Document Information


Part I Introduction

1.  Overview

2.  Using the Tutorial Examples

Part II The Web Tier

3.  Getting Started with Web Applications

4.  JavaServer Faces Technology

5.  Introduction to Facelets

6.  Expression Language

7.  Using JavaServer Faces Technology in Web Pages

8.  Using Converters, Listeners, and Validators

9.  Developing with JavaServer Faces Technology

10.  JavaServer Faces Technology: Advanced Concepts

11.  Using Ajax with JavaServer Faces Technology

12.  Composite Components: Advanced Topics and Example

13.  Creating Custom UI Components and Other Custom Objects

14.  Configuring JavaServer Faces Applications

15.  Java Servlet Technology

16.  Uploading Files with Java Servlet Technology

17.  Internationalizing and Localizing Web Applications

Part III Web Services

18.  Introduction to Web Services

19.  Building Web Services with JAX-WS

20.  Building RESTful Web Services with JAX-RS

21.  JAX-RS: Advanced Topics and Example

Part IV Enterprise Beans

22.  Enterprise Beans

23.  Getting Started with Enterprise Beans

24.  Running the Enterprise Bean Examples

25.  A Message-Driven Bean Example

26.  Using the Embedded Enterprise Bean Container

27.  Using Asynchronous Method Invocation in Session Beans

Part V Contexts and Dependency Injection for the Java EE Platform

28.  Introduction to Contexts and Dependency Injection for the Java EE Platform

29.  Running the Basic Contexts and Dependency Injection Examples

30.  Contexts and Dependency Injection for the Java EE Platform: Advanced Topics

31.  Running the Advanced Contexts and Dependency Injection Examples

Part VI Persistence

32.  Introduction to the Java Persistence API

33.  Running the Persistence Examples

34.  The Java Persistence Query Language

35.  Using the Criteria API to Create Queries

36.  Creating and Using String-Based Criteria Queries

37.  Controlling Concurrent Access to Entity Data with Locking

38.  Using a Second-Level Cache with Java Persistence API Applications

Part VII Security

39.  Introduction to Security in the Java EE Platform

40.  Getting Started Securing Web Applications

41.  Getting Started Securing Enterprise Applications

42.  Java EE Security: Advanced Topics

Working with Digital Certificates

Creating a Server Certificate

To Use keytool to Create a Server Certificate

Adding Users to the Certificate Realm

Using a Different Server Certificate with the GlassFish Server

To Specify a Different Server Certificate

Authentication Mechanisms

Client Authentication

Mutual Authentication

Enabling Mutual Authentication over SSL

Creating a Client Certificate for Mutual Authentication

Using the JDBC Realm for User Authentication

To Configure a JDBC Authentication Realm

Securing HTTP Resources

Securing Application Clients

Using Login Modules

Using Programmatic Login

Securing Enterprise Information Systems Applications

Container-Managed Sign-On

Component-Managed Sign-On

Configuring Resource Adapter Security

To Map an Application Principal to EIS Principals

Configuring Security Using Deployment Descriptors

Specifying Security for Basic Authentication in the Deployment Descriptor

Specifying Non-Default Principal-to-Role Mapping in the Deployment Descriptor

Further Information about Security

Part VIII Java EE Supporting Technologies

43.  Introduction to Java EE Supporting Technologies

44.  Transactions

45.  Resources and Resource Adapters

46.  The Resource Adapter Example

47.  Java Message Service Concepts

48.  Java Message Service Examples

49.  Bean Validation: Advanced Topics

50.  Using Java EE Interceptors

Part IX Case Studies

51.  Duke's Bookstore Case Study Example

52.  Duke's Tutoring Case Study Example

53.  Duke's Forest Case Study Example



Using Form-Based Login in JavaServer Faces Web Applications

This section describes strategies for implementing form-based login in JavaServer Faces applications.

Using j_security_check in JavaServer Faces Forms

The most common way of authenticating a user in web applications is through a login form. As described in Form-Based Authentication, Java EE security defines the j_security_check action for login forms. This allows the web container to authenticate users from many different web application resources. Facelets forms, using the h:form, h:inputText, and h:inputSecret tags, however, generate the action and input IDs automatically, which means developers are unable to specify j_security_check as the form action, nor can they set the user name and password input field IDs to j_username and j_password, respectively.

Using standard HTML form tags allows developers to specify the correct action and input IDs for the form.

<form action="j_security_check" method="POST">
  <input type="text" name="j_username" />
  <input type="secret" name="j_password" />

This form, however, doesn’t have access to the features of a JavaServer Faces application, such as automatic localization of strings and the use of templating to define the look and feel of the pages. A standard HTML form, in combination with Facelets and HTML tags, allows developers to use localized strings for the input field labels while still ensuring the form uses standard Java EE security:

<form action="j_security_check" method="POST">
    <h:outputLabel for="j_username">#{bundle['login.username']}:</h:outputLabel>
    <h:inputText id="j_username" size="20" />

    <h:outputLabel for="j_password">#{bundle['login.password']}:</h:outputLabel>
    <h:inputSecret id="j_password" size="20"/>

    <input type="submit" value="#{bundle['login.submit']}" />

Using a Managed Bean for Authentication in JavaServer Faces Applications

A managed bean can authenticate users of a JavaServer Faces application, which allows regular Facelets form tags to be used instead of a mix of standard HTML and Facelets tags. In this case, the managed bean defines login and logout methods, and Facelets forms call these methods in the action attribute. The managed bean’s methods call the javax.servlet.http.HttpServletRequest.login and HttpServletRequest.logout methods to manage user authentication.

In the following managed bean, a stateless session bean uses the user credentials passed to the login method to authenticate the user and resets the caller identity of the request when the logout method is called.

public class LoginBean {
  private String username;
  private String password;

  public String getUsername() {
    return this.username;

  public void setUserName(String username) {
    this.username = username;

  public String getPassword() {
    return this.password;

  public void setPassword() {
    this.password = password;


  public String login () {
    FacesContext context = FacesContext.getCurrentInstance();
    HttpServetRequest request = (HttpServletRequest) 
    try {
      request.login(this.username, this.password);
    } catch (ServletException e) {
      context.addMessage(null, new FacesMessage("Login failed."));
      return "error";
    return "admin/index";

  public void logout() {
    FacesContext context = FacesContext.getCurrentInstance();
    HttpServetRequest request = (HttpServletRequest) 
    try {
    } catch (ServletException e) {
      context.addMessage(null, new FacesMessage("Logout failed."));

The Facelets form then calls these methods for user login and logout.

    <h:outputLabel for="usernameInput">
    <h:inputText id="usernameInput" value="#{loginBean.username}" 
                 required="true" />
    <br />
    <h:outputLabel for="passwordInput">
    <h:inputSecret id="passwordInput" value="#{loginBean.password}" 
                   required="true" />
    <br />
    <h:commandButton value="${bundle['login.submit']" 
                     action="#{loginBean.login}" />