
In my project, up until today, I had login + logout buttons that used JSF form authentication and a simple XHTML j_security_check login page (using PrimeFaces for layout).

<form action="j_security_check" method="post">
    <p:panelGrid id="loginContentPanel" columns="2">
        <p:outputLabel for="j_username" value="Login" />
        <p:inputText id="j_username" />
        <p:outputLabel for="j_password" value="Password" />
        <p:password id="j_password"></p:password>
        <f:facet name="footer">
            <div id="loginButtonCenter">
                <h:commandButton id="loginButton"
                    styleClass="ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only"
                    value="Login" />
            </div>
        </f:facet>
    </p:panelGrid>
</form>

Access to the page was restricted by the following entries in web.xml:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>User Auth</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login.xhtml?s=err</form-error-page>
    </form-login-config>
</login-config>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>User Auth</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

However, I'm asked to change the login system so that it works this way:

  • Unauthorized user - login page
  • Authorized user - portal functionality
  • Authorized user with admin role - portal + admin dedicated pages

I modified web.xml to grant access to all roles:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>User Auth</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

but it still requires me to have at least one role rather than only being logged in. (And I had to change the login page to HTML only, because I was getting redirects to jQuery style files(?))

I would ask about the best approach to do so, but it's best to have closed questions, soooo here is a bunch:

  • For now my XHTML files are placed directly in the WebContent directory, and in the admin directory for admin pages. Should I move the rest of the files (except the login page) to, for example, a user directory, so I can restrict only that area of my project and use PF styles and images on the login page?
  • I've read about filters, so I could just redirect users that are not logged in to the login page. Is it secure and cannot be interrupted? Does j_security_check "work" well with filters?
  • Is it even possible to restrict the application to logged-in users only, using only the application's web.xml file?

Working on TomEE 1.7.3

The Raven
  • Just add a kind of "user" role? The admins obviously have both "user" and "admin" roles. Don't do filters; they are for homegrown security only, not container managed security. – BalusC Jan 11 '16 at 14:34
  • Well, that is what I would do too, but it's now a project requirement that the application is available to all users without an additional role... – The Raven Jan 11 '16 at 14:36
  • There can't be users without any role. Just create a new role representing "without role" state. – BalusC Jan 11 '16 at 14:38
  • Well if you say so, it has to be true! :) Thanks again. I will bug my admin mates then. – The Raven Jan 11 '16 at 14:49

1 Answer

but it still requires me to have at least one role rather than only being logged in.

Just add a role representing a "user without role", e.g. user. The admins obviously own both roles.


(And I had to change the login page to HTML only, because I was getting redirects to jQuery style files(?))

The URL pattern /* applies to all requests, including JSF resource requests (CSS/JS/image files from WAR/resources and WAR/WEB-INF/lib/*.jar!/META-INF/resources). To fix this, just add the /javax.faces.resource/* URL pattern to the set of publicly allowed resources (i.e. a constraint having no auth constraint).

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No auth constraint: these resources are public -->
</security-constraint>

See also PrimeFaces CSS skin not showing in login page, also JavaScript undefined errors.


For now my XHTML files are placed directly in the WebContent directory, and in the admin directory for admin pages. Should I move the rest of the files (except the login page) to, for example, a user directory, so I can restrict only that area of my project and use PF styles and images on the login page?

Not necessary. Just constrain the URL pattern /* to the user role and /admin/* to the admin role.


I've read about filters, so I could just redirect users that are not logged in to the login page. Is it secure and cannot be interrupted? Does j_security_check "work" well with filters?

Don't mix them. Filters are for homegrown security only. See also How to handle authentication/authorization with users in a database? Moreover, container managed security runs far before the first filter is hit, so you won't have any chance to do something in a filter anyway. See also, a.o., Servlet filter not applying to container managed login page.

BalusC