed security system, SSO is fairly easy. Since container-managed security is externally imposed, there's no special application logic needed. It's all done by selecting a suitable SSO security Realm as part of your application deployment description.

Getting the userId is not hard, but you have to chase down the FacesContext and into several intermediaries in order to get the HTTPServletRequest object that contains it. I normally define a special utility class that implements a "getUserId()" method so I don't have to clutter up my backing beans with a lot of unsightly JSF-specific code.

The one thing that's different about security with JSF is that JSF doesn't always have the "right" URL. This can be a problem, since the container security system's front-line defense is based on the incoming URL, not on objects within the app. In order to ensure that security is applied correctly, add the <redirect/> element to your navigation rules when dispatching to a protected View.
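An added example of the utility class described above (not code from the thread or from Tim): it walks from the FacesContext through the ExternalContext to the container-authenticated user, so backing beans never touch servlet types. The class and method names are this example's own choice.

```java
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

/**
 * Hides the FacesContext plumbing needed to reach the user ID that the
 * container's security Realm established. Example class, not from the thread.
 */
public final class SecurityUtil {

    private SecurityUtil() { }

    /**
     * Returns the authenticated user ID, or null when the current request has
     * not been authenticated by the container (no SSO session, no form login).
     */
    public static String getUserId() {
        FacesContext fc = FacesContext.getCurrentInstance();
        if (fc == null) {
            return null; // called outside a JSF request
        }
        ExternalContext ec = fc.getExternalContext();
        // ExternalContext.getRemoteUser() delegates to HttpServletRequest.getRemoteUser(),
        // which the Realm fills in after authentication. Trust this, not a client-supplied
        // header: any header can be forged unless a trusted front end strips it.
        String userId = ec.getRemoteUser();
        if (userId == null) {
            // Same information via the raw request, the route Tim describes.
            Object req = ec.getRequest();
            if (req instanceof HttpServletRequest) {
                HttpServletRequest httpReq = (HttpServletRequest) req;
                if (httpReq.getUserPrincipal() != null) {
                    userId = httpReq.getUserPrincipal().getName();
                }
            }
        }
        return userId;
    }

    /** True when the container has placed the authenticated user in the given role. */
    public static boolean isUserInRole(String role) {
        FacesContext fc = FacesContext.getCurrentInstance();
        return fc != null && fc.getExternalContext().isUserInRole(role);
    }
}
```

A backing bean then calls SecurityUtil.getUserId() and treats null as "not logged in", leaving the actual authentication to the Realm configured in the deployment descriptor.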
 
Andus Chan
Greenhorn
Posts: 7
Currently I still don't understand the Realm after reading many documents. To create a simple login page using either SSO or Form Authentication, I'm not sure whether I'm correct or not.

I may write a function to validate the header's User ID using a backing bean. If it is found in the database, the page will be redirected to the restricted home page; otherwise, to the normal login page.

But how can this background function be executed automatically when the user goes to access the initial page, e.g. index.xhtml?
 
Dieter Quickfend
Bartender
Posts: 543
ServletRequestListener?
 
Andus Chan
Greenhorn
Posts: 7
Dieter Quickfend wrote: ServletRequestListener?

After checking the User ID, whether successful or failed, how do I redirect to the corresponding JSF page in this class?
 
Dieter Quickfend
Bartender
Posts: 543
Successful does nothing and the request completes; failed gets the request dispatcher from the event and forwards to an error/index page.

Still, especially with JSF I'd recommend doing it declaratively. JSF tends to be quirky when you go manual on it.
 
Tim Holloway
Bartender
Posts: 18414
Rule #1 in SSO: your app may not be the one that actually initiated the login, because, by definition, some other secured app may have been the one logged into - it's SINGLE signon!

Therefore you cannot assume that your app will be able to do post-login processing, since login might have actually happened hours ago on some other app and even on some other server.

This is one of the reasons why J2EE doesn't have a listenable "login" event. In container-managed security, the authentication (login) process is supposed to be totally transparent. Login is done on the first access to any secured URL, or not at all if no secured URLs are requested.

I don't particularly like being forced to a "home page" post-login myself anyway, since I have bookmarkable URLs for fast direct access to frequently-used functions within apps. But that's a personal preference.

While there's no official API for handling logins, there is a simple way of determining that a user has transitioned from insecure to secure modes. Keep a session variable that holds the user ID. Check incoming requests to see if the user ID has transitioned from NULL to NOT NULL. When the transition has occurred, the user has logged in. You can't actually tell that they logged into your particular app because the container doesn't actually log users into apps, it logs them into the Realm, but they have definitely done an SSO login.

You can maintain this mechanism in a servlet listener and the code required is quite simple.
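An added example (not code from the thread) of the servlet listener Tim describes: it keeps the last-seen user ID in the session and treats the NULL to NOT NULL transition of getRemoteUser() as the login signal. The listener class, the session attribute name and the onLogin hook are this example's own assumptions.

```java
import java.util.logging.Logger;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Detects the moment a session goes from unauthenticated to authenticated, the
 * closest thing container-managed security offers to a "login event".
 * Register it in web.xml with a <listener> element. Example, not from the thread.
 */
public class LoginTransitionListener implements ServletRequestListener {
    private static final Logger LOG = Logger.getLogger(LoginTransitionListener.class.getName());
    /** Session attribute holding the user ID seen on earlier requests; the name is our choice. */
    static final String USER_ID_ATTR = "sso.lastSeenUserId";

    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        if (!(sre.getServletRequest() instanceof HttpServletRequest)) {
            return;
        }
        HttpServletRequest request = (HttpServletRequest) sre.getServletRequest();
        // getRemoteUser() is filled in by the Realm and is null until the container has
        // authenticated the caller, no matter which app or server triggered the login.
        String current = request.getRemoteUser();
        if (current == null) {
            return; // still unauthenticated, nothing to record
        }
        HttpSession session = request.getSession(true);
        String previous = (String) session.getAttribute(USER_ID_ATTR);
        if (previous == null) {
            // NULL -> NOT NULL: an SSO login has happened since this session's last request.
            session.setAttribute(USER_ID_ATTR, current);
            onLogin(current, request);
        } else if (!previous.equals(current)) {
            // A different principal on an existing session is unexpected; record it for audit.
            LOG.warning("Principal on session changed from " + previous + " to " + current);
            session.setAttribute(USER_ID_ATTR, current);
        }
    }

    /** Hook for post-login work such as auditing or loading preferences. */
    protected void onLogin(String userId, HttpServletRequest request) {
        LOG.info("SSO login detected for " + userId + " from " + request.getRemoteAddr());
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) { }
}
```

Because the login may have happened on another app or server, the hook fires on the first authenticated request this app sees, which is exactly the transition Tim describes rather than a true login event.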
 