JSF login issue: automatic login as a user without filling in username/password when the login page is refreshed

 
Uy Tran
Greenhorn
Posts: 1
Hello all,

I'm writing a project with a login page; here is the code:

Login form:


LoginBean.java


LogoutBean.java


faces-config.xml


web.xml



The problem is that a user can log in without filling in username/password; he only has to refresh the page.
I think it happens when many students log in/out (about 50 or more). If I restart the server, it doesn't happen any more, but after a period of time the issue happens again.

I hope someone can help me with this issue?

Regards.
 
Greg Charles
Sheriff
Posts: 3015
Hello Uy, and welcome to Java Ranch! Hello, friend!

It looks to me like you're trying to invent your own custom framework for logins. It would be better to follow the JavaEE Tutorial for form-based logins. That's going to be more secure, and it's also probably easier to integrate your authentication logic into it than it is to create your own process.

For your login, it looks like you consider a login successful if learner is not null. However, the learner is set by LoginUtil, and I don't see the code for that. I don't really understand how a refresh would make any difference, but you can use a debugger to see if the login method is being called again, and for some reason returns a non-null learner value the second time. It does seem to me that if a user simply bookmarked the welcome page and went directly there, he/she would bypass the login process entirely. That's a total failure of security, so I strongly suggest going through the tutorial linked above, and doing logins the way it recommends.

Good luck!
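As an added illustration (not code from the original thread or from the Java EE tutorial itself) of the container-managed form-based login recommended above: the container, not an application bean, decides whether a request for a protected page is authenticated, so a bookmarked or refreshed URL cannot bypass the login. The `/app/*` path, the `student` role and the page names are assumptions.

```xml
<!-- web.xml (constructed example): let the container protect the pages -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- Every page under /app/* (assumed location of welcome.xhtml etc.) requires the
       "student" role; an unauthenticated request is redirected to the login form -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Learner pages</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>student</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- credentials and the session cookie travel only over TLS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- the login pages live outside /app/* so they stay reachable -->
      <form-login-page>/login.xhtml</form-login-page>
      <form-error-page>/login-error.xhtml</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>student</role-name>
  </security-role>
</web-app>

<!-- login.xhtml (constructed example): a plain form posting to j_security_check;
     the action and the field names j_username / j_password are fixed by the Servlet spec -->
<html xmlns="http://www.w3.org/1999/xhtml">
  <body>
    <form method="post" action="j_security_check">
      <input type="text" name="j_username" autocomplete="username"/>
      <input type="password" name="j_password" autocomplete="current-password"/>
      <input type="submit" value="Log in"/>
    </form>
  </body>
</html>
```

Users and their roles come from the container's realm (a database or LDAP realm configured in the server), and logout is `HttpServletRequest.logout()` followed by `HttpSession.invalidate()`, so no application bean ever holds or re-evaluates credentials on a page refresh.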
 
Tim Holloway
Bartender
Posts: 18777
Greg Charles wrote: It does seem to me that if a user simply bookmarked the welcome page and went directly there, he/she would bypass the login process entirely.
Good luck!


My estimate over the years is that probably 95% of all the "do it yourself" login/security systems written for Java can be cracked in under 2 hours, often by non-technical people, and that this particular weakness is the #1 cause why.

The worst thing in the world that a company can do is tell their application programmer "Write this system. And while you're at it, make it secure". Well, except for when they add "By Thursday" to the requirements.

The SECOND worst thing in the world that a company can do security-wise is have some "genius" dream up a security system and make that the Corporate Standard.

Unless you are a full-time trained security professional, you have no business writing your own security code, especially when security systems already exist that were designed, written, tested and fully documented by full-time security professionals.

Security is not some sort of "All You Have To Do" thing. It's a delicate chain and only a single link needs to break in order to let the barbarian hordes in to plunder. Don't bother to back up databases. Hire cheap labor that doesn't know how to make code crash-resistant. Skimp on infrastructure and documentation.

But if you don't do security right, your critical corporate assets will be spirited away faster than you can say "Ashley Madison".