  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>WeatherRealm</realm-name>
    <form-login-config>
      <form-login-page>/home.xhtml</form-login-page>
      <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
  </login-config>
  <welcome-file-list>
    <welcome-file>protected/weather.xhtml</welcome-file>
  </welcome-file-list>
  ...
</web-app>
As shown in the bolded lines, in the security constraint part, only the weatherUser role can access the resources under the protected folder (/protected/*). In the login configuration part, the authentication method is set to FORM (i.e., form-based authentication), the realm name is set to WeatherRealm, and finally, in the form login configuration, the login page is set to home.xhtml (which is shown in Listing 12-3), while the error page (which is shown when the user fails to log in) is set to error.xhtml. When the login succeeds, the user is forwarded to the weather.xhtml page under the protected folder.
The weatherUser role defined for the application must be mapped to groups defined on the application server. For GlassFish, you can define the mapping between role and group in a configuration file (glassfish-web.xml), as shown in Listing 12-5.
Listing 12-5. glassfish-web.xml File
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC ...>
<glassfish-web-app error-url="">
  <context-root>/weather</context-root>
  <security-role-mapping>
    <role-name>weatherUser</role-name>
    <group-name>weather_user</group-name>
  </security-role-mapping>
  ...
</glassfish-web-app>
As shown in the configuration file, the role name (weatherUser) is mapped to an actual group name (weather_user) which exists in the realm repository (WeatherRealm).
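The following Python script is an added example, not one of the book's listings. It cross-checks the two descriptors discussed above: every role named in an auth-constraint of web.xml must have a security-role-mapping in glassfish-web.xml, and the form login and error pages are flagged if they sit under a protected URL pattern. The security-constraint block in the sample is reconstructed from the description in the text, and the function names (parse, covers, audit) are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The <security-constraint> is rebuilt from the prose
# description (weatherUser only, /protected/*); it is not the book's listing.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
 <security-constraint>
  <web-resource-collection><web-resource-name>protected</web-resource-name>
   <url-pattern>/protected/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>weatherUser</role-name></auth-constraint>
 </security-constraint>
 <login-config>
  <auth-method>FORM</auth-method><realm-name>WeatherRealm</realm-name>
  <form-login-config>
   <form-login-page>/home.xhtml</form-login-page>
   <form-error-page>/error.xhtml</form-error-page>
  </form-login-config>
 </login-config>
</web-app>"""
GLASSFISH_XML = """<glassfish-web-app>
 <security-role-mapping>
  <role-name>weatherUser</role-name>
  <group-name>weather_user</group-name>
 </security-role-mapping>
</glassfish-web-app>"""

def parse(text):
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
    return root

def covers(pattern, path):
    # Servlet url-pattern match: '/dir/*' prefix, '*.ext' suffix, else exact.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path.endswith(pattern[1:]) if pattern.startswith("*.") else path == pattern

def audit(web_xml, glassfish_xml):
    web, gf = parse(web_xml), parse(glassfish_xml)
    mapped = {m.findtext("role-name", "").strip() for m in gf.iter("security-role-mapping")}
    findings = [f"role '{r.text.strip()}' has no group mapping in glassfish-web.xml"
                for r in web.findall("security-constraint/auth-constraint/role-name")
                if r.text.strip() not in mapped]
    patterns = [p.text.strip() for p in web.findall("security-constraint//url-pattern")]
    for tag in ("form-login-page", "form-error-page"):
        page = (web.findtext(f"login-config/form-login-config/{tag}") or "").strip()
        findings += [f"{tag} '{page}' is under protected pattern '{p}'"
                     for p in patterns if page and covers(p, page)]
    return findings
```

Role names are compared case-sensitively, so a mapping for weatheruser does not satisfy a constraint on weatherUser.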
WeatherRealm is the store of the users and groups for the weather application; as you may remember, we had an APP_USER table which we used in order to store the application users. Thanks to JDBCRealm (which is supported in GlassFish and some of the other Java EE application servers), you can make your existing users/groups database a realm; however, we need to add another database table (APP_GROUP) in order to define the groups of the users, as shown in Figure 12-1.
Figure 12-1. Modifications in the weather application data model
Listing 12-6 shows the SQL statements which contain the attributes of both APP_USER and APP_GROUP and the relation between them.
