Tuesday, 2 March 2010

Beginning Java EE 6. JSF 2.0 Tutorial. Part 3. Implementing Security. Access Control Logic via Annotations

OK. It's time for security. In the previous tutorials, Part 1 and Part 2,
we laid some groundwork. Now we are going to move into the real application development.

I did an extensive search on the internet looking for best practice with regards to implementing
security in a Java EE 6/JSF 2.0 application. The reference samples from Sun..(Ooops Oracle..lol)
only provide examples of how to use the authentication functions of the container. However, in
the real world, user access credentials and roles are mostly stored in the database and can therefore not
be hardcoded in the web.xml file.

Alternative solutions seem to use Acegi Security for implementing Access Control Logic (ACL). However, I'm not keen on
learning Spring at this time just to implement security. That solution also exponentially increases the number of
jars I have to worry about during deployment.

Another alternative is to use frameworks like JBoss Seam that provide in-built ACLs, but at the time of this writing,
Seam is not compliant with the JSF 2.0 specification. Also, IMHO, this is not enough reason to adopt a full framework for this project,
so we will implement it ourselves.

Let's get started.

I assume you have read Part 1 and Part 2. If you haven't, please do, as I will
make a lot of assumptions about things such as your simplea folder location, having run setenv.bat etc.
However, the main concept should be easy to follow without reading those previous sessions.

Also, we are using the JSF 2.0 reference implementation (Mojarra). If you are using a different implementation such
as Apache MyFaces, you will have to find the corresponding class names in your distribution and make the changes accordingly.
As we go along, I will mention it whenever we use anything Mojarra-specific.


NB. Since we are not using an IDE yet, I want to say that if I say we create a
Java class com.simplea.here.Foobar, I mean you should create the folder structure

com\simplea\here in the folder src\main\java and
in that folder create a file with the name Foobar.java

Task 1.
Add the following to your pom.xml file

So your complete pom.xml looks like this

Task 1.
create Java Class com.simplea.jsf.extensions.CustomApplicationFactory

Enter the following in the file

NB: In this class, we are overriding a Sun-specific class. You must replace it with the corresponding
class name in your JSF 2.0 implementation.

Task 2.
create Java Class com.simplea.jsf.extensions.CustomActionListener
Enter the following in the file

Task 3.
create Java Class com.simplea.jsf.extensions.CustomApplication

Enter the following in the file

Task 4.
create Java Class com.simplea.security.SecurityManager

Enter the following in the file

The authenticate method is overloaded to accept different security credentials depending on the client environment.
At the moment it will only take UsernamePasswordCredentials, so let's go ahead and create it.

Task 5.
create Java Class com.simplea.security.UsernamePasswordCredentials

Enter the following in the file

Task 5.
create Java Class com.simplea.annotations.SecuredClass

Enter the following in the file

Task 6.
create Java Class com.simplea.annotations.SecuredMethod

Enter the following in the file

Task 7.
create Java Class com.simplea.handler.DashboardHandler

Enter the following in the file

This handler has the SecuredClass annotation on it. That means no method on it should
be called without being logged in. At the moment that is what we will use to test our SecuredClass annotation.

Task 8.
create Java Class com.simplea.handler.LoginHandler

Enter the following in the file

The Login Handler does not have any of our security annotations so you can click the login button.

Now let's test our classes to make sure they compile.

All these instructions are run on the command prompt.

Run setenv.bat. I assume you know how to do that.

Then cd to your simplea folder.

From now on, when I say type an mvn command, I will assume you have run setenv.bat in your current command prompt, and changed directory to the root of the simplea application folder.

type command

If that does not produce any errors, then you are good to proceed to the next Step. Make sure your code
compiles before proceeding to Step 2.


This is the site's security story at the moment; it will be built on.
Any user can access the index.xhtml and login.xhtml pages without having to log in.

To access the dashboard.xhtml page, the user must be logged in. At the moment, since only the LoginHandler
calls the securityManager.authenticate(), we will assume the user has logged in. In the next session when
we integrate a database, we will finish that up.

We accomplish the security requirements for dashboard.xhtml by just annotating the DashboardHandler
with @SecuredClass.
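To make the class-level and method-level checks concrete, here is an added, framework-free sketch of the decision the CustomActionListener has to take before it invokes a handler method. It is not the tutorial's code: the AccessGuard class, the LoginHandler.logout() method and the static loggedIn flag (standing in for session state a real listener would read through FacesContext) are assumptions.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class AccessGuard {
    // Assumed stand-in for the session state a real listener would read via FacesContext.
    static boolean loggedIn = false;
    /** True when the action may run: unsecured, or secured and the user is logged in. */
    static boolean allowed(Object handler, String action) throws NoSuchMethodException {
        Method m = handler.getClass().getMethod(action);
        boolean secured = handler.getClass().isAnnotationPresent(SecuredClass.class)
                || m.isAnnotationPresent(SecuredMethod.class);
        return !secured || loggedIn;
    }
    /** Mirrors the listener's decision: invoke the action, or divert to the login view. */
    static String dispatch(Object handler, String action) throws Exception {
        if (!allowed(handler, action)) {
            return "login";   // the navigation outcome the listener would force instead
        }
        return (String) handler.getClass().getMethod(action).invoke(handler);
    }
    public static void main(String[] args) throws Exception {
        System.out.println("anonymous, dashboard.show -> " + dispatch(new DashboardHandler(), "show"));
        System.out.println("anonymous, login.login    -> " + dispatch(new LoginHandler(), "login"));
        System.out.println("logged in, dashboard.show -> " + dispatch(new DashboardHandler(), "show"));
        System.out.println("logged in, login.logout   -> " + dispatch(new LoginHandler(), "logout"));
    }
}

// Class-level guard: every action on the handler requires a logged-in user.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
@interface SecuredClass {}

// Method-level guard for handlers that mix public and protected actions.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface SecuredMethod {}

@SecuredClass
class DashboardHandler {
    public String show() { return "dashboard"; }
}

class LoginHandler {   // no class annotation, so login() is reachable before logging in
    public String login() { AccessGuard.loggedIn = true; return "dashboard"; }  // stands in for authenticate()
    @SecuredMethod public String logout() { AccessGuard.loggedIn = false; return "index"; }
}
```

Save it as AccessGuard.java and run it with `java AccessGuard.java` (Java 11 or later). Note that an action listener only sees JSF action invocations, so a direct GET of dashboard.xhtml is not covered by this check and needs its own guard (for example a servlet filter or a view-level check).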

1.a) Create a file in the src\main\webapp\WEB-INF folder called faces-config.xml

1.b) Enter the following into that file

2.a) Create a file in the src\main\webapp folder called login.xhtml

2.b) Enter the following into that file

3.a) Create a file in the src\main\webapp folder called dashboard.xhtml

3.b) Enter the following into that file

We need to update index.xhtml to include links to those pages.

4. Delete the content of the index.xhtml and insert the following

I am sure you have noticed the repetition in those pages and are wondering why we don't templatize them. Yes, we will do that
when we start actually designing the site. At this stage, it's important we don't deviate.

Step 3

Undeploy and deploy.
Our undeploy/deploy sequence is becoming repetitive, so I have created a batch file to do that for us.

In the folder C:\home\training\simplea, create a file called undeploy_deploy.bat

Enter the following into that file

Also, I have updated C:\home\setenv.bat so the default path is in the application folder.
So open it and replace the content with this

Make sure GlassFish is running. Instructions for doing that are available in the previous sessions.

Open a command prompt, change directory to C:\home\training\simplea and type

and press enter

Now browse to

You will observe that clicking the dashboard link takes you to the login screen. Just enter anything
to log in. Then you will be taken to the dashboard. Also see that once logged in, clicking the dashboard link
doesn't require you to log in again.

In the next installment of this series,

we will integrate a database (MySQL 5) and JPA. Then we will complete this security by doing a proper check
against the database and acting accordingly. Stay tuned.


Timofey said...

thanks, very useful post

Gordan Jugo said...

Good post...
Here is an article on how to implement security with a JDBC security realm to secure a JSF application.

Karl Meier said...

This is very well explained and useful. Where can I find the part where you are creating the DB and connect it to the application?