Using JEE container-managed security

To secure a JSF web application, you can use container-managed security, which is handled by a JEE-compliant web application server. This topic gives a few details, including sample login and error JSPs, as well as a list of EGL security-related functions.

You may also want to review the documentation for your web application server.

Assigning roles and constraints in web.xml

In JEE security, permission to access web resources is based on a security role such as clerk or manager. Each role is a developer-assigned status and is stored in the JEE deployment descriptor (web.xml) that accompanies the application code. Also stored in web.xml is a set of constraints that define which web pages are available to the users who are ultimately assigned to a given role.

To customize web.xml, do as follows:
  1. In your web project, right-click the deployment descriptor and click the Pages tab.
  2. In the Login box, specify the authentication method (for example, Form, which involves use of login and error pages), and specify the related detail (for example, references to the specific login and error pages).

Creating login and error pages

If you are using the Form authentication method, you can customize the following JSP pages:

  • Sample login JSP
    <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
        pageEncoding="ISO-8859-1"%>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
        <title>Insert title here</title>
      </head>
      <body>
        <H1>Login Page</H1>
        <%-- The container handles j_security_check itself; the field names
             j_username and j_password are required for form login. --%>
        <form method="POST" action="j_security_check">
          User Name : <input type="text" name="j_username"/>
          Password  : <input type="password" name="j_password"/>
          <input type="submit" value="Login"/>
        </form>
      </body>
    </html>
  • Sample error JSP
    <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
        pageEncoding="ISO-8859-1"%>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
        <title>Insert title here</title>
      </head>
      <body>
        <H1>Login Error Page</H1>
        Status   =  Login Error !!!
      </body>
    </html>

Assigning users and groups in application.xml

A deployer (usually a system administrator) associates each security role with specific users and groups. The deployer makes that association by customizing the EAR project deployment descriptor (application.xml), usually by working on the Security tab for that file.

Using system functions that support JEE security

The following security-related functions, from the system library J2EELib, are available in any JSF handler, regardless of the authentication type.
