Glassfish 4.0
Primefaces 5.0
Linux
I'm trying to understand how to secure my web application.
I have a form-based login page, /index.xhtml. I created a JDBC-Realm for which to authenticate the admin against. I think this is called basic authentication. I create web pages under /admin/* in my app that allow the admin to create users and those users would then be stored in the database.
The users would then login using form-based authentication to /index.xhtml which would then redirect them to /users/index.xhtml. This is in the web.xml.
My problem is that I do not understand how to do the session handling past the first page. Meaning after logging in and being redirected to /users/index.xhtml, I don't believe I'm saving the session (if thats what I'm supposed to do) or using it in the next page. I don't understand how to handle sessions for accessing other pages under /users/* past the first page.
Here's a bit about my config.
faces-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<faces-config
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd"
version="2.0">
<navigation-rule>
<from-view-id>/index.xhtml</from-view-id>
<navigation-case>
<from-action>#{loginController.login}</from-action>
<from-outcome>success</from-outcome>
<to-view-id>/users/index.xhtml</to-view-id>
</navigation-case>
<navigation-case>
<from-action>#{loginController.login}</from-action>
<from-outcome>failure</from-outcome>
<to-view-id>/index.xhtml</to-view-id>
</navigation-case>
</navigation-rule>
</faces-config>
web.xml
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbc-realm</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<display-name>Admin Pages</display-name>
<web-resource-collection>
<web-resource-name>Protected Admin Area</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>All Access</display-name>
<web-resource-collection>
<web-resource-name>None Protected User Area</web-resource-name>
<description/>
<url-pattern>/users/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<!--role-name>admin</role-name-->
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
glassfish-web.xml
<glassfish-web-app>
<parameter-encoding default-charset="UTF-8"/>
<security-role-mapping>
<role-name>admin</role-name>
<group-name>admin</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>user</role-name>
<group-name>user</group-name>
</security-role-mapping>
</glassfish-web-app>
/index.xhtml
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:p="http://primefaces.org/ui">
<h:head>
<ui:insert name="title"/>
</h:head>
<h:body>
<h:outputStylesheet library="resources" name="css/pnstyle.css"/>
<f:view contentType="text/html">
<h:form>
<p:panel id="panel-signin">
<p:focus context="panel-signin"/>
<p:messages id="messages" showDetail="true" autoUpdate="true"
closeable="true"/>
<h:panelGrid columns="3">
<h:outputLabel for="username" value="Username: *"/>
<p:inputText id="username" required="true" label="Username"
value="#{loginController.username}">
<f:validateLength minimum="3"/>
</p:inputText>
<p:message for="username"/>
<h:outputLabel for="password" value="Password: *"/>
<p:password id="password" required="true" label="Password"
value="#{loginController.password}">
</p:password>
<p:message for="password"/>
</h:panelGrid>
<p:commandButton id="loginButton" value="Login"
action="#{loginController.login}"/>
</p:panel>
</h:form>
</f:view>
</h:body>
</html>
LoginController.java (work in progress)
@EJB(name="ejb/LoginBean", beanInterface=ILogin.class)
@ManagedBean(name="loginController")
@SessionScoped
public class LoginController {
private boolean authenticated = false;
private ILogin ilogin;
private String username;
private String password;
private User user;
private String originalURL;
public LoginController() throws IOException {
FacesContext context = FacesContext.getCurrentInstance();
ExternalContext externalContext = context.getExternalContext();
originalURL = (String)
externalContext.getRequestMap().get(
RequestDispatcher.FORWARD_REQUEST_URI);
if (originalURL == null) {
originalURL = externalContext.getRequestContextPath() +
"/index.xhtml";
}
else {
String originalQuery = (String)
externalContext.getRequestMap().get(
RequestDispatcher.FORWARD_QUERY_STRING);
if (originalQuery != null) {
originalURL += "?" + originalQuery;
}
}
try {
ilogin = (ILogin)
(new InitialContext()).lookup("java:comp/env/ejb/LoginBean");
}
catch (Exception e) {
e.printStackTrace();
}
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public boolean isAuthenticated() {
return authenticated;
}
public String login() throws IOException {
FacesContext context = FacesContext.getCurrentInstance();
ExternalContext externalContext = context.getExternalContext();
HttpServletRequest request =
(HttpServletRequest) externalContext.getRequest();
try {
/* If this is the admin, then we authenticate via the
* security role, otherwise via the EJB's.
*/
if (username.equals("admin")) {
request.login(username, password);
return "success";
}
else {
/* Authenticate from database. */
user = ilogin.getUser(username);
if (user.getPassWord().equals(password)) {
authenticated = true;
return "success";
}
}
}
catch (ServletException e) {
e.printStackTrace();
}
catch (Exception e) {
e.printStackTrace();
}
context.addMessage("panel-signin:messages",
new FacesMessage(FacesMessage.SEVERITY_WARN, "Invalid Login",
"Username or password is Invalid!"));
return "failure";
}
public void logout() throws IOException {
ExternalContext externalContext =
FacesContext.getCurrentInstance().getExternalContext();
externalContext.invalidateSession();
externalContext.redirect(externalContext.getRequestContextPath()
+ "/login.xhtml");
try {
//request.logout();
}
catch (Exception e) {
}
}
}
