Automatic login to JSF application on revisits, after once logged in

For most typical internet-facing websites, when you log in and leave the website by just closing the tab (without logging out), then on subsequent revisits you may not be required to re-specify your credentials or log in; you are directly logged in.

How does all that happen on the backend? How can I enable such a mechanism in my JSF 2.1 application?


Using JSF 2.1 on a Tomcat 7 server.

Rajat Gupta asked Mar 21 '12 17:03


2 Answers

This is basically done by a long-living cookie. This functionality is not provided by the JSF API as it's just a simple component based MVC framework. This functionality is also not provided by the standard Java EE API. Some authentication frameworks like Spring Security and Apache Shiro offer this functionality.

If you need to implement this using "plain" Java EE / JSF, then you'd need to create a long-living cookie yourself during login by ExternalContext#addResponseCookie(). The cookie value must be a long, unique, autogenerated and hard-to-guess value (e.g. java.util.UUID) which you also store in the DB associated with the user ID. Then, you can use a simple servlet filter to check for the cookie by HttpServletRequest#getCookies() when the logged-in user has been confirmed to be absent. If the cookie is found and is valid, then auto-login the user.

To improve security, provide the end user, if necessary, with the option to "lock" this cookie to the user's IP, which you also store in the DB along with the cookie ID and user ID.

See also:

  • How to implement "Stay Logged In" when user login in to the web application
  • How do I keep a user logged into my site for months?
BalusC answered Nov 10 '22 17:11
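A minimal version of the cookie-plus-filter approach the answer above describes, as an added example (it is not BalusC's code and not part of the original answer). The TokenStore interface, the "tokenStore" context attribute, the cookie name and the 30-day lifetime are assumptions; the example goes slightly beyond the answer by storing only a hash of the token and setting the HttpOnly and Secure flags.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class RememberMeFilter implements Filter {
    public static final String COOKIE_NAME = "remember";  // assumed cookie name
    static final int MAX_AGE_SECONDS = 30 * 24 * 60 * 60; // assumed lifetime: 30 days
    // Assumed DB-backed store (not on the page); it holds SHA-256(token), never the raw token.
    public interface TokenStore {
        String findUserIdByTokenHash(String tokenHash);  // null if unknown or expired
        void save(String userId, String tokenHash, long expiresAtMillis);
    }
    private TokenStore store;
    // Hash before storing or looking up, so a leaked token table does not hand out working cookies.
    static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    // Call this from the login bean after the password check and add the cookie to the response.
    public static Cookie issue(TokenStore store, String userId) {
        String token = UUID.randomUUID().toString();      // long, random, hard-to-guess value
        store.save(userId, hash(token), System.currentTimeMillis() + MAX_AGE_SECONDS * 1000L);
        Cookie c = new Cookie(COOKIE_NAME, token);
        c.setMaxAge(MAX_AGE_SECONDS); c.setPath("/");
        c.setHttpOnly(true); c.setSecure(true);           // unreadable from script, never sent over plain HTTP
        return c;
    }
    @Override public void init(FilterConfig cfg) {
        store = (TokenStore) cfg.getServletContext().getAttribute("tokenStore"); // assumed attribute
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;
        Cookie[] cookies = http.getCookies();
        if (!loggedIn && cookies != null) {               // consult the cookie only when no user is present
            for (Cookie c : cookies) {
                if (!COOKIE_NAME.equals(c.getName())) continue;
                String userId = store.findUserIdByTokenHash(hash(c.getValue()));
                if (userId != null) http.getSession(true).setAttribute("user", userId); // auto-login
            }
        }
        chain.doFilter(req, res);
    }
    @Override public void destroy() {}
}
```

Register the filter in web.xml (or with @WebFilter) in front of the pages that need a logged-in user, and have the logout action delete the DB row as well as the cookie so a stolen cookie stops working.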


If you're using Spring Security or Apache Shiro, both of them support this with the proper filter. On the backend Spring Security works by having a persistent store of remember me tokens, and Shiro I think signs a hash value.

Here's the spring guide: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html

Here's the shiro guide: http://shiro.apache.org/java-authentication-guide.html

If you're using Java EE Security (please tell me it ain't so), you're limited to what your container can support, unless you want to design a custom login filter. A custom filter could sign a cookie with a MAC code and validate it against a database. I don't believe Tomcat 7 has this built in; you'd probably need to check out GlassFish (which supports SSO, I don't think it supports remember me).

Jonathan S. Fisher answered Nov 10 '22 16:11