The best place to ask programming/development questions, imo. UPDATE: stackoverflow is the *worst* place to *ask* questions (if your first question/comment doesn't get any up-rating/response, then u can't ask anymore questions--ridiculously unrealistic), but a great reference for finding answers.

My Music (Nickleus)

20120227

jboss jsf login example catalina container managed security j_security_check web.xml login-config auth-method form

some relevant code from web.xml:
<security-constraint>
<display-name>Web Security</display-name>
<web-resource-collection>
<web-resource-name>rich</web-resource-name>
<url-pattern>/pages/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Users</role-name>
<role-name>Administrators</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Admin Web Security</display-name>
<web-resource-collection>
<web-resource-name>rich_admin</web-resource-name>
<url-pattern>/adm/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myrealmLdapAuthenticator</realm-name>
<form-login-config>
<form-login-page>/login.jsf</form-login-page>
<form-error-page>/login.jsf</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>Users</role-name>
</security-role>
<security-role>
<role-name>Administrators</role-name>
</security-role>

the security-role role-names are defined in our LDAP server.

the most relevant line from LoginBean.java:
FacesContext.getCurrentInstance().getExternalContext().redirect("/pages/j_security_check?j_username="+username+"&j_password="+password); 

WebAuthentication webA = new WebAuthentication();
webA.login(username, password);


 this is done when backend authentication, plus anything you need to check/set before you welcome the user into the application, is complete. note that LoginBean.java is declared with request scope in faces-config.xml and the class itself has the annotation @org.ajax4jsf.model.KeepAlive
this redirect should be run on a server using https because it is a GET request.

and some code from login.xhtml:

<h:messages showDetail="false" showSummary="true" layout="list" styleClass="rich-messages-label" /> 
<h:form id="checkPassword">
<h:panelGrid columns="2">
<h:outputLabel for="username" value="#{loginBean.getPropertyValue('label.username')}" />
<h:inputText required="true" id="username" value="#{loginBean.username}" />
<h:outputLabel for="password" value="#{loginBean.getPropertyValue('label.password')}" />
<h:inputSecret required="true" id="password" value="#{loginBean.password}" />
</h:panelGrid>
<h:commandButton value="#{loginBean.getPropertyValue('label.login')}" action="#{loginBean.login}" disabled="#{loginBean.mustChangePassword}" reRender="checkPassword,authenticate" />
</h:form> 
<h:form id="authenticate" rendered="#{loginBean.mustChangePassword}">
<h:panelGrid columns="2">
<h:outputLabel for="currentpassword" value="#{loginBean.getPropertyValue('label.passwordCurrent')}" />
<h:inputSecret required="true" id="currentpassword" value="#{loginBean.password}" />
<h:outputLabel for="newpassword" value="#{loginBean.getPropertyValue('label.passwordNew')}" />
<h:inputSecret required="true" id="newpassword" value="#{loginBean.newPassword}" />
<h:outputLabel for="confirmnewpassword" value="#{loginBean.getPropertyValue('label.passwordConfirmNew')}" />
<h:inputSecret required="true" id="confirmnewpassword" value="#{loginBean.confirmNewPassword}" />
</h:panelGrid>
<h:commandButton value="#{loginBean.getPropertyValue('label.save')}" action="#{loginBean.authenticate}" />
</h:form>

No comments:

Post a Comment