jsf - How to handle authentication/authorization with users in a database? -
Currently, I'm working on a web project using JSF 2.0, Tomcat 7 and MongoDB. I have a big question of how to handle session management and authentication/authorization of users in the database.
The structure I want is as follows: logged in users can create events and can see the created events.
- `create.xhtml` --> logged in users
- `events.xhtml` --> public to everyone
The basic structure I'm planning is:
- Check if the page requires a logged in user (e.g. `create.xhtml`)
- If yes, check if the user is logged in
- If the user is not logged in, go to `login.xhtml`
- If logged in, come to the requested page
- Keep the "user logged in" information unless the user clicks the log out button (I guess that's where `@SessionScoped` comes into play)
The question is:
- What is the less complicated way of doing this?
- Where should I use the `@SessionScoped` annotation? In `Create.java` or `LoginManager.java`?
- Spring Security looks like kind of a complicated issue; do I need it? If yes, can you explain a little bit of how the implementation works with JSF 2.0 and MongoDB?
There are several options. The choice is up to you. Objectively weigh the concrete advantages and disadvantages to conform to your own situation.
1. Use Java EE provided container managed authentication
Just declare a `<security-constraint>` in `web.xml` which refers to a security realm configured in the servletcontainer. You can specify in the webapp the URL pattern(s) which should be checked for login and/or role(s), e.g. `/secured/*`, `/app/*`, `/private/*`, etc.
Before Java EE 8, you unfortunately still need to configure the security realm in a servletcontainer-specific way. It's described in the servletcontainer-specific documentation. In case of Tomcat 8, that's the Realm HOW-TO. For example, a database based realm based on users/roles tables is described in the section "JDBCRealm".
Since Java EE 8, there is a standard API based on JSR-375.
Advantages:
- Relatively quick and easy setup and use.
- Since Java EE 8 there's a robust and flexible standard API.
Disadvantages:
- Before Java EE 8, realm configuration is container-specific. In Java EE 8, the new JSR-375 security spec should solve this with help of JASPIC.
- Before Java EE 8, there is no fine grained control.
- Before Java EE 8, it's spartan; no "remember me", poor error handling, no permission based restriction.
See also:
- Performing user authentication in Java EE / JSF using j_security_check - contains complete code examples
- Java EE kickoff application - example web application (developed by me) which demonstrates Java EE 8 authentication with Soteria (the JSR-375 RI).
2. Homegrow a servlet filter
This allows much more fine grained control, but you're going to need to write all the code yourself and you should really know/understand how you should implement such a filter to avoid potential security holes. In the JSF side, you could for example put the logged-in user as a session attribute by `sessionMap.put("user", user)` and check in the filter if `session.getAttribute("user")` is not `null`.
Advantages:
- Fine grained control.
- Completely container independent.
Disadvantages:
- Reinvention of the wheel; new features require a lot of code.
- As a starter, you're never sure if your code is 100% robust.
See also:
- Is there any easy way to preprocess and redirect requests? - contains an introductory explanation and a kickoff example for authentication
- Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same - contains a more extended kickoff example for authentication which covers ajax requests
- JSF: How to control access and rights in JSF? - contains a kickoff example for authorization
3. Adapt a 3rd party framework
For example, Apache Shiro, Spring Security, etc. This offers much more fine grained configuration options than standard container managed authentication and you don't need to write any code yourself, except of course the login page and some (XML) configuration.
Advantages:
- Fine grained control.
- Completely container independent.
- No reinvention of the wheel; a minimum of own code.
- Thoroughly developed and tested by a lot of users, 100% robust.
Disadvantages:
- Some learning curve.
See also:
- JSF2 - Shiro tutorial - extensive tutorial on integrating Shiro in a JSF2 webapp