I'm a novice at JSF and I got a couple of questions concerning organizing user authentication there.
1) How can i redirect the registered user to a welcome page (for example welcome.xhtml)? I heard about using Filter or navigation-rule tag, but i didn't found a full-blown tutorial of how it works.
2) How can i tell the server that unauthorized users can access not only the login page but also the registration page? Is there an analog for ASP.NET web.config tag or something like this?
The solution for requirement 1) is already achieved by the solution for requirement 2). You just let the user go to that URL directly. If the user is after all not logged in, then redirect them to the register/login page. That's how it normally works.
You need to implement a Filter which listens on an url-pattern matching the secured pages. E.g. /secured/*, /protected/*, etc. In the doFilter() method you just check for the presence of the logged in User in the current session and handle accordingly. Here's a basic kickoff example:
if (((HttpServletRequest) request).getSession().getAttribute("user") == null) {
// Not logged in, redirect to login page.
response.sendRedirect("login.jsf");
} else {
// Logged in, just continue with request.
chain.doFilter(request, response);
}
To get it to work with JSF, just know the fact that JSF stores session scoped managed beans as attributes of the HttpSession with the managed bean name as key.
Related
I have created a basic spring security authentication using UserDetailsService and now I am able to validate user. However, I don't understand how to achieve below things:
Once a user is logged in, when next request comes how and where do I check if the request is coming from the same logged in user or other logged in user?
I know the concept of Spring interceptors where I can intercept all incoming request. But is there something in spring security that does this?
How can I start a session after logging in and store values in session for that user?
I browsed through existing answers but most of examples are for logging in.
I would appreciate if someone can give me examples.
EDIT:
I think I should use session scoped beans in order to maintain user's session contents rather than manipulating httpsession directly.
I think you really need to spend some time reading the Spring security documentation and over all JSP, servlet and MVC architecture. You have several misunderstandings,
After authentication, you don't need to start a session it was already there when the request came. Remember request.getSession()we get the session from the request and I am really NOT aware of any other way i.e. instantiating session object and assigning it to request/response. After successful authentication spring automatically sets a SPRING_SECURITY_CONTEXT attribute in session and this variable is later used to determine whether user is already authenticated or not (Spring does that for you, you don't need to use this attribute).
In spring security we set an authentication entry point which has information about login page url and FORM_LOGIN_FILTER which has information about login processing url, login success url and login failure url among few other things.Every request whose session doesn't have SPRING_SECURITY_CONTEXT and auth attribute gets redirected to login page url.
I could give the code directly but it would be great if you read at least few pages of Spring documentation here. Once you understand the concepts and are still not able to solve the problem. Edit your question with detailed problem and we will try to fix it.
At first you need to create an Authentication object using current HttpRequest as below:
public class SessionService{
public Authentication getSession(HttpServletRequest request) {
HttpSession session=request.getSession();
SecurityContext ctx= (SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT");
Authentication auth=ctx.getAuthentication();
return auth;
}
}
Then, you can retrieve the session details from this Authentication object by passing the current HttpRequest as follows:
Authentication auth = sessionService.getSession(request);
The above auth object contains the details that you need.
I'm trying to set up access to a static HTML page - lets call it search.html.
I understand I can use cookies for this task, but is it possible with servlet sessions?
What options are there so access is only provided once a user is logged in? I have a login servlet that forwards to search.html however I only want this to be access once a user is logged in and a session is created.
Thanks
When the user logs in you store something in the Session indicating that. This can be as simple as a boolean flag or a full User object with roles etc. Then you write a filter which checks the presence of this flag or the roles of the user etc. Depending on the outcome you either let the reqest through or deny it with 403 Forbidden. Filters can be configured to paths in the web.xml.
I am developing a web application in Struts. I have a requirement that I have to check that a session exists for user. If the user session exists then user can access the resource, or I need to check session variable existence before accessing every JSP page.
For that I make use of filter where I check for the session variable existence. But when I use filter, every request is routed to that filter--even the login page request is routed to filter. The login page doesn't need the filter check applied, what to do for this?
