Concepts, Java EE security defines the j_security_check action for login forms. This allows the web container to authenticate users from many different web application resources. Facelets forms, using the h:form, h:inputText, and h:inputSecret tags, however, generate the action and input IDs automatically, which means developers are unable to specify j_security_check as the form action, nor can they set the user name and password input field IDs to j_username and j_password, respectively.
Using standard HTML form tags allows developers to specify the correct action and input IDs for the form.
<form action="j_security_check" method="POST">
    <input type="text" name="j_username" />
    <input type="password" name="j_password" />
    ...
</form>
This form, however, doesn't have access to the features of a JavaServer Faces application,
such as automatic localization of strings and the use of templating to define the look and
feel of the pages. A standard HTML form, in combination with Facelets and HTML tags,
allows developers to use localized strings for the input field labels while still ensuring the
form uses standard Java EE security:
<form action="j_security_check" method="POST">
    <h:outputLabel for="j_username">#{bundle['login.username']}:</h:outputLabel>
    <h:inputText id="j_username" size="20" />
    <h:outputLabel for="j_password">#{bundle['login.password']}:</h:outputLabel>
    <h:inputSecret id="j_password" size="20"/>
    <input type="submit" value="#{bundle['login.submit']}" />
</form>
Using a Managed Bean for Authentication in JavaServer Faces Applications
A managed bean can authenticate users of a JavaServer Faces application, which allows regular Facelets form tags to be used instead of a mix of standard HTML and Facelets tags. In this case, the managed bean defines login and logout methods, and Facelets forms call these methods in the action attribute. The managed bean's methods call the javax.servlet.http.HttpServletRequest.login and HttpServletRequest.logout methods to manage user authentication.
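A managed bean along the lines described above, as an added example that is not code from the original tutorial. The bean name authBean, its username and password properties, the message texts and the navigation outcomes are assumptions.

```java
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Added example: bean name, properties and outcome strings are assumptions. A Facelets form
// binds its inputs to #{authBean.username} / #{authBean.password}, action="#{authBean.login}".
@ManagedBean(name = "authBean")
@RequestScoped
public class AuthBean {
    private String username;
    private String password;
    public String login() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest req = (HttpServletRequest) ctx.getExternalContext().getRequest();
        if (req.getUserPrincipal() != null) {
            return "home";   // login() throws if a caller identity already exists
        }
        try {
            req.login(username, password);   // container validates against its realm
            return "home";
        } catch (ServletException e) {
            // One generic message: do not reveal which of the two fields was wrong.
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Login failed.", null));
            return null;     // redisplay the login page
        } finally {
            password = null; // do not keep the credential on the bean
        }
    }

    public String logout() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest req = (HttpServletRequest) ctx.getExternalContext().getRequest();
        try {
            req.logout();    // clears the caller identity for this request
        } catch (ServletException e) {
            ctx.addMessage(null, new FacesMessage("Logout failed."));
        }
        ctx.getExternalContext().invalidateSession(); // drop session-scoped state too
        return "login?faces-redirect=true";
    }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```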