Secure Your JSF Application with JAAS


12 Responses

  1. Iker says:

    This is a great and complete example of JAAS+JSF. Good job! Thank you!

    • admin says:

      Thank you, Iker! I’m glad that you found this application useful. I will try to release a new and more complex version soon.

  2. Edwin F. López says:

    Hi and thanks. This proves really useful.
    One quick question though: how different would this be for GlassFish?

    • ixtendo says:

      To deploy this on GlassFish, you must see where this application server keeps the Subject. In Tomcat, the subject is kept under a specific key (you can find the name of the key in the secure filter).

  3. msteinbe says:

    Hi, thank you for your complete example.
    I also have a question:
    In the filter (securityFilterListener) you save the new subject in session, under the key:
    In the authentication controller, you get the subject saved in session with the method: Subject.getSubject(AccessController.getContext())
    It works fine, I just don’t understand how you found this out, and I didn’t find any documentation.
    Can you explain to me how it works and where to find some documentation?
    Thanks!

    • ixtendo says:

      I found that key by examining the Tomcat source code. To understand how Tomcat uses the respective key, you’ll have to dig in the Tomcat source code. That’s because I debugged that code a few years ago to understand how it worked and, unfortunately, don’t remember it anymore.

  4. richa says:

    Hi, thanks for such a great example. Could you please elaborate a little on how to perform this: “To build the project, you have to install Maven and call mvn clean package.” I have Maven installed but am new to it, so I don’t know how to build the project with Maven. I am using Ubuntu 12.04. Could you please tell me how to build the project step by step?

    Thanks a lot.

    • richa says:

      Hey, I directly deployed the jjwa.war file in the webapps dir of Tomcat. When I try to log in to the page in the browser with admin/admin or with user/user (username/password), I get a java.lang.NullPointerException. Could you please say why? I have changed the following in my dao-context.xml

      Any idea why it gives me an exception?

  5. richa says:

    OK. Now I don’t get any exceptions. I am able to run the application the way you said. But I have a few questions:

    1. If I want to make “user” see the admin’s page (the page which admin sees when he logs in), what should I do? I mean, where exactly is that particular check done? In the catalina.policy code which we added? Please tell me how I can make user see the admin page. That would be interesting to know.
    2. I have deployed jjwa.war in the webapps of Tomcat. I have set up the database the way you said. So when I access the jjwa application, does it use the MySQL database tables? Is the example which you described about doctor, patient etc. just to explain, or can we really make use of it with this sample code?

    • ixtendo says:

      Regarding Maven, first you must download and unzip it. Then, navigate to the project folder where the pom.xml file is located. Here, you must call mvn clean package. If you don’t have Maven set in your path, then you’ll have to invoke it like this: /usr/share/mvn/bin/ clean package. (I assumed that you have Maven installed in the /usr/share/ folder). The .war archive will be placed in the target folder located in the same directory as pom.xml.

      Answers to your questions:

      1. The security check is done in two places: one is the MVC layer (see the SecurityController class) and the second is the service layer, through an AOP join point (see the AuthorizationCheckerExecutor class).
      2. When you access the application, the user rights are read from the MySQL database. The example with the doctor and the patient was given just to explain the RBAC security model.

  6. Fred says:

    This is a great example. Thank you so much for making it available. I got it to work very easily. Question: Would it be difficult to get this to work with JBoss or WebLogic? Would I somehow have to incorporate the contents of the catalina.policy file if I want to try to get this working for JBoss or WebLogic? Thanks and keep up the great work.

  7. islam says:

    Hi, thank you very much for your complete and quite complex example.

    When I tried the app, I got the NullPointerException when logging in.
    I dug in the source code and I found that
    Subject subject = SecurityUtil.getSubject(); returns null =>
    this is the line that caused the issue.

    I changed the code to:
    Subject subject = loginContext.getSubject();
    and it worked for me.
    Now I would like to understand what the problem was,
    and whether you would like to share with us a new version using the new servlet and new releases of the APIs.

    Thank you a lot.