This is typical session filter use case. For login page request, not to be filtered, you need have a different URL for login page which will be excluded in the URL mapping for the filter.
OR
In the filter itself, you can check what is the requested URL, its login page then don't check for the session. But I would recommend the earlier approach because its rightly address the Separation of Concern philosophy.
I am doing an incremental JSP --> Wicket migration. I had kept the JSP appliation and doing page by page migration. I gan go and return from JSP <--> wicket pages.But my problem is in JSP my logged in user credentials are stored in a Bean (UserBean,scope:session) and in JSP on each page I check logged in user from that bean.
But how can I get these informations in wicket? so that from my JSP page if a User is logged in, on wicket page load it can read that and set suer info so that my wicket log in page does not come.
my wicket page uses wicket-auth-role and checks with:
#AuthorizeInstantiation("ADMIN") public class HomePage extends BasePage {.....}
I have my own UserDetailsServcice and MyAuthenticationWebSession in wicket.
After some attempts and help from Don Roby, here I got userID from session in wicket:
final RequestCycle requestCycle = RequestCycle.get();
WebRequest wr=(WebRequest)requestCycle.getRequest();
HttpServletRequest hsr= wr.getHttpServletRequest();
AuthenticatedWebSession session = OrbitWebSession.get();
String username = (String)hsr.getSession().getAttribute("SessionUser");
Now,exactly where can I set username,password and call authenticate so that my page does not redirects to login page? Who calls authenticate() methods and how? I have tried onBeforeRender() method on my secured page,but it does not work. :(
More code specifically around the login process might help us make a more complete answer, but basically you have to get access to the normal servlet container session and thus to that bean from somewhere in wicket. Likely the best place to put that logic is somewhere in your MyAuthenticationWebSession, so that it knows the user is logged in.
To get at the servlet container session from wicket code, you can use
httpSession =
((WebRequest)request).getHttpServletRequest().getSession();
If at the point you're putting this in your wicket code you don't already have this WebRequest object (which is likely a ServletWebRequest object), you can get it from the RequestCycle:
RequestCycle requestCycle = RequestCycle.get();
Request request = requestCycle.getRequest();
authenticate is called by AuthenticatedWebSession during the login process. Unfortunately for you, most methods in the aforementioned class are marked final so it's a bit hard to customize.
What I think you should be able to do is to use the protected method signIn(boolean value) in the constructor of your own session. You get a Request there, from that you should hopefully be able to get your "SessionUser", then extract your User via your UserDetailsService, call signIn(true) and initialize the correct roles for that user. If signIn(true) is called, you shouldn't get a redirect to login.
In a Java Servlet I want to check programmatically whether a user is logged in or not.
The HttpServletRequest#getUserPrincipal() as pointed out in the other answer only applies when you make use of Java EE provided container managed security as outlined here.
If you're however homegrowing your own security, then you need to rely on the HttpSession. It's not that hard, here is an overview what you need to implement on each step:
On login, get the User from the DB and store it in session in servlet's doPost():
User user = userDAO.find(username, password);
if (user != null) {
session.setAttribute("user", user);
} else {
// Show error like "Login failed, unknown user, try again.".
}
On logout, just invalidate the session in servlet's doPost(). It will destroy the session and clear out all attributes.
session.invalidate();
To check if an User is logged in or not, create a filter which is mapped with an url-pattern which covers the restricted pages, e.g. /secured/*, /protected/*, etcetera and implement doFilter() like below:
if (session.getAttribute("user") == null) {
response.sendRedirect(request.getContectPath() + "/login"); // Not logged in, redirect to login page.
} else {
chain.doFilter(request, response); // Logged in, just continue chain.
}
That's basically all.
See also:
How to redirect to Login page when Session is expired in Java web application?
How to handle authentication/authorization with users in a database?
HttpServletRequest.getUserPrincipal()
The Java Servlet 3.1 Specification (Section 13.10) states:
Being logged into an application during the processing of a request, corresponds precisely to there being a valid non-null caller identity associated with the request as may be determined by calling getRemoteUser or getUserPrincipal on the request. A null return value from either of these methods indicates that the caller is not logged into the application with respect to the processing of the request.