JSF2 Security and Performance - JSF and HTML5

HTML and CSS Reference

In-Depth Information

Not ■ It is important to note that http basic authentication sends user names and passwords as Base64-encoded

text; while form-based authentication sends them as plain text, which means they are not secure, so they are

recommended to be used with secure transport mechanism (such as SSL). In order to configure SSL you need to check

the documentation of your application server because it is specific for every application server; for example in order to

configure SSL in tomcat 7, check the following link: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html .

Digest Authentication

Digest authentication authenticates a user based on a user name and a password (like basic HTTP authentication).

However, unlike basic authentication, digest authentication does not send user passwords over the network. Instead,

the client sends a one-way cryptographic hash of the password.

Configuring an Authentication Method

In order to configure the authentication method in your Java EE web application, you can use <login-config>

element as shown here in the web configuration file ( web.xml ):

<login-config>

<auth-method>FORM</auth-method>

<realm-name>jdbcRealm</realm-name>

<form-login-config>

<form-login-page>/home.xhtml</form-login-page>

<form-error-page>/error.xhtml</form-error-page>

</form-login-config>

</login-config>

As you may notice, <login-config> element has the following sub-elements:

•

<auth-method> element specifies the authentication mechanism for the web application.

It can be DIGEST, BASIC or FORM or NONE.

•

<realm-name> element specifies the realm name.

•

<form-login-config> element specifies the login and error pages. It should be used when the

form-based login is used.

Authorization

Authorization defines the role-based access control that determines what are the parts of the system which are

allowed to be accessed by users. In Java EE, in order to achieve this, you can use <security-constraint> element in

the web.xml as shown in Listing 12-1.

Listing 12-1. Sample <security-constraint> Example

<?xml version="1.0" encoding="UTF-8"?>

<web-app version="3.1" xmlns=" http://xmlns.jcp.org/xml/ns/javaee "

xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance "

Search WWH ::

Custom Search

Home