I'm developing a Java EE application (JSF2 + RichFaces + Facelets + Tomcat). What's the best way to perform authentication when using JSF? Or should I make my own?
FYI: It is spelled "authentication" not "authentification". – Migol Sep 20 '10 at 12:36
Duplicate of http://stackoverflow.com/questions/9965708 – BalusC Jun 07 '16 at 07:26
7 Answers
People usually pick between (in no specific order):
- JAAS (which is Java/Java EE default security framework)
- Spring Security
- Custom Made Security
I never used Spring Security, but the documentation is huge; I gave up trying that once because of time constraints. JAAS has the advantages of being simple and working out of the box with Tomcat.
I've seen custom security built on top of JAAS too.
What you really have to do is figure out what you will specifically need in your application and check which framework suits your needs better.
Without knowing your business needs, if you only need authentication (user login) I would say JAAS is the simplest way to go, as it is not application-intrusive and you won't need to add Spring dependencies if you are not already using it.

Note that JAAS itself is ***not*** a Java EE default security framework. JAAS is a security foundation found in Java SE, but it does not detail how it corresponds to Java EE security concepts, which are actually quite different at times. See this for more details: http://java.sys-con.com/node/1002315 – Arjan Tijms Apr 15 '13 at 06:57
Go for Spring Security
Here is how to integrate it with JSF
Edit:
http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/

I think that Leonardo answered it correctly, but you could also consider Central Authentication Service (CAS) for enterprise-wide security. It is a little more complex to configure, but the benefits are tremendous. It also supports an enormous number of out-of-the-box authentication mechanisms, from LDAP to NTLM. CAS also provides an extension for custom authentication.
If you choose to use Java EE containers and wish to use form-based authentication, I have published a couple of examples for use with JSF 1.2 and 2.0 and j_security_check:
- JSF 1.2 Facelets Form Based Authentication (j_security_check)
- JSF 2.x Facelets Form Based Authentication (j_security_check)
In addition, the Servlet 3.0 API provides login and authentication based on the container via the HttpServletRequest API.

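The container-based login through the Servlet 3.0 `HttpServletRequest` API mentioned in the answer above, called from a JSF 2 backing bean. This is an added example, not code from the answer or from its linked articles; the bean name `LoginBean`, its fields and the `/secured/home` and `/login` outcomes are assumptions.

```java
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Hypothetical JSF 2 backing bean: class name, fields and navigation outcomes are assumptions.
@ManagedBean
@RequestScoped
public class LoginBean {
    private String username;
    private String password;

    private static HttpServletRequest request() {
        return (HttpServletRequest) FacesContext.getCurrentInstance()
                .getExternalContext().getRequest();
    }

    public String login() {
        HttpServletRequest request = request();
        if (request.getUserPrincipal() != null) {
            return "/secured/home?faces-redirect=true"; // login() would throw if already authenticated
        }
        try {
            // The container checks the credentials against its configured realm.
            request.login(username, password);
        } catch (ServletException e) {
            // One generic message, so the response does not reveal which field was wrong.
            FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Invalid username or password", null));
            return null; // redisplay the login form
        } finally {
            password = null; // do not keep the credential on the bean
        }
        return "/secured/home?faces-redirect=true";
    }

    public String logout() throws ServletException {
        request().logout(); // clears the authenticated principal
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "/login?faces-redirect=true";
    }

    public boolean isLoggedIn() { return request().getUserPrincipal() != null; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

The URL patterns that require a login are still declared with `security-constraint` elements in web.xml; the bean only replaces the `j_security_check` form post.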
You can try Apache Shiro, which gives authentication, authorization and many others.

JBoss Seam integrates EJB 3, Facelets, JSF, and Hibernate really nicely. It also provides validation of data and some security stuff too. If you use it for all its features, it is really sweet. If you try to pick and choose only certain things out of it, then it is still cool, but you have a few workarounds. But I've been impressed with what I've seen of Seam so far.

For simple authentication, a very simple approach is to check for a valid user object in the template using JSTL, and show the login form if not.
For example, assume your template is webapp/WEB-INF/templates/default.xhtml; inside the template:

```xml
<html...>
  <!-- ... -->
  <h:body>
    <c:if test="#{mbSecurity.validUser}">
      <!-- authenticated template sections go here -->
    </c:if>
    <c:if test="#{not mbSecurity.validUser}">
      <ui:include src="/WEB-INF/inc/login-form.xhtml" />
    </c:if>
  </h:body>
</html>
```

Advantages: zero dependencies and zero configuration; also, if the session has expired, after the login the user will be back on the original page he was on.

Apart from the mentioned frameworks there's also Seam Security which integrates nicely with CDI through an Extension.
