Monday, June 06, 2011

JSF 2.x Facelets Form Based Authentication (j_security_check)

Previously, I posted an example of how to use JSF 1.2 with form based authentication (j_security_check).

In this example, I use JSF 2.x to perform the same kind of login. The code is very similar, but the logout method has been simplified in JSF 2. There is no need to get the HttpSession object to invalidate the session. Here is my comment from the previous article:

One of the common issues that comes up frequently is how to use form based authentication with JSF with j_security_check. This code example and NetBeans project demonstrate how to use JSF and facelets with various browsers. The code is simple and undecorated. I wanted to make sure it had the broadest browser compatibility.

Maven project: jsf2-login.zip

Note: If you test it with other browsers, please post a comment to let me know what it works on. The list below is what I have available to me.

Compatibility

  • Mozilla Firefox 4
  • Internet Explorer 8
  • Chrome 11
  • Safari 5
  • Opera 11

Note: The xhtml form below did not work on Internet Explorer 8 until I disabled the comments in the web.xml file. There is a comment in the file which also indicates that it is an issue with IE 8.

Note: The login.xhtml form uses an HTML based form and not a JSF <h:form /> tag.

login.xhtml


<?xml version="1.0" encoding="UTF-8"?>
<!--
 Copyright 2011 Blue Lotus Software, LLC.
 Copyright 2011 John Yeary.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html">
    <head>
        <title>Login</title>
    </head>
    <body>
        <form method="post" action="j_security_check" name="loginForm">
            <h:panelGrid columns="2">
                <h:outputLabel id="userNameLabel" for="j_username" value="#{msgs.username}:"/>
                <h:inputText id="j_username" autocomplete="off" />
                <h:outputLabel id="passwordLabel" for="j_password" value="#{msgs.password}:"/>
                <h:inputSecret id="j_password" autocomplete="off"/>
                <div/>
                <h:panelGroup>
                    <h:commandButton type="submit" value="Login"/>
                    <h:commandButton type="reset" value="Clear"/>
                </h:panelGroup>
            </h:panelGrid>
        </form>
    </body>
</html>

SessionBean.java


/*
 *  Copyright 2011 Blue Lotus Software, LLC.
 *  Copyright 2011 John Yeary <jyeary@bluelotussoftware.com>.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *       http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
/*
 *  $Id:$
 */
package com.bluelotussoftware.example.jsf.login;

import java.io.Serializable;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/**
 *
 * @author John Yeary <jyeary@bluelotussoftware.com>
 * @version 1.0
 */
@ManagedBean
@SessionScoped
public class SessionBean implements Serializable {

    private static final long serialVersionUID = 916055190609044881L;

    /**
     * Default constructor.
     */
    public SessionBean() {
    }

    /**
     * Logs the current user out by invalidating the session.
     * @return &quot;logout&quot; which is used by the {@literal faces-config.xml}
     * to redirect back to the {@literal index.xhtml} page.
     */
    public String logout() {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        ExternalContext externalContext = facesContext.getExternalContext();
        externalContext.invalidateSession();
        return "logout";
    }
}

3 comments:

  1. truly interesting stuff!
    Forms

  2. What are the login credentials to test out the feature? I'm looking through any config while within the project, can't find any.

    I want to trace the behavior on successful login

  3. The example uses the Apache Tomcat security mechanism. You need to configure the tomcat-users.xml file for the user and roles you want to allow access.
