Authentication in JSF
posted 15 years ago
Can someone point me to design patterns for user authentication in JSF?
posted 15 years ago
I am wondering, and I might be wrong, why user authentication would be any different in JSF w.r.t. design patterns.
Care to shed some light, J?
OCMJEA/SCEA, SCDJWS, SCBCD 1.3, SCJP 1.4
My SCEA experience: http://javalogue.blogspot.com/
J Gupta
Ranch Hand
Posts: 30
posted 15 years ago
Rahul, thanks for asking.
If I was implementing a Front Controller I could have added a Filter for authentication; I was wondering if there is a standard practice for separating the authentication concern in your design.
Rahul Mishra
Ranch Hand
Posts: 211
posted 15 years ago
Well, that was my point exactly. A concern like authentication does not change whether you use JSF/Struts/anything else, and hence the fact that I conceptualize it as a 'Front Controller' does not change.
The way I realize a front controller might change based on the capabilities of the framework and the platform, but that still doesn't change that my intent is to intercept all requests and ensure that they belong to an authenticated user.
My point being: the design pattern does not change; the realization of it might.
OCMJEA/SCEA, SCDJWS, SCBCD 1.3, SCJP 1.4
My SCEA experience: http://javalogue.blogspot.com/
posted 15 years ago
Placing your authentication as well as authorization logic in a Servlet filter could be an option, in case you don't want to use the declarative security provided by a container. You get looser coupling between the functionality defined by your application. In this scenario, however, you will have to implement the authentication logic yourself; you can also use any of the security frameworks available "out there", e.g. JAAS, Spring Security, you name it.
With regards to security patterns, I would advise you to have a look at the book "Core Security Patterns", which describes, for example, the Authentication Enforcer (if I am not mistaken) design pattern.
As a result, the possible scenario could be to define a servlet filter, which will delegate to your authentication enforcer, which, in turn, will either perform the authentication itself, by calling a DB for example, or will delegate to a security framework you choose to use, e.g. JAAS.
Hope it helps,
Janis
SCEA 5.0, SCBCD 5.0, SCWCD 1.4, SCJP 5.0
OMG-Certified UML Professional, Intermediate; OMG-Certified UML Professional, Fundamental
posted 15 years ago
Hi All,
I read somewhere that, with a security filter, the security principal will not be propagated to the EJB container. I'm not sure whether it is still true or not!
How about form-based authentication over SSL for authentication & authorization, and a security filter for additional security features like handling XSS attacks etc.?
Do you see any problem in this approach?
Best regards,
Sri.
Janis Kazakovs
Ranch Hand
Posts: 33
posted 15 years ago
As far as I know, the propagation of the security context should be supported by web and application servers. As soon as you have established the user's identity on the presentation tier, it should be propagated to the business tier. You can configure your servers to use transport layer security in order to meet confidentiality requirements.
If you do not use the declarative security provided to you out of the box by the web container and implement authentication in, for example, a servlet filter by means of JAAS, you will have to do some manual work, such as implementing a LoginModule and configuring a JAAS realm on your server. As soon as you have made all the necessary steps, on authentication of a request JAAS will check the user's credentials and will establish the user's identity, represented by the java.security.Principal class. Since you implement the authentication manually, from your filter, you will have to store the Principal instance in the session and refer to it on every request.
Janis
SCEA 5.0, SCBCD 5.0, SCWCD 1.4, SCJP 5.0
OMG-Certified UML Professional, Intermediate; OMG-Certified UML Professional, Fundamental
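The filter-plus-enforcer arrangement Janis describes in his two replies above (a servlet filter that intercepts every request, delegates the actual credential check to an Authentication Enforcer, stores the resulting java.security.Principal in the session and consults it on every request), written out as an added example. This is not code from the thread or from the Core Security Patterns book; the interface name AuthenticationEnforcer, the session attribute name, the login view path, and the Servlet 3.0 @WebFilter mapping are all assumptions. A real AuthenticationEnforcer implementation would wrap a JAAS LoginContext or a DB lookup; that part is left as an interface here.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical Authentication Enforcer (name assumed): the filter delegates to
 * this so that the "how" of authentication (JAAS LoginContext, DB lookup,
 * Spring Security, ...) sits behind one interface and can be swapped.
 */
interface AuthenticationEnforcer {
    /** Returns the authenticated Principal, or null if the credentials are rejected. */
    Principal authenticate(String username, char[] password);
}

/**
 * Front Controller style filter: every request passes through here. Requests
 * that carry an authenticated Principal in the session proceed; all others are
 * redirected to the login view. Mapped to "/*" (Servlet 3.0 annotation; on an
 * older container declare the same mapping in web.xml instead).
 */
@WebFilter("/*")
public class AuthenticationFilter implements Filter {

    static final String PRINCIPAL_ATTR = "authenticatedPrincipal"; // assumed attribute name
    static final String LOGIN_PAGE = "/login.xhtml";               // assumed JSF login view

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login view itself must stay reachable, otherwise nobody can ever log in.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.equals(LOGIN_PAGE)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): do not create a session for anonymous requests.
        HttpSession session = request.getSession(false);
        Principal principal = (session == null) ? null
                : (Principal) session.getAttribute(PRINCIPAL_ATTR);
        if (principal == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Expose the stored identity through the standard getUserPrincipal() so
        // downstream code (JSF beans, other filters) does not need to know about
        // the session attribute.
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override public Principal getUserPrincipal() { return principal; }
        }, res);
    }

    /**
     * Called from the login form's action (e.g. a JSF managed bean) with the
     * submitted credentials. Establishes the session identity on success.
     */
    static boolean login(HttpServletRequest request, AuthenticationEnforcer enforcer,
                         String username, char[] password) {
        Principal principal = enforcer.authenticate(username, password);
        Arrays.fill(password, '\0'); // do not keep the secret around longer than needed
        if (principal == null) {
            return false;
        }
        // Rotate the session on login: a session id handed out before
        // authentication must not remain valid afterwards (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(PRINCIPAL_ATTR, principal);
        return true;
    }

    @Override
    public void destroy() { }
}
```

Two points the thread touches on are visible here. First, because the container's realm is bypassed, the Principal lives only in the HttpSession; the wrapper makes it available via getUserPrincipal() inside the web tier, but it is not the container's security context, so propagation to an EJB tier is not automatic in this setup. Second, storing the identity manually means the session life cycle is now your responsibility: invalidating the pre-login session and creating a fresh one is the minimum, and the same attribute should be removed (or the session invalidated) on logout.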
Janis Kazakovs
Ranch Hand
Posts: 33
posted 15 years ago
Btw, in the case of JSF, an action listener could be an alternative to a servlet filter to perform authentication.
SCEA 5.0, SCBCD 5.0, SCWCD 1.4, SCJP 5.0
OMG-Certified UML Professional, Intermediate; OMG-Certified UML Professional, Fundamental
J Gupta
Ranch Hand
Posts: 30
posted 15 years ago
Janis Kazakovs wrote: Btw, in the case of JSF, an action listener could be an alternative to a servlet filter to perform authentication.
Right off the bat, that's what I was looking for.
Thanks a lot, I wish you a happy new year.