I just started learning Java EE. My goal is to implement a web portal (with EJB 3 and JSF) for badminton players, where the users can post and analyze their results.
To keep it simple (well it turns out it really isn’t) I have decided to use the security system the container provides (JBoss as7). After some problem I have managed to get the authentication/authorization to work. However, I have one issue which I haven’t been able to solve.
When I try to access a protected page I get, as expected, intercepted by the security system. However, after I have logged in I’m not re-directed to the page I initially requested. Instead I’m once more asked to log in.
If I manually type the original address, I can access the page without any trouble.
I have read many threads on stackoverflow, but haven’t been able to solve my problem. I would really appreciate if someone could help me!
Authentication.java:
@ManagedBean
@SessionScoped
public class Authentication {
private String username = "";
private String password = "";
private User user = new User();
@EJB
UserService service;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public User getUser() {
return user;
}
public void login() {
FacesContext context = FacesContext.getCurrentInstance();
HttpServletRequest request = (HttpServletRequest) context
.getExternalContext().getRequest();
try {
Principal userPrincipal = request.getUserPrincipal();
if (userPrincipal != null) {
request.logout();
}
request.login(username, password);
user = service.find(username, password);
} catch (ServletException e) {
context.addMessage(null, new FacesMessage("Unknown login"));
}
}
public String logout() {
FacesContext.getCurrentInstance().getExternalContext()
.invalidateSession();
return "login";
}
}
login.xhtml
<h:body>
<h:form>
<h:outputLabel for="username" value="Username" />
<h:inputText id="username" value="#{authentication.username}" required="true" />
<h:message for="username" />
<br />
<h:outputLabel for="password" value="Password" />
<h:inputSecret id="password" value="#{authentication.password}" required="true" />
<h:message for="password" />
<br />
<h:commandButton value="Login" action="#{authentication.login()}" />
<h:messages globalOnly="true" />
</h:form>
</h:body>
home.xhtml
<!DOCTYPE html>
<html xmlns='http://www.w3.org/1999/xhtml'
xmlns:f='http://java.sun.com/jsf/core'
xmlns:h='http://java.sun.com/jsf/html'
xmlns:ui='http://java.sun.com/jsf/facelets'
xmlns:p="http://primefaces.org/ui">
<h:head>
<link type="text/css" rel="stylesheet"
href="#{request.contextPath}/themes/cupertino/skin.css" />
</h:head>
<h:body>
<h:form>
<h:commandButton action="login" value="Log in" />
</h:form>
</h:body>
web.xml
....
<display-name>BadmintonPortal</display-name>
<welcome-file-list>
<welcome-file>/pages/protected/user/user_home.xhtml</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
<url-pattern>*.jsf</url-pattern>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<context-param>
<param-name>primefaces.THEME</param-name>
<param-value>cupertino</param-value>
</context-param>
<!-- Protected area definition -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Area - ADMIN Only</web-resource-name>
<url-pattern>/pages/protected/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Area - USER and ADMIN</web-resource-name>
<url-pattern>/pages/protected/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<!-- Login page -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/pages/public/login.xhtml</form-login-page>
<form-error-page>/pages/public/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
<!-- System roles -->
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
Edit:
Forgot to include faces-config.xml file
<?xml version="1.0" encoding="UTF-8"?>
<faces-config xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_1.xsd"
version="2.1">
<navigation-rule>
<navigation-case>
<from-outcome>login</from-outcome>
<to-view-id>/pages/protected/user/user_home.xhtml</to-view-id>
<redirect/>
</navigation-case>
</navigation-rule>
</faces-config>
jboss-web.xml
<?xml version='1.0' encoding='UTF-8'?>
<jboss-web>
<context-root>BadmintonPortal</context-root>
<security-domain>java:/jaas/BadmintonPortalRealm</security-domain>
</jboss-web>
Edit 2:
Working solution
@ManagedBean
@ViewScoped
public class Authentication {
...
public Authentication() {
ExternalContext eContext = FacesContext.getCurrentInstance()
.getExternalContext();
uri = (String) eContext.getRequestMap().get(
RequestDispatcher.FORWARD_REQUEST_URI);
}
public void login() {
FacesContext context = FacesContext.getCurrentInstance();
HttpServletRequest request = (HttpServletRequest) context
.getExternalContext().getRequest();
try {
Principal userPrincipal = request.getUserPrincipal();
if (userPrincipal != null) {
request.logout();
}
request.login(username, password);
user = service.find(username, password);
context.getExternalContext().getSessionMap().put("user", user);
context.getExternalContext().redirect(uri);
} catch (ServletException e) {
context.addMessage(null, new FacesMessage("Unknown login"));
} catch (IOException e) {
e.printStackTrace();
}
}
public String logout() {
FacesContext.getCurrentInstance().getExternalContext()
.invalidateSession();
return "login";
}
}
You’re taking over the login part by using a JSF form which performs a programmatic login in a JSF managed bean upon submit. If you were using a plain HTML form which submits directly to the container managed authentication URL
j_security_checkas outlined in the first part of this answer, then you would indeed automatically be redirected to the initial page.However, since you’re taking the login in own hands using JSF yourself, then you should also be navigating to the initial page using JSF yourself. As the login page is usually opened by a server-side forward by
RequestDispatcher#forward(), the initially requested page is available as a request attribute with the name as specified inRequestDispatcher.FORWARD_REQUEST_URIconstant. In JSF terms, that’s thus available as follows:(keep in mind to have a fallback URL for the case it returns
null, i.e. when it’s been opened directly without hitting a restricted URL first)The best place to collect it would be the (post)constructor of a
@ViewScopedbean associated with the login page. With the current session scoped bean approach, it’d probably be better to make it a view scoped one and during login explicitly put theUserin the session scope as follows:this way the user is available by
#{user}directly instead of#{authentication.user}.