jsf - How to handle authentication/authorization with users in a database? -


currently, working on web project using jsf 2.0, tomcat 7 , mongodb. have big question of how handle session management , authentication/authorization users in database.

the structure want follows: logged in users can create events , can see created events.

  • create.xhtml --> logged in users.
  • events.xhtml --> public everyone.

the basic structure i'm planning is:

  • check if page requires logged in user (e.g. create.xhtml)
  • if yes, check if user logged in
  • if user not logged in, go login.xhtml
  • if logged in, come requested page
  • keep "user logged in" information unless user clicks log out button. (there guess @sessionscoped gets play)

the question is:

  1. what less complicated way of doing this?
  2. where should use @sessionscoped annotation? in create.java or loginmanager.java?
  3. spring security looks kind of complicated issue, need it? if yes, can explain little bit of how implementation works jsf 2.0 , mongo db?

there several options. choose you. objectively weigh concrete advantages , disadvantages conform own situation.


1. use java ee provided container managed authentication

just declare <security-constraint> in web.xml refers security realm configured in servletcontainer. can webapp specify url pattern(s) should checked login and/or role(s), e.g. /secured/*, /app/*, /private/*, etc.

before java ee 8, unfortunately still need configure security real in servletcontainer-specific way. it's described in servletconainer-specific documentation. in case of tomcat 8, that's realm how-to. example, database based realm based on users/roles tables described in section "jdbcrealm".

since java ee 8, there standard api based on jsr-375.

advantages:

  • relatively quick , easy setup , use.
  • since java ee 8 there's robust , flexible standard api.

disadvantages:

  • before java ee 8, realm configuration container-specific. in java ee 8, new jsr-375 security spec should solve of jaspic.
  • before java ee 8, , there no fine grained control.
  • before java ee 8, it's spartan; no "remember me", poor error handling, no permission based restriction.

see also:


2. homegrow servlet filter

this allows more fine grained control, you're going need write code , should know/understand how should implement such filter avoid potential security holes. in jsf side, example put logged-in user session attribute sessionmap.put("user", user) , check in filter if session.getattribute("user") not null.

advantages:

  • fine grained control.
  • completely container independent.

disadvantages:

  • reinvention of wheel; new features require lot of code.
  • as starter, you're never sure if code 100% robust.

see also:


3. adapt 3rd party framework

for example, apache shiro, spring security, etc. offers more fine grained configuration options standard container managed authentication , don't need write code yourself, expect of login page , (xml) configuration of course.

advantages:

  • fine grained control.
  • completely container independent.
  • no reinvention of wheel; minimum of own code.
  • thoroughly developed , tested lot of users, 100% robust.

disadvantages:

  • some learning curve.

see also:


Comments

Popular posts from this blog

twig - Using Twigbridge in a Laravel 5.1 Package -

Kivy: Swiping (Carousel & ScreenManager) -

jdbc - Not able to establish database connection in eclipse -