
JSF Login Page and JAAS

 
Markus Schmider
Ranch Hand
Posts: 132
Hello,

If you want to use form-based authentication, e.g.

in web.xml

how would you code the login.html and error pages in JSF?

I have only found pure HTML examples for form-based authentication, and my JSF books say nothing about login and security.
Examples for login with JSF use custom beans.
But I think that should not be necessary and even redundant since an authenticated user is automatically propagated through the application.

Is JSF really so poorly integrated with JAAS?
 
Hebert Coelho
Ranch Hand
Posts: 754
JSF does not need a specific JSF page to log in by JAAS.

Check out these tutorials: http://uaihebert.com/?p=55 , http://uaihebert.com/?p=834
 
Gert Jan Kruizinga
Greenhorn
Posts: 16
The book "JAAS in Action" (you can get it at www.jaasbook.com) helped me a lot.
 
Tim Holloway
Saloon Keeper
Posts: 18304
The J2EE standard security system is Realm-independent. Whether you use JAAS, JDBC, LDAP or a custom Realm of your own, the web.xml settings and the login pages are unchanged. Only the webapp server itself knows or cares.

However, the login pages are not application pages (neither are a number of other pages defined in web.xml, such as error pages). Because these pages are presented by the server itself rather than by the webapp, they don't go through the normal processing channels. Specifically, they don't get routed through the FacesServlet, because these pages have no external URL. Without the FacesServlet, the JSF code and tags cannot function. Struts users have a similar problem.

For that reason, the login forms must be either straight HTML or simple (non-JSF) JSPs.

My login pages are very stark. The more functions and decorations you load a login page with, the greater is the likelihood that security will be compromised.
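
An added example, not part of the original thread, of the setup the answer above describes: a web.xml fragment that selects FORM authentication, followed by a plain-HTML login page that posts to the container's `j_security_check`. The role name `user`, the `/app/*` URL pattern and the `/error.html` path are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml (fragment). Role name and URL pattern are assumed values. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected pages</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require HTTPS for the protected resources -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Presented by the container itself, so plain HTML with no JSF tags -->
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- /login.html: the action and field names are fixed by the Servlet specification -->
<html>
  <head><title>Login</title></head>
  <body>
    <form method="post" action="j_security_check">
      <label>User name <input type="text" name="j_username" /></label>
      <label>Password <input type="password" name="j_password" /></label>
      <input type="submit" value="Log in" />
    </form>
  </body>
</html>
```

The realm behind this form (JAAS, JDBC, LDAP or custom) is configured in the server, not in either of these files.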
 