Using Form-Based Login in JavaServer Faces Web Applications
This section describes strategies for implementing form-based login in JavaServer Faces applications.
Using j_security_check in JavaServer Faces Forms
The most common way of authenticating a user in web applications is through a login form. As described in Form-Based Authentication, Java EE security defines the j_security_check action for login forms. This allows the web container to authenticate users from many different web application resources. Facelets forms, using the h:form, h:inputText, and h:inputSecret tags, however, generate the action and input IDs automatically, which means developers are unable to specify j_security_check as the form action, nor can they set the user name and password input field IDs to j_username and j_password, respectively.
Using standard HTML form tags allows developers to specify the correct action and input IDs for the form.
<form action="j_security_check" method="POST"> <input type="text" name="j_username" /> <input type="secret" name="j_password" /> ... </form>
This form, however, doesn’t have access to the features of a JavaServer Faces application, such as automatic localization of strings and the use of templating to define the look and feel of the pages. A standard HTML form, in combination with Facelets and HTML tags, allows developers to use localized strings for the input field labels while still ensuring the form uses standard Java EE security:
<form action="j_security_check" method="POST"> <h:outputLabel for="j_username">#{bundle['login.username']}:</h:outputLabel> <h:inputText id="j_username" size="20" /> <h:outputLabel for="j_password">#{bundle['login.password']}:</h:outputLabel> <h:inputSecret id="j_password" size="20"/> <input type="submit" value="#{bundle['login.submit']}" /> </form>
Using a Managed Bean for Authentication in JavaServer Faces Applications
A managed bean can authenticate users of a JavaServer Faces application, which allows regular Facelets form tags to be used instead of a mix of standard HTML and Facelets tags. In this case, the managed bean defines login and logout methods, and Facelets forms call these methods in the action attribute. The managed bean’s methods call the javax.servlet.http.HttpServletRequest.login and HttpServletRequest.logout methods to manage user authentication.
In the following managed bean, a stateless session bean uses the user credentials passed to the login method to authenticate the user and resets the caller identity of the request when the logout method is called.
@Stateless @Named public class LoginBean { private String username; private String password; public String getUsername() { return this.username; } public void setUserName(String username) { this.username = username; } public String getPassword() { return this.password; } public void setPassword() { this.password = password; } ... public String login () { FacesContext context = FacesContext.getCurrentInstance(); HttpServetRequest request = (HttpServletRequest) context.getExternalContext().getRequest(); try { request.login(this.username, this.password); } catch (ServletException e) { ... context.addMessage(null, new FacesMessage("Login failed.")); return "error"; } return "admin/index"; } public void logout() { FacesContext context = FacesContext.getCurrentInstance(); HttpServetRequest request = (HttpServletRequest) context.getExternalContext().getRequest(); try { request.logout(); } catch (ServletException e) { ... context.addMessage(null, new FacesMessage("Logout failed.")); } } }
The Facelets form then calls these methods for user login and logout.
<h:form> <h:outputLabel for="usernameInput"> #{bundle['login.username']: </h:outputLabel> <h:inputText id="usernameInput" value="#{loginBean.username}" required="true" /> <br /> <h:outputLabel for="passwordInput"> #{bundle['login.password']: </h:outputLabel> <h:inputSecret id="passwordInput" value="#{loginBean.password}" required="true" /> <br /> <h:commandButton value="${bundle['login.submit']" action="#{loginBean.login}" /> </h:form>