Reputation: 525
In my project, until today I had login + logout buttons that used JSF form authentication and a simple XHTML j_security_check login page (using PrimeFaces for layout).
<form action="j_security_check" method="post">
    <p:panelGrid id="loginContentPanel" columns="2">
        <p:outputLabel for="j_username" value="Login" />
        <p:inputText id="j_username" />
        <p:outputLabel for="j_password" value="Password" />
        <p:password id="j_password"></p:password>
        <f:facet name="footer">
            <div id="loginButtonCenter">
                <h:commandButton id="loginButton"
                    styleClass="ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only"
                    value="Login" />
            </div>
        </f:facet>
    </p:panelGrid>
</form>
Access to the page was restricted by the following entries in web.xml:
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>User Auth</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login.xhtml?s=err</form-error-page>
    </form-login-config>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>User Auth</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
However, I'm asked to change the login system so it works in this way:
I modified web.xml to grant access to all roles:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>User Auth</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
But it still requires me to have at least one role, not just being logged in. (And I had to change the login page to HTML-only, because I was getting redirects to jQuery style files(?))
I would ask about the best approach to do so, but it's best to have closed questions, so here is a bunch:
Working on TomEE 1.7.3
Upvotes: 2
Views: 1505
Reputation: 1108692
But it still requires me to have at least one role, not just being logged in.
Just add a role representing a "user without role", e.g. user. The admins obviously own both roles.
(And I had to change the login page to HTML-only, because I was getting redirects to jQuery style files(?))
The URL pattern of /* applies to all requests, including JSF resource requests (CSS/JS/image files from WAR/resources and WAR/WEB-INF/lib/*.jar!/META-INF/resources). To fix this, just add the /javax.faces.resource/* URL pattern to the set of publicly allowed resources (i.e. having no auth constraint).
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Constraint! -->
</security-constraint>
See also PrimeFaces CSS skin not showing in login page, also JavaScript undefined errors.
For now my XHTML files are placed directly in the WebContent directory, and in the admin directory for admin pages. Should I move the rest of the files (except the login page) to, for example, a user directory, so I can restrict only an area of my project and use PF styles and images on the login page?
Not necessary. Just constrain the URL pattern /* to the user role and /admin/* to the admin role.
I've read about filters, so I could just redirect users that are not logged in to the login page. Is it secure and can it not be interrupted? Does j_security_check "work" well with filters?
Don't mix them. Filters are for homegrown security only. See also How to handle authentication/authorization with users in a database? Moreover, container managed security runs far before the first filter is hit, so you won't have any chance to do something in a filter anyway. See also a.o. Servlet filter not applying to container managed login page.
Upvotes: 1
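Putting the three pieces of the answer together (public JSF resources, /* for the user role, /admin/* for the admin role), as an added web.xml example that is not part of the original answer; the role names user and admin and the javax.faces.resource prefix (JSF 2.x on TomEE 1.7.3) are taken from the thread, the constraint names are assumptions:

```xml
<!-- Added example: combined security section of web.xml (not from the original post). -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>User Auth</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login.xhtml?s=err</form-error-page>
    </form-login-config>
</login-config>

<!-- 1. JSF resources (CSS/JS/images) stay public: no <auth-constraint> at all,
        so the login page can still load PrimeFaces skins and scripts. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<!-- 2. Everything else requires the "user" role, i.e. a logged-in account
        that the realm has mapped to at least this role. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>User area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<!-- 3. The admin area additionally requires "admin". Admins own both roles,
        so they pass the /* constraint as well. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin area</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<!-- Declare the roles the constraints reference; the realm must map users to them. -->
<security-role><role-name>user</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>
```

A user who is authenticated but mapped to no role is still rejected by constraint 2, which is exactly the behaviour the question ran into with the * role.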