Currently, I am working on a web project using JSF 2.0, Tomcat 7 and MongoDB. I have a big question of how to handle the session management and authentication/authorization with users in a database.
The structure I want is as follows: only logged in users can create events and everyone can see the created events.
create.xhtml
--> only for logged in users.events.xhtml
--> public for everyone.The basic structure I'm planning is:
create.xhtml
)login.xhtml
@SessionScoped
gets into play)The question is:
@SessionScoped
annotation? In Create.java
or
LoginManager.java
?There are several options. Which to choose is fully up to you. Just objectively weigh the concrete advantages and disadvantages conform your own situation.
Just declare a <security-constraint>
in web.xml
which refers a security realm which is configured in servletcontainer. You can for your webapp specify URL pattern(s) which should be checked for login and/or role(s), e.g. /secured/*
, /app/*
, /private/*
, etc.
Before Java EE 8, you unfortunately still need to configure a security realm in a servletcontainer-specific way. It's usually described in servletconainer-specific documentation. In case of Tomcat 8, that's the Realm HOW-TO. For example, a database based realm based on users/roles tables is described in section "JDBCRealm".
Since Java EE 8, there will finally be a standard API based on JSR-375.
This allows for much more fine grained control, but you're going to need to write all the code yourself and you should really know/understand how you should implement such a filter to avoid potential security holes. In JSF side, you could for example just put the logged-in user as a session attribute by sessionMap.put("user", user)
and check in the filter if session.getAttribute("user")
is not null
.
For example, Apache Shiro, Spring Security, etc. This offers usually much more fine grained configuration options than standard container managed authentication and you don't need to write any code for this yourself, expect of the login page and some (XML) configuration of course.