Is Navigation and Content Management in a page secure using Beans?

Question

Actually I'm new to JSF and Facelets and enterprise apps despite i've been working on it the last 4 months, anyway, i'm developing a web page which has a login, an user administrator and a documents administrator (it has more but it doesn't matter) and i have to manage the acces and the content of pages according to each user permissions. Reading about security i've found out many ways of doing a login, but i have made my own with Stateful Beans in order to maintain the users data in the application for using them later so i can restrict the content. the question is... is this the correct way to manage the content according to users restrictions? if not, which is the best and securest way of doing it?

this is my Stateful Bean (i did not include the Getters and Setters)

    @ManagedBean
    @Stateful
    public class HandlerLogin implements Serializable{

    @EJB
    private LoginMethodsLocal loginMethods;

    private String loginNickname;
    private String loginPassword;
    private String userData[];
    //[0]=Nickname
    //[1]=Name
    //[2]=User Type

    private boolean loguedIn= false;

    public void check(){

    System.out.println(this.loginNombre);
    System.out.println(this.loginContrasena);

    this.userData= loginMethods.Login(this.loginNickname, this.loginPassword);
    //the method loginMethods.Login() queries in the database looking for
    //"this.loginNickname" and "this.loginPassword"

    if (this.userData!=null){

        this.loguedIn=true;

    }
    else{

        this.loguedIn= false;
        FacesContext.getCurrentInstance().addMessage("mensajesLogin", new FacesMessage("Error, User Does not Exist"));
    }
}

public void closeSession(){

    this.userData=null;
} 
}

so my logic to manage the content and navigation is to check what kind of user is and depending on it determine how the acces and rendering is going to be

Answer 1

The @Stateful annotation does nothing in a JSF @ManagedBean. That annotation is only really been used when the class is by itself injected as @EJB in another managed bean or EJB and even then, a brand new and completely different instance with all properties set to default would have been created and used. So the @Stateful annotation definitely doesn't do what you think it does. Remove it, it makes no sense in this context.

Whether the remaining code is the correct way or not depends on the concrete functional requirements. There are many ways which are equally good and secure (assuming that you understand what code you actually are writing). The question is more: how many of the wheel do you want to reinvent yourself? The builtin container managed authentication leaves very little room for finegrained control, but if it is sufficient for you, then just make use of it instead of homebrewing the authentication yourself.

Going through the following related answers should give some good ideas:

• Performing user authentication in Java EE / JSF using j_security_check
• JSF: How control access and rights in JSF?
• How to check if is user logged in?
• How to properly use isUserInRole(role)
• JSF request scoped bean keeps recreating new Stateful session beans on every request?