Posted to users@myfaces.apache.org by Eurig Jones <eu...@fugro-robertson.com> on 2005/10/04 18:48:51 UTC

Login system security

I'm trying to decide on a Login/Logout system to protect my files using 
JSF.. I've played about with extending NavigationHandler, but the 
problem is, it doesn't protect the files which aren't JSF, and you can 
still run the JSP files if you wanted to...

How have you people gone about a database driven login/logout system 
using Faces?

Re: Login system security

Posted by Julián García <jg...@unionsoluciones.com.co>.
The approach would be to use a filter. Acegi comes with a filter already 
configured and independent of any presentation framework (as long as 
it's based on servlets).

If you don't want to introduce another (couple of) framework(s), use a 
hand-coded filter. However, I think Acegi and Spring are always worth a 
look ; )

I have seen there's a role property in some MyFaces tags, but I'm not 
sure how to use it; probably the MyFaces implementation offers something, 
but I am not sure. I have stuck to Acegi, since it offers many types 
of authentication schemes and is highly customizable.

Julian



Eurig Jones wrote:

> Thing is I really want to keep to the same framework (JSF)
>
> Julián García wrote:
>
>> I use acegi for Spring: acegisecurity.sourceforge.net/
>>
>> Julian Garcia
>>
>> Eurig Jones wrote:
>>
>>> I'm trying to decide on a Login/Logout system to protect my files 
>>> using JSF.. I've played about with extending NavigationHandler, but 
>>> the problem is, it doesn't protect the files which aren't JSF, and 
>>> you can still run the JSP files if you wanted to...
>>>
>>> How have you people gone about a database driven login/logout system 
>>> using Faces?
>>>
>
>
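A hand-coded filter of the kind Julián recommends above, and that Mike Kienenberger describes in the quoted replies further down (authenticate once, keep the user record in the session, deny everything else): this is an added example, not code from the thread or from any project mentioned in it. The class name, the "user" session key, the login page path and the public-path list are assumptions.

```java
package example.security; // hypothetical package name

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Coarse-grained login check that runs before JSF, plain JSPs and static
 * files alike. Mapped to /* in web.xml it closes the gap a NavigationHandler
 * leaves: a direct request for /secret/report.jsp never reaches the JSP.
 *
 *   <filter>
 *     <filter-name>AuthFilter</filter-name>
 *     <filter-class>example.security.AuthFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>AuthFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class AuthFilter implements Filter {

    /** Session attribute the login action sets after checking the database (assumed name). */
    public static final String USER_KEY = "user";

    /** Paths reachable without a login: the login page itself and its static assets.
        The login page MUST be listed here, otherwise the redirect below loops forever. */
    private static final Set<String> PUBLIC_PATHS =
        new HashSet<String>(Arrays.asList("/login.jsf", "/login.jsp"));
    private static final String[] PUBLIC_PREFIXES = { "/images/", "/css/", "/scripts/" };

    private String loginPage = "/login.jsf";

    public void init(FilterConfig config) throws ServletException {
        // Optional override via <init-param>; only context-relative paths are accepted.
        String configured = config.getInitParameter("loginPage");
        if (configured != null && configured.startsWith("/")) {
            loginPage = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Path relative to the web application, e.g. "/secret/report.jsp".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (isPublic(path)) {
            chain.doFilter(req, resp);
            return;
        }

        // getSession(false): an anonymous hit must not create a session.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_KEY);
        if (user == null) {
            // Deny by default: nothing downstream runs, JSF or not.
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }

        // Mike's variant: also expose the record per request so that beans
        // and plain JSPs can read it without touching the session again.
        request.setAttribute(USER_KEY, user);
        chain.doFilter(req, resp);
    }

    /** Exact matches or fixed prefixes only; everything else is private, so a
        newly added page is protected until someone explicitly lists it here. */
    static boolean isPublic(String path) {
        if (PUBLIC_PATHS.contains(path)) {
            return true;
        }
        for (String prefix : PUBLIC_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public void destroy() {
    }
}
```

Fine-grained checks (Mike's SecurityRoleManager, or the role attributes on MyFaces components) then work on the record this filter has already guaranteed is present.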


Re: Login system security

Posted by Eurig Jones <eu...@fugro-robertson.com>.
Thing is I really want to keep to the same framework (JSF)

Julián García wrote:

> I use acegi for Spring: acegisecurity.sourceforge.net/
>
> Julian Garcia
>
> Eurig Jones wrote:
>
>> I'm trying to decide on a Login/Logout system to protect my files 
>> using JSF.. I've played about with extending NavigationHandler, but 
>> the problem is, it doesn't protect the files which aren't JSF, and 
>> you can still run the JSP files if you wanted to...
>>
>> How have you people gone about a database driven login/logout system 
>> using Faces?
>>



Re: Login system security

Posted by Julián García <jg...@unionsoluciones.com.co>.
I use acegi for Spring: acegisecurity.sourceforge.net/

Julian Garcia

Eurig Jones wrote:

> I'm trying to decide on a Login/Logout system to protect my files 
> using JSF.. I've played about with extending NavigationHandler, but 
> the problem is, it doesn't protect the files which aren't JSF, and you 
> can still run the JSP files if you wanted to...
>
> How have you people gone about a database driven login/logout system 
> using Faces?
>


jsp:forward in JSF

Posted by Eurig Jones <eu...@fugro-robertson.com>.
I want to be able to put a forward (like <jsp:forward>) on top of my 
pages which forwards to a particular page depending on a JSF EL 
expression given... how would I go about doing this?

Re: Login system security

Posted by Sean Schofield <se...@gmail.com>.
Filters are the way to go IMO.  We use container authentication to
force login (with a custom screen) and then we rely on application
logic to control access to fields.  We use a session bean as others
have mentioned to store user information.

We also have a "spoof" login page that is not controlled by the
container.  We use this for pretending to be other users in a
production environment b/c all we have to do is replace the user bean
and flip a "spoof" flag on it (so that we can prevent saving etc.)

This has the advantage of allowing you to see exactly what your user
sees with only a minimal amount of code (which reduces the chance that
you might not really be seeing what your user sees.)

Those are some ideas at any rate.

sean


On 10/4/05, Dave <ja...@yahoo.com> wrote:
> hi Andrew,
>
> How to get a Realm object so that I can call authenticate()? I am using
> Database to store username and password. Thanks.
>
>
> Andrew robinson <an...@gmail.com> wrote:
>
> I am using the built in Tomcat DataSourceRealm so that single sign-on is
> possible. My login is still using a normal JSP instead of JSF, so I can't
> use JSF components to build my login page. Has anyone integrated the
> form-based web.xml authentication with a JSF login page?
>
>
> On 10/4/05, Mike Kienenberger <mkienenb@gmail.com > wrote:
> > I've switched from a login page to a filter that authenticates and sets
> > the User database record in the session.  (Actually, I fetch this
> > record every request, and store it in the request, but that may be too
> > excessive for your situation).
> >
> > I then have additional filters that work on that data to provide
> > coarse-grain security (ie, if you don't pass the filter, you can't
> > access any of the application).
> >
> > I also have a SecurityRoleManager bean that provides fine-grain
> > control by operating on the record stored in the session.   Ie,
> > "securityRoleManager.canEditDate()"
> >
> > On 10/4/05, Eurig Jones <eu...@fugro-robertson.com> wrote:
> > > I'm trying to decide on a Login/Logout system to protect my files using
> > > JSF.. I've played about with extending NavigationHandler, but the
> > > problem is, it doesn't protect the files which aren't JSF, and you can
> > > still run the JSP files if you wanted to...
> > >
> > > How have you people gone about a database driven login/logout system
> > > using Faces?
> > >
> >
>
>
>

Re: Login system security

Posted by hicham abassi <ha...@gmail.com>.
In Core JavaServer Faces, there is info about container security
in chapter 11: Tomcat Database Realm or LDAP way.

http://www.horstmann.com/corejsf/

I bought this book, it's very good ;)


2005/10/6, Sean Schofield <se...@gmail.com>:
> I can vouch for what Duncan is saying.  We were able to write our own
> custom authenticator for OC4J.  It used Windows Active Directory for
> authentication and Open LDAP for authorization.  It was a bit more
> cumbersome than Tomcat but it worked fine.
>
> sean
>
> On 10/5/05, Duncan Mills <du...@oracle.com> wrote:
> >  Several Points here
> >  1) Using Security Attributes within your pages.
> >  I'm about to release 1.0 of the jsf-security project on SourceForge
> > (www.sourceforge.net/projects/jsf-security) this provides
> > extensions to EL which will give you a new scope #{securityScope} and a
> > bunch of attributes and pseudo functions such as
> > #{securityScope.isUserInRole['manager,admin']} which allow you to  use
> > expressions to control rendering and read-only states of components - even
> > if they are not "role" enabled in the way that the myfaces components are.
> > jsf-security is fully pluggable and so if you use Acegi or a home grown
> > Authorization / Authentication mechanism you can plug it in underneath the
> > same consistent EL.
> >  The current version hooks into Container Security, and we've just started a
> > JAAS adapter as well.
> >  If anyone wants to get involved - particularly if you use Acegi today get
> > in touch.
> >  For more info on this see this blog entry: and the project on SF. You can
> > pull the source from CVS today and build - it all works I just need to write
> > the doc and localize the message strings...
> >
> >  2) Using the database to Authenticate / Authorize
> >  Your mileage will vary from container to container, but with OC4J (& Oracle
> > App server) you can plug in your own custom login modules that can do just
> > this - Frank and I who work on the jsf-security project just posted a paper
> > on that process a few weeks back:
> >  Declarative J2EE authentication and authorization with JAAS
> >
> >
> >  Duncan
> >
> >
> >
> >  Dave wrote:
> >
> > hi Andrew,
> >
> > How to get a Realm object so that I can call authenticate()? I am using
> > Database to store username and password. Thanks.
> >
> >  Andrew robinson <an...@gmail.com> wrote:
> > I am using the built in Tomcat DataSourceRealm so that single sign-on is
> > possible. My login is still using a normal JSP instead of JSF, so I can't
> > use JSF components to build my login page. Has anyone integrated the
> > form-based web.xml authentication with a JSF login page?
> >
> >
> > On 10/4/05, Mike Kienenberger <mkienenb@gmail.com > wrote:
> > I've switched from a login page to a filter that authenticates and sets
> >  the User database record in the session.  (Actually, I fetch this
> >  record every request, and store it in the request, but that may be too
> >  excessive for your situation).
> >
> >  I then have additional filters that work on that data to provide
> >  coarse-grain security (ie, if you don't pass the filter, you can't
> >  access any of the application).
> >
> >  I also have a SecurityRoleManager bean that provides fine-grain
> >  control by operating on the record stored in the session.   Ie,
> >  "securityRoleManager.canEditDate()"
> >
> >  On 10/4/05, Eurig Jones <eu...@fugro-robertson.com> wrote:
> >  > I'm trying to decide on a Login/Logout system to protect my files using
> >  > JSF.. I've played about with extending NavigationHandler, but the
> >  > problem is, it doesn't protect the files which aren't JSF, and you can
> >  > still run the JSP files if you wanted to...
> >  >
> >  > How have you people gone about a database driven login/logout system
> >  > using Faces?
> >  >
> >
> >
> >
> >  --
> >
> > Regards
> >
> > Duncan Mills
> > Senior Principal Product Manager
> > Oracle Application Development Tools
> >
> > Duncan.Mills@oracle.com
> >
>


--

hicham ABASSI
habassi@gmail.com

Re: Login system security

Posted by Sean Schofield <se...@gmail.com>.
I can vouch for what Duncan is saying.  We were able to write our own
custom authenticator for OC4J.  It used Windows Active Directory for
authentication and Open LDAP for authorization.  It was a bit more
cumbersome than Tomcat but it worked fine.

sean

On 10/5/05, Duncan Mills <du...@oracle.com> wrote:
>  Several Points here
>  1) Using Security Attributes within your pages.
>  I'm about to release 1.0 of the jsf-security project on SourceForge
> (www.sourceforge.net/projects/jsf-security) this provides
> extensions to EL which will give you a new scope #{securityScope} and a
> bunch of attributes and pseudo functions such as
> #{securityScope.isUserInRole['manager,admin']} which allow you to  use
> expressions to control rendering and read-only states of components - even
> if they are not "role" enabled in the way that the myfaces components are.
> jsf-security is fully pluggable and so if you use Acegi or a home grown
> Authorization / Authentication mechanism you can plug it in underneath the
> same consistent EL.
>  The current version hooks into Container Security, and we've just started a
> JAAS adapter as well.
>  If anyone wants to get involved - particularly if you use Acegi today get
> in touch.
>  For more info on this see this blog entry: and the project on SF. You can
> pull the source from CVS today and build - it all works I just need to write
> the doc and localize the message strings...
>
>  2) Using the database to Authenticate / Authorize
>  Your mileage will vary from container to container, but with OC4J (& Oracle
> App server) you can plug in your own custom login modules that can do just
> this - Frank and I who work on the jsf-security project just posted a paper
> on that process a few weeks back:
>  Declarative J2EE authentication and authorization with JAAS
>
>
>  Duncan
>
>
>
>  Dave wrote:
>
> hi Andrew,
>
> How to get a Realm object so that I can call authenticate()? I am using
> Database to store username and password. Thanks.
>
>  Andrew robinson <an...@gmail.com> wrote:
> I am using the built in Tomcat DataSourceRealm so that single sign-on is
> possible. My login is still using a normal JSP instead of JSF, so I can't
> use JSF components to build my login page. Has anyone integrated the
> form-based web.xml authentication with a JSF login page?
>
>
> On 10/4/05, Mike Kienenberger <mkienenb@gmail.com > wrote:
> I've switched from a login page to a filter that authenticates and sets
>  the User database record in the session.  (Actually, I fetch this
>  record every request, and store it in the request, but that may be too
>  excessive for your situation).
>
>  I then have additional filters that work on that data to provide
>  coarse-grain security (ie, if you don't pass the filter, you can't
>  access any of the application).
>
>  I also have a SecurityRoleManager bean that provides fine-grain
>  control by operating on the record stored in the session.   Ie,
>  "securityRoleManager.canEditDate()"
>
>  On 10/4/05, Eurig Jones <eu...@fugro-robertson.com> wrote:
>  > I'm trying to decide on a Login/Logout system to protect my files using
>  > JSF.. I've played about with extending NavigationHandler, but the
>  > problem is, it doesn't protect the files which aren't JSF, and you can
>  > still run the JSP files if you wanted to...
>  >
>  > How have you people gone about a database driven login/logout system
>  > using Faces?
>  >
>
>
>
>  --
>
> Regards
>
> Duncan Mills
> Senior Principal Product Manager
> Oracle Application Development Tools
>
> Duncan.Mills@oracle.com
>

Re: Login system security

Posted by Martin Marinschek <ma...@gmail.com>.
Great ;)

keep us updated!

regards,

Martin

On 10/9/05, Duncan Mills <du...@oracle.com> wrote:
>  Yes protecting views by role in the same way that Struts can assign roles
> to an Action is next on the list - I just have to think about the best way
> to do this and co-exist with any custom viewhandler impls and a reasonable
> format for the additional metadata required.
>  Duncan
>
>
>  Martin Marinschek wrote:
>  This is a very interesting project - will need to check it out for my
> next web-app ;)
>
> Will you also restrict delivering a view based on the user role? This
> is the third layer of security restrictions necessary in JSF...
>
> regards,
>
> Martin
>
> On 10/6/05, Duncan Mills <du...@oracle.com> wrote:
>
>
>  Right - the nice thing about the jsf-security EL extensions is that they
> don't have to be driven from Container Security you can plug in pretty much
> any home grown concept of a login page to authenticate and then your own
> auth mechanism as well. For instance if you take the approach of using a
> "userInfo" bean on the session which is generated by your own login process
> then it's trivial to hook that up into the EL interface
>  I guess the next phase of jsf-security where we're going to start
> protecting navigation targets based on role will be of interest to you as
> well
>  Duncan
>
>
>  Dave wrote:
>
> This is great!
> I posted a message before about how to login without any protected page. I
> looked at authenticator package where there is FormAuthenticator. I like to
> do similar, but without a protected page. User can click a login link and
> register all necessary info with session after successful authentication,
> and stay in the same page. The page will render differently depending on
> roles.
>
> It was suggested to have a dummy protected page that will redirect to
> current page. The problem is that the current page is stateful using
> <saveState>, and the data will not be available by redirecting from the
> dummy protected page.
>
> I looked the source code of servlet authenticator package. But have not
> figured out how to get the realm object to call authenticate(....). Any help is
> appreciated.
> Thanks. Dave
>
>
>  Duncan Mills <du...@oracle.com> wrote:
> Several Points here
>  1) Using Security Attributes within your pages.
>  I'm about to release 1.0 of the jsf-security project on SourceForge
> (www.sourceforge.net/projects/jsf-security) this provides
> extensions to EL which will give you a new scope #{securityScope} and a
> bunch of attributes and pseudo functions such as
> #{securityScope.isUserInRole['manager,admin']} which allow you to use
> expressions to control rendering and read-only states of components - even
> if they are not "role" enabled in the way that the myfaces components are.
> jsf-security is fully pluggable and so if you use Acegi or a home grown
> Authorization / Authentication mechanism you can plug it in underneath the
> same consistent EL.
>  The current version hooks into Container Security, and we've just started
> a JAAS adapter as well.
>  If anyone wants to get involved - particularly if you use Acegi today get
> in touch.
>  For more info on this see this blog entry: and the project on SF. You can
> pull the source from CVS today and build - it all works I just need to write
> the doc and localize the message strings...
>
>  2) Using the database to Authenticate / Authorize
>  Your mileage will vary from container to container, but with OC4J (& Oracle
> App server) you can plug in your own custom login modules that can do just
> this - Frank and I who work on the jsf-security project just posted a paper
> on that process a few weeks back:
>  Declarative J2EE authentication and authorization with JAAS
>
>
>  Duncan
>
>
>  Dave wrote:
>
> hi Andrew,
>
> How to get a Realm object so that I can call authenticate()? I am using
> Database to store username and password. Thanks.
>
>  Andrew robinson <an...@gmail.com> wrote:
> I am using the built in Tomcat DataSourceRealm so that single sign-on is
> possible. My login is still using a normal JSP instead of JSF, so I can't
> use JSF components to build my login page. Has anyone integrated the
> form-based web.xml authentication with a JSF login page?
>
>
> On 10/4/05, Mike Kienenberger <mkienenb@gmail.com > wrote:
> I've switched from a login page to a filter that authenticates and sets
>  the User database record in the session. (Actually, I fetch this
>  record every request, and store it in the request, but that may be too
>  excessive for your situation).
>
>  I then have additional filters that work on that data to provide
>  coarse-grain security (ie, if you don't pass the filter, you can't
>  access any of the application).
>
>  I also have a SecurityRoleManager bean that provides fine-grain
>  control by operating on the record stored in the session. Ie,
>  "securityRoleManager.canEditDate()"
>
>  On 10/4/05, Eurig Jones <eu...@fugro-robertson.com>
> wrote:
>  > I'm trying to decide on a Login/Logout system to protect my files using
>  > JSF.. I've played about with extending NavigationHandler, but the
>  > problem is, it doesn't protect the files which aren't JSF, and you can
>  > still run the JSP files if you wanted to...
>  >
>  > How have you people gone about a database driven login/logout system
>  > using Faces?
>  >
>
>  --
>
> Regards
>
> Duncan Mills
> Senior Principal Product Manager
> Oracle Application Development Tools
>
> Duncan.Mills@oracle.com
>
>
>  --
>
> Regards
>
> Duncan Mills
> Senior Principal Product Manager
> Oracle Application Development Tools
>
> Duncan.Mills@oracle.com
>
>
>
> --
>
> http://www.irian.at
> Your JSF powerhouse -
> JSF Trainings in English and German
>
>
>
>


--

http://www.irian.at
Your JSF powerhouse -
JSF Trainings in English and German

Re: Login system security

Posted by Duncan Mills <du...@oracle.com>.
Yes protecting views by role in the same way that Struts can assign 
roles to an Action is next on the list - I just have to think about the 
best way to do this and co-exist with any custom viewhandler impls and a 
reasonable format for the additional metadata required.
Duncan

Martin Marinschek wrote:

>This is a very interesting project - will need to check it out for my
>next web-app ;)
>
>Will you also restrict delivering a view based on the user role? This
>is the third layer of security restrictions necessary in JSF...
>
>regards,
>
>Martin
>
>On 10/6/05, Duncan Mills <du...@oracle.com> wrote:
>  
>
>> Right -  the nice thing about the jsf-security EL extensions is that they
>>don't have to be driven from Container Security you can plug in pretty much
>>any home grown concept of a login page to authenticate and then your own
>>auth mechanism as well. For instance if you take the approach of using a
>>"userInfo" bean on the session which is generated by your own login process
>>then it's trivial to hook that up into the EL interface
>> I guess the next phase of jsf-security where we're going to start
>>protecting navigation targets based on role will be of interest to you as
>>well
>> Duncan
>>
>>
>> Dave wrote:
>>
>>This is great!
>>I posted a message before about how to login without any protected page. I
>>looked at authenticator package where there is FormAuthenticator. I like to
>>do similar, but without a protected page. User can click a login link and
>>register all necessary info with session after successful authentication,
>>and stay in the same page. The page will render differently depending on
>>roles.
>>
>>It was suggested to have a dummy protected page that will redirect to
>>current page. The problem is that the current page is stateful using
>><saveState>, and the data will not be available by redirecting from the
>>dummy protected page.
>>
>>I looked the source code of servlet authenticator package. But have not
>>figured out how to get the realm object to call authenticate(....).  Any help is
>>appreciated.
>>Thanks. Dave
>>
>>
>> Duncan Mills <du...@oracle.com> wrote:
>>Several Points here
>> 1) Using Security Attributes within your pages.
>> I'm about to release 1.0 of the jsf-security project on SourceForge
>>(www.sourceforge.net/projects/jsf-security) this provides
>>extensions to EL which will give you a new scope #{securityScope} and a
>>bunch of attributes and pseudo functions such as
>>#{securityScope.isUserInRole['manager,admin']} which allow you to  use
>>expressions to control rendering and read-only states of components - even
>>if they are not "role" enabled in the way that the myfaces components are.
>>jsf-security is fully pluggable and so if you use Acegi or a home grown
>>Authorization / Authentication mechanism you can plug it in underneath the
>>same consistent EL.
>> The current version hooks into Container Security, and we've just started
>>a JAAS adapter as well.
>> If anyone wants to get involved - particularly if you use Acegi today get
>>in touch.
>> For more info on this see this blog entry: and the project on SF. You can
>>pull the source from CVS today and build - it all works I just need to write
>>the doc and localize the message strings...
>>
>> 2) Using the database to Authenticate / Authorize
>> Your mileage will vary from container to container, but with OC4J (& Oracle
>>App server) you can plug in your own custom login modules that can do just
>>this - Frank and I who work on the jsf-security project just posted a paper
>>on that process a few weeks back:
>> Declarative J2EE authentication and authorization with JAAS
>>
>>
>> Duncan
>>
>>
>> Dave wrote:
>>
>>hi Andrew,
>>
>>How to get a Realm object so that I can call authenticate()? I am using
>>Database to store username and password. Thanks.
>>
>> Andrew robinson <an...@gmail.com> wrote:
>>I am using the built in Tomcat DataSourceRealm so that single sign-on is
>>possible. My login is still using a normal JSP instead of JSF, so I can't
>>use JSF components to build my login page. Has anyone integrated the
>>form-based web.xml authentication with a JSF login page?
>>
>>
>>On 10/4/05, Mike Kienenberger <mkienenb@gmail.com > wrote:
>>I've switched from a login page to a filter that authenticates and sets
>> the User database record in the session.  (Actually, I fetch this
>> record every request, and store it in the request, but that may be too
>> excessive for your situation).
>>
>> I then have additional filters that work on that data to provide
>> coarse-grain security (ie, if you don't pass the filter, you can't
>> access any of the application).
>>
>> I also have a SecurityRoleManager bean that provides fine-grain
>> control by operating on the record stored in the session.   Ie,
>> "securityRoleManager.canEditDate()"
>>
>> On 10/4/05, Eurig Jones <eu...@fugro-robertson.com> wrote:
>> > I'm trying to decide on a Login/Logout system to protect my files using
>> > JSF.. I've played about with extending NavigationHandler, but the
>> > problem is, it doesn't protect the files which aren't JSF, and you can
>> > still run the JSP files if you wanted to...
>> >
>> > How have you people gone about a database driven login/logout system
>> > using Faces?
>> >
>>
>> --
>>
>>Regards
>>
>>Duncan Mills
>>Senior Principal Product Manager
>>Oracle Application Development Tools
>>
>>Duncan.Mills@oracle.com
>>
>>
>> --
>>
>>Regards
>>
>>Duncan Mills
>>Senior Principal Product Manager
>>Oracle Application Development Tools
>>
>>Duncan.Mills@oracle.com
>>
>>    
>>
>
>
>--
>
>http://www.irian.at
>Your JSF powerhouse -
>JSF Trainings in English and German
>  
>



Re: Login system security

Posted by Martin Marinschek <ma...@gmail.com>.
This is a very interesting project - will need to check it out for my
next web-app ;)

Will you also restrict delivering a view based on the user role? This
is the third layer of security restrictions necessary in JSF...

regards,

Martin

On 10/6/05, Duncan Mills <du...@oracle.com> wrote:
>  Right -  the nice thing about the jsf-security EL extensions is that they
> don't have to be driven from Container Security you can plug in pretty much
> any home grown concept of a login page to authenticate and then your own
> auth mechanism as well. For instance if you take the approach of using a
> "userInfo" bean on the session which is generated by your own login process
> then it's trivial to hook that up into the EL interface
>  I guess the next phase of jsf-security where we're going to start
> protecting navigation targets based on role will be of interest to you as
> well
>  Duncan
>
>
>  Dave wrote:
>
> This is great!
> I posted a message before about how to login without any protected page. I
> looked at authenticator package where there is FormAuthenticator. I like to
> do similar, but without a protected page. User can click a login link and
> register all necessary info with session after successful authentication,
> and stay in the same page. The page will render differently depending on
> roles.
>
> It was suggested to have a dummy protected page that will redirect to
> current page. The problem is that the current page is stateful using
> <saveState>, and the data will not be available by redirecting from the
> dummy protected page.
>
> I looked the source code of servlet authenticator package. But have not
> figured out how to get the realm object to call authenticate(....).  Any help is
> appreciated.
> Thanks. Dave
>
>
>  Duncan Mills <du...@oracle.com> wrote:
> Several Points here
>  1) Using Security Attributes within your pages.
>  I'm about to release 1.0 of the jsf-security project on SourceForge
> (www.sourceforge.net/projects/jsf-security) this provides
> extensions to EL which will give you a new scope #{securityScope} and a
> bunch of attributes and pseudo functions such as
> #{securityScope.isUserInRole['manager,admin']} which allow you to  use
> expressions to control rendering and read-only states of components - even
> if they are not "role" enabled in the way that the myfaces components are.
> jsf-security is fully pluggable and so if you use Acegi or a home grown
> Authorization / Authentication mechanism you can plug it in underneath the
> same consistent EL.
>  The current version hooks into Container Security, and we've just started
> a JAAS adapter as well.
>  If anyone wants to get involved - particularly if you use Acegi today get
> in touch.
>  For more info on this see this blog entry: and the project on SF. You can
> pull the source from CVS today and build - it all works I just need to write
> the doc and localize the message strings...
>
>  2) Using the database to Authenticate / Authorize
>  Your mileage will vary from container to container, but with OC4J (& Oracle
> App server) you can plug in your own custom login modules that can do just
> this - Frank and I who work on the jsf-security project just posted a paper
> on that process a few weeks back:
>  Declarative J2EE authentication and authorization with JAAS
>
>
>  Duncan
>
>
>  Dave wrote:
>
> hi Andrew,
>
> How to get a Realm object so that I can call authenticate()? I am using
> Database to store username and password. Thanks.
>
>  Andrew robinson <an...@gmail.com> wrote:
> I am using the built in Tomcat DataSourceRealm so that single sign-on is
> possible. My login is still using a normal JSP instead of JSF, so I can't
> use JSF components to build my login page. Has anyone integrated the
> form-based web.xml authentication with a JSF login page?
>
>
> On 10/4/05, Mike Kienenberger <mkienenb@gmail.com > wrote:
> I've switched from a login page to a filter that authenticates and sets
>  the User database record in the session.  (Actually, I fetch this
>  record every request, and store it in the request, but that may be too
>  excessive for your situation).
>
>  I then have additional filters that work on that data to provide
>  coarse-grain security (ie, if you don't pass the filter, you can't
>  access any of the application).
>
>  I also have a SecurityRoleManager bean that provides fine-grain
>  control by operating on the record stored in the session.   Ie,
>  "securityRoleManager.canEditDate()"
>
>  On 10/4/05, Eurig Jones <eu...@fugro-robertson.com> wrote:
>  > I'm trying to decide on a Login/Logout system to protect my files using
>  > JSF.. I've played about with extending NavigationHandler, but the
>  > problem is, it doesn't protect the files which aren't JSF, and you can
>  > still run the JSP files if you wanted to...
>  >
>  > How have you people gone about a database driven login/logout system
>  > using Faces?
>  >
>
>  --
>
> Regards
>
> Duncan Mills
> Senior Principal Product Manager
> Oracle Application Development Tools
>
> Duncan.Mills@oracle.com
>
>
>  --
>
> Regards
>
> Duncan Mills
> Senior Principal Product Manager
> Oracle Application Development Tools
>
> Duncan.Mills@oracle.com
>


--

http://www.irian.at
Your JSF powerhouse -
JSF Trainings in English and German

Re: Login system security

Posted by Duncan Mills <du...@oracle.com>.
Right - the nice thing about the jsf-security EL extensions is that 
they don't have to be driven from Container Security; you can plug in 
pretty much any home grown concept of a login page to authenticate and 
then your own auth mechanism as well. For instance, if you take the 
approach of using a "userInfo" bean on the session which is generated by 
your own login process, then it's trivial to hook that up into the EL 
interface.
I guess the next phase of jsf-security, where we're going to start 
protecting navigation targets based on role, will be of interest to you 
as well.
Duncan

Dave wrote:

> This is great!
> I posted a message before about how to login without any protected 
> page. I looked at the authenticator package where there is 
> FormAuthenticator. I'd like to do something similar, but without a protected page. 
> The user can click a login link and register all necessary info with the 
> session after successful authentication, and stay on the same page. 
> The page will render differently depending on roles.
>  
> It was suggested to have a dummy protected page that will redirect to the 
> current page. The problem is that the current page is stateful using 
> <saveState>, and the data will not be available by redirecting from 
> the dummy protected page.
>  
> I looked at the source code of the servlet authenticator package, but have 
> not figured out how to get the realm object to call authenticate(....).  
> Any help is appreciated.
> Thanks. Dave
>


-- 

Regards

Duncan Mills
Senior Principal Product Manager
Oracle Application Development Tools

Duncan.Mills@oracle.com


Re: Login system security

Posted by Dave <ja...@yahoo.com>.
This is great!
I posted a message before about how to login without any protected page. I looked at the authenticator package where there is FormAuthenticator. I'd like to do something similar, but without a protected page. The user can click a login link and register all necessary info with the session after successful authentication, and stay on the same page. The page will render differently depending on roles.
 
It was suggested to have a dummy protected page that will redirect to the current page. The problem is that the current page is stateful using <saveState>, and the data will not be available by redirecting from the dummy protected page.
 
I looked at the source code of the servlet authenticator package, but have not figured out how to get the realm object to call authenticate(....).  Any help is appreciated.
Thanks. Dave


Duncan Mills <du...@oracle.com> wrote:
Several Points here
1) Using Security Attributes within your pages. 
I'm about to release 1.0 of the jsf-security project on SourceForge (www.sourceforge.net/projects/jsf-security); this provides extensions to EL which will give you a new scope #{securityScope} and a bunch of attributes and pseudo functions such as #{securityScope.isUserInRole['manager,admin']} which allow you to use expressions to control rendering and read-only states of components - even if they are not "role" enabled in the way that the myfaces components are. jsf-security is fully pluggable and so if you use Acegi or a home grown Authorization / Authentication mechanism you can plug it in underneath the same consistent EL. 
The current version hooks into Container Security, and we've just started a JAAS adapter as well.
If anyone wants to get involved - particularly if you use Acegi today - get in touch.
For more info on this see this blog entry: and the project on SF. You can pull the source from CVS today and build - it all works, I just need to write the doc and localize the message strings... 

2) Using the database to Authenticate / Authorize
Your mileage will vary from container to container, but with OC4J (& Oracle App server) you can plug in your own custom login modules that can do just this - Frank and I, who work on the jsf-security project, just posted a paper on that process a few weeks back:
Declarative J2EE authentication and authorization with JAAS


Duncan 



Re: Login system security

Posted by Duncan Mills <du...@oracle.com>.
Several Points here
1) Using Security Attributes within your pages.
I'm about to release 1.0 of the jsf-security project on SourceForge 
(www.sourceforge.net/projects/jsf-security); this provides extensions to 
EL which will give you a new scope #{securityScope} and a bunch of 
attributes and pseudo functions such as 
#{securityScope.isUserInRole['manager,admin']} which allow you to use 
expressions to control rendering and read-only states of components - 
even if they are not "role" enabled in the way that the myfaces 
components are. jsf-security is fully pluggable and so if you use Acegi 
or a home grown Authorization / Authentication mechanism you can plug it 
in underneath the same consistent EL.
The current version hooks into Container Security, and we've just 
started a JAAS adapter as well.
If anyone wants to get involved - particularly if you use Acegi today - 
get in touch.
For more info on this see this blog entry 
<http://www.groundside.com/blog/content/DuncanMills/J2EE%20Development/2005/10/03/JSF_Security_Project_on_SourceForge.html>: 
and the project on SF. You can pull the source from CVS today and build 
- it all works, I just need to write the doc and localize the message 
strings...

2) Using the database to Authenticate / Authorize
Your mileage will vary from container to container, but with OC4J (& 
Oracle App server) you can plug in your own custom login modules that 
can do just this - Frank and I, who work on the jsf-security project, just 
posted a paper on that process a few weeks back:
Declarative J2EE authentication and authorization with JAAS 
<http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm>


Duncan


Dave wrote:

> Hi Andrew,
>  
> How to get a Realm object so that I can call authenticate()? I am 
> using a database to store username and password. Thanks.


-- 

Regards

Duncan Mills
Senior Principal Product Manager
Oracle Application Development Tools

Duncan.Mills@oracle.com
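
The EL arrangement Duncan describes, as an added illustration written for this thread and not code from the jsf-security project: a `securityScope` managed bean whose `isUserInRole` property is a Map, so that `#{securityScope.isUserInRole['manager,admin']}` resolves the property and then calls `get("manager,admin")` on it. The role source is an interface with two adapters, one over container security (`HttpServletRequest.isUserInRole`) and one over a home-grown `userInfo` record in the session. The `userInfo` key and its record shape, the `isUserInAllRoles` variant and the bean/adapter names are my assumptions; `FacesContext`, `getExternalContext()`, `getSessionMap()` and the servlet calls are the real JSF 1.x / Servlet APIs.

```java
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

/** Managed bean registered as "securityScope" (session or request scope) in faces-config.xml. */
public final class SecurityScope {

    /** Where identity and roles come from; pages never see which one is plugged in. */
    public interface RoleSource {
        String userName();
        boolean inRole(String role);
    }

    /** Adapter for container security: web.xml constraints, a realm, or a JAAS login module. */
    public static final class ContainerRoleSource implements RoleSource {
        private static HttpServletRequest request() {
            return (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
        }
        public String userName() { return request().getRemoteUser(); }
        public boolean inRole(String role) { return request().isUserInRole(role); }
    }

    /** Adapter for a home-grown login that put a "userInfo" record in the session (record shape assumed). */
    public static final class SessionRoleSource implements RoleSource {
        public static final class UserInfo {
            public final String name; public final Set<String> roles;
            public UserInfo(String name, Set<String> roles) { this.name = name; this.roles = roles; }
        }
        private static UserInfo userInfo() {
            Map<String, Object> session = FacesContext.getCurrentInstance().getExternalContext().getSessionMap();
            return (UserInfo) session.get("userInfo");   // assumed session key
        }
        public String userName() { UserInfo u = userInfo(); return u == null ? null : u.name; }
        public boolean inRole(String role) { UserInfo u = userInfo(); return u != null && u.roles.contains(role); }
    }

    private final RoleSource source;
    public SecurityScope() { this(new ContainerRoleSource()); }  // default; inject another via managed-property
    public SecurityScope(RoleSource source) { this.source = source; }

    /** #{securityScope.userName} */
    public String getUserName() { return source.userName(); }

    /** #{securityScope.authenticated} */
    public boolean isAuthenticated() { return source.userName() != null; }

    /** #{securityScope.isUserInRole['manager,admin']}: true when the user holds ANY listed role.
     *  EL resolves the property "isUserInRole" to this Map and then calls get("manager,admin"). */
    public Map<String, Boolean> getIsUserInRole() { return lookupMap(false); }

    /** #{securityScope.isUserInAllRoles['manager,admin']} (my own addition): true only for EVERY listed role. */
    public Map<String, Boolean> getIsUserInAllRoles() { return lookupMap(true); }

    private Map<String, Boolean> lookupMap(final boolean requireAll) {
        return new AbstractMap<String, Boolean>() {
            @Override public Boolean get(Object key) {
                if (key == null) return Boolean.FALSE;
                for (String role : key.toString().split(",")) {
                    boolean hit = source.inRole(role.trim());
                    if (hit && !requireAll) return Boolean.TRUE;    // any-mode: first match wins
                    if (!hit && requireAll) return Boolean.FALSE;   // all-mode: first miss fails
                }
                return Boolean.valueOf(requireAll);                 // all matched, or nothing matched
            }
            // The map is a pure lookup function; it has no enumerable entries.
            @Override public Set<Map.Entry<String, Boolean>> entrySet() { return Collections.emptySet(); }
        };
    }
}
```

In a page this reads as `rendered="#{securityScope.isUserInRole['manager,admin']}"` or `disabled="#{!securityScope.isUserInRole['editor']}"`, and switching from container roles to a session record means changing the managed-property that feeds `source`, not the pages. Because the Map never exposes entries, `c:forEach`-style iteration over it yields nothing, which is intended.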


Re: Login system security

Posted by Dave <ja...@yahoo.com>.
Hi Andrew,
 
How to get a Realm object so that I can call authenticate()? I am using a database to store username and password. Thanks.

Andrew robinson <an...@gmail.com> wrote:
I am using the built in Tomcat DataSourceRealm so that single sign-on is possible. My login is still using a normal JSP instead of JSF, so I can't use JSF components to build my login page. Has anyone integrated the form-based web.xml authentication with a JSF login page?


Re: Login system security

Posted by Andrew robinson <an...@gmail.com>.
I am using the built in Tomcat DataSourceRealm so that single sign-on is
possible. My login is still using a normal JSP instead of JSF, so I can't
use JSF components to build my login page. Has anyone integrated the
form-based web.xml authentication with a JSF login page?

On 10/4/05, Mike Kienenberger <mk...@gmail.com> wrote:
>
> I've switched from a login page to a filter that authenticates and sets
> the User database record in the session. (Actually, I fetch this
> record every request, and store it in the request, but that may be too
> excessive for your situation).
>
> I then have additional filters that work on that data to provide
> coarse-grain security (ie, if you don't pass the filter, you can't
> access any of the application).
>
> I also have a SecurityRoleManager bean that provides fine-grain
> control by operating on the record stored in the session. Ie,
> "securityRoleManager.canEditDate()"
>

Re: Login system security

Posted by Mike Kienenberger <mk...@gmail.com>.
I've switched from a login page to a filter that authenticates and sets
the User database record in the session.  (Actually, I fetch this
record every request, and store it in the request, but that may be too
excessive for your situation).

I then have additional filters that work on that data to provide
coarse-grain security (i.e., if you don't pass the filter, you can't
access any of the application).

I also have a SecurityRoleManager bean that provides fine-grain
control by operating on the record stored in the session.   I.e., 
"securityRoleManager.canEditDate()"

On 10/4/05, Eurig Jones <eu...@fugro-robertson.com> wrote:
> I'm trying to decide on a Login/Logout system to protect my files using
> JSF.. I've played about with extending NavigationHandler, but the
> problem is, it doesn't protect the files which aren't JSF, and you can
> still run the JSP files if you wanted to...
>
> How have you people gone about a database driven login/logout system
> using Faces?
>
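
Mike's layout (a filter that authenticates and keeps the user record in the session, plus a role bean for fine-grain checks) together with the database-driven login Eurig asked for, as an added example written for this thread and not Mike's or any project's code. A filter mapped to `/*` is what closes the gap Eurig hit with `NavigationHandler`: it sees every request, including a raw `.jsp` or static file. Assumptions, all mine: Java 8 with the `javax.servlet` API, JSF mapped to `*.jsf`, a DataSource at `java:comp/env/jdbc/appDS`, a table `users(name, pw_salt, pw_hash, roles)` holding a base64 salt, a base64 PBKDF2 hash and comma-separated roles, the session key `currentUser`, and the role names `editor`/`admin`.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.faces.context.FacesContext;
import javax.naming.InitialContext;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

/** Holder so the pieces compile as one file; register them as LoginSecurity$AuthenticationFilter etc. */
public final class LoginSecurity {
    static final String USER_KEY = "currentUser";   // session attribute for the User record (name assumed)
    static final String LOGIN_PAGE = "/login.jsf";  // assumed login URL; JSF mapped to *.jsf

    /** What login stores in the session (shape assumed). */
    public static final class User {
        final String name; final List<String> roles;
        User(String name, List<String> roles) { this.name = name; this.roles = roles; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Coarse-grain gate, mapped to /* so .jsp and static files are covered too. Deny by default. */
    public static final class AuthenticationFilter implements Filter {
        public void init(FilterConfig cfg) {}   public void destroy() {}
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpSession session = req.getSession(false);
            boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;
            String path = req.getServletPath();
            if (loggedIn || path.equals(LOGIN_PAGE) || path.startsWith("/static/")) {  // allow-list (assumed)
                chain.doFilter(rq, rs);
            } else {
                ((HttpServletResponse) rs).sendRedirect(req.getContextPath() + LOGIN_PAGE);
            }
        }
    }

    /** Request-scoped JSF managed bean behind h:inputText / h:inputSecret on the login page. */
    public static final class LoginBean {
        private String username, password;
        public String getUsername() { return username; }
        public void setUsername(String u) { username = u; }
        public String getPassword() { return ""; }      // never echo the password back into the page
        public void setPassword(String p) { password = p; }

        /** JSF action; map "success" to a <redirect/> navigation rule so the POST is not replayed. */
        public String login() throws Exception {
            User user = lookup(username, password);
            password = null;
            if (user == null) return "failure";
            HttpSession old = request().getSession(false);
            if (old != null) old.invalidate();           // fresh session id after login (session fixation)
            request().getSession(true).setAttribute(USER_KEY, user);
            return "success";
        }
        public String logout() {
            HttpSession s = request().getSession(false);
            if (s != null) s.invalidate();               // drops the record and the session id together
            return "loggedOut";
        }
        private static HttpServletRequest request() {
            return (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
        }

        /** Assumed schema: users(name, pw_salt, pw_hash, roles). Returns null on any mismatch. */
        static User lookup(String name, String password) throws Exception {
            if (name == null || password == null) return null;
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appDS"); // assumed
            try (Connection c = ds.getConnection();
                 PreparedStatement ps = c.prepareStatement(
                         "SELECT pw_salt, pw_hash, roles FROM users WHERE name = ?")) {  // bound, not concatenated
                ps.setString(1, name);
                try (ResultSet r = ps.executeQuery()) {
                    if (!r.next()) return null;
                    byte[] salt = Base64.getDecoder().decode(r.getString("pw_salt"));
                    byte[] stored = Base64.getDecoder().decode(r.getString("pw_hash"));
                    if (!MessageDigest.isEqual(stored, pbkdf2(password, salt))) return null; // constant-time
                    return new User(name, Arrays.asList(r.getString("roles").split(",")));
                }
            }
        }
        static byte[] pbkdf2(String password, byte[] salt) throws Exception {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        }
    }

    /** Fine-grain check for pages, e.g. rendered="#{securityRoleManager.canEditDate}". */
    public static final class SecurityRoleManager {
        public boolean isCanEditDate() {
            User u = (User) FacesContext.getCurrentInstance().getExternalContext().getSessionMap().get(USER_KEY);
            return u != null && (u.hasRole("editor") || u.hasRole("admin"));   // role names assumed
        }
    }
}
```

Wire the filter with a `<filter-mapping>` whose `<url-pattern>` is `/*`, and declare `LoginBean` (request scope) and `SecurityRoleManager` (request scope) as managed beans. Storing the record once at login means a role change in the database takes effect at the next login; Mike's variant of re-fetching the record on every request closes that window at the cost of a query per request.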