jsf - How to handle authentication/authorization with users in a database? -


currently, working on web project using jsf 2.0, tomcat 7 , mongodb. have big question of how handle session management , authentication/authorization users in database.

the structure want follows: logged in users can create events , can see created events.

  • create.xhtml --> logged in users.
  • events.xhtml --> public everyone.

the basic structure i'm planning is:

  • check if page requires logged in user (e.g. create.xhtml)
  • if yes, check if user logged in
  • if user not logged in, go login.xhtml
  • if logged in, come requested page
  • keep "user logged in" information unless user clicks log out button. (there guess @sessionscoped gets play)

the question is:

  1. what less complicated way of doing this?
  2. where should use @sessionscoped annotation? in create.java or loginmanager.java?
  3. spring security looks kind of complicated issue, need it? if yes, can explain little bit of how implementation works jsf 2.0 , mongo db?

there several options. choose you. objectively weigh concrete advantages , disadvantages conform own situation.

1. use java ee provided container managed authentication

just declare <security-constraint> in web.xml refers security realm configured in servletcontainer. can webapp specify url pattern(s) should checked login and/or role(s), e.g. /secured/*, /app/*, /private/*, etc.

before java ee 8, unfortunately still need configure security real in servletcontainer-specific way. it's described in servletconainer-specific documentation. in case of tomcat 8, that's realm how-to. example, database based realm based on users/roles tables described in section "jdbcrealm".

since java ee 8, there standard api based on jsr-375.

advantages:

  • relatively quick , easy setup , use.
  • since java ee 8 there's robust , flexible standard api.

disadvantages:

  • before java ee 8, realm configuration container-specific. in java ee 8, new jsr-375 security spec should solve of jaspic.
  • before java ee 8, , there no fine grained control.
  • before java ee 8, it's spartan; no "remember me", poor error handling, no permission based restriction.

see also:

2. homegrow servlet filter

this allows more fine grained control, you're going need write code , should know/understand how should implement such filter avoid potential security holes. in jsf side, example put logged-in user session attribute sessionmap.put("user", user) , check in filter if session.getattribute("user") not null.

advantages:

  • fine grained control.
  • completely container independent.

disadvantages:

  • reinvention of wheel; new features require lot of code.
  • as starter, you're never sure if code 100% robust.

see also:

3. adapt 3rd party framework

for example, apache shiro, spring security, etc. offers more fine grained configuration options standard container managed authentication , don't need write code yourself, expect of login page , (xml) configuration of course.

advantages:

  • fine grained control.
  • completely container independent.
  • no reinvention of wheel; minimum of own code.
  • thoroughly developed , tested lot of users, 100% robust.

disadvantages:

  • some learning curve.

see also:


Comments

Post a Comment

Popular posts from this blog

powershell Start-Process exit code -1073741502 when used with Credential from a windows service environment -

i'm running strange behavior powershell start-process call. here call: $process = start-process ` "c:\somepath\mybinary.exe" ` -passthru ` -credential $defaultcredential ` -wait ` -workingdirectory "c:\somepath" ` -loaduserprofile if ($process.exitcode -ne 0) { #do } this call return exit code - 1073741502 . after quick search, exit code seems related generic error when program not load required dll (aka. status_dll_init_failed ). when run without -credential $credential program runs correctly. in order isolate problem, manually launched some.exe in prompt target credential , runs smoothly. so problem seems come way start-process cmdlet launch process. i found potential solutions problem tried apply no luck : link , link . would have idea of what's going on here ? edit 1: run proc mon monitoring program activities when launched directly or via powershell script. problem seems occur when loading kernelbase
Read more

twig - Using Twigbridge in a Laravel 5.1 Package -

i'm trying create laravel 5.1 package uses twigbridge instead of .php views. can normal .php views display fine, when try make use of .twig templates i'm met error. possible use twigbridge templates when creating views laravel package or pretty stuck blade , php ? edit 1: loading twig template without extending works. it's when start using {% extends 'file' %} error comes out. i error error loading /virtual/laravel/packages/username/mypackage/src/views/sample.twig: template "templates.master" not defined () in "/virtual/laravel/packages/username/mypackage/src/views/sample.twig" @ line 1. my folders username |_ mypackage |_ src |_ controllers - samplecontroller.php |_ views |_ templates - master.twig - sample.twig twig template sample.twig {% extends 'templates.master' %} {% block content %} {{ parent()
Read more

c# - LINQ join Entities from HashSet's, Join vs Dictionary vs HashSet performance -

i have hashset's each stores t, have written test application compares different relation algorithms can think of, i'm not pleased results getting. does there exist more efficient ways of achieving object relations, once testing? using system; using system.collections.generic; using system.linq; using system.text; using system.threading.tasks; using system.diagnostics; namespace linqtests { class program { static void main(string[] args) { hashset<user> usertable = new hashset<user>(); hashset<userproperty> userpropertytable = new hashset<userproperty>(); #region lets create dummy data. console.writeline("please wait while creating dummy data, can take while..."); console.writeline(""); int rows = 1000000; for(int x = 0; x < rows; x++) { random rnd = new random(); // ad
Read more