This morning I went through chapters 39, 40 and 41 of the JEE6 textbook, but I am very, very confused. I have no background in web application security with JEE6, and I find it very hard to understand and implement.
I need to create an authorization mechanism for my web application. My case is also not very simple for a JEE6 beginner like me, so I decided to look for the easiest way to do this.
I thought I would explain my idea so you can correct me and give me some tips on what the easiest way to do this would be.
Idea:
My web application uses a PrimeFaces component called a dock, which shows a login dialog when the user clicks the last item. This navigation bar lives in the JSF template that all other pages of the application use.
<h:body>
    <p:dock position="top">
        <p:menuitem value="Naslovna" icon="unsecuredimages/naslovna.png" url="main.xhtml" alt="The image could not be found." />
        <p:menuitem value="Register" icon="unsecuredimages/register.png" url="registration.xhtml" alt="The image could not be found." />
        <p:menuitem value="Cesta pitanja" icon="unsecuredimages/faq.png" url="faq.xhtml" alt="The image could not be found." />
        <p:menuitem value="Login" icon="unsecuredimages/login.png" url="#" onclick="dlg.show()" />
    </p:dock>

    <p:dialog header="Prijavite se" widgetVar="dlg" modal="true" draggable="false" resizable="false" effect="SLIDE">
        <!-- The command button only submits inside a form; the fields are bound to the
             session-scoped SecurityController so that its logIn() sees the typed values. -->
        <h:form id="loginForm">
            <h:outputText value=" Em@il :" />
            <h:inputText id="email" value="#{securityController.email}" required="true" />
            <br/>
            <h:outputText value="Lozinka:" />
            <!-- inputSecret rather than inputText: the password is masked and not re-rendered. -->
            <h:inputSecret id="password" value="#{securityController.password}" required="true" />
            <br/>
            <h:commandButton value="Prijavi se" action="#{securityController.logIn}" />
        </h:form>
    </p:dialog>

    <br/><br/><br/><br/><br/><br/>
    <ui:insert name="mainForm" />
    <ui:insert name="registrationForm" />
    <ui:insert name="registrationBuyerForm" />
    <ui:insert name="registrationSellerForm" />
    <ui:insert name="faqForm" />
    <ui:insert name="registrationSuccessForm" />
</h:body>
I think JSF should have a backing bean that passes the e-mail and password to the EJB.
import java.io.Serializable;
import javax.ejb.EJB;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;   // JSF scope: @ManagedBean ignores the CDI javax.enterprise.context.SessionScoped
import ejbinterfaces.IAuthentificationEJB;

@ManagedBean
@SessionScoped
public class SecurityController implements Serializable {   // session-scoped beans must be serializable
    private static final long serialVersionUID = 1L;

    @EJB
    private IAuthentificationEJB authentificationEJB;
    private String email;
    private String password;

    // Called by the command button of the login dialog.
    public void logIn() {
        authentificationEJB.saveUserState(email, password);
    }

    public String getEmail() { return email; }
    public String getPassword() { return password; }
    public void setEmail(String email) { this.email = email; }
    public void setPassword(String password) { this.password = password; }
}
Then the EJB should handle login and logout (this is where I got really confused):
import javax.ejb.Stateful;
import ejbinterfaces.IAuthentificationEJB;

@Stateful(name = "ejbs/AuthentificationEJB")
public class AuthentificationEJB implements IAuthentificationEJB {

    // Login
    public boolean saveUserState(String email, String password) {
        // 1 - Send a query to the database to see whether that user exists
        // 2 - If the query returns the user object, store it somewhere in the session (HOW?)
        // 3 - Return true if the user state was saved
        // 4 - Return false otherwise
        return false;
    }

    // Logout
    public void releaseUserState() {
        // 1 - Check whether something is saved in the session (or wherever the state is kept)
        // 2 - If so, flush it
    }

    // Check whether the user is logged in
    public boolean checkAuthentificationStatus() {
        // 1 - Check whether something is saved in the session (this means the user is logged in)
        // 2 - If no user is logged in, return false
        return false;
    }
}
I decided not to use the JDBC realm or the other authentication mechanisms described in the JEE6 tutorial because I was really confused, so I think it's easier for me to do this manually for now. Here are my doubts about this approach:
- Is this approach right (can this be done)?
- Should the EJB be @Stateless or @Stateful in this case (the user retrieved from the database has 2 string fields)?
- Where should I store the identifier of the user retrieved from the database so that it lasts until the user decides to log out?
- If I need to keep a user's state in a session until he/she decides to log out, how can I do this?
- With this approach, will the user's session be deleted when the browser is closed without logging out (and if not, how can I expire his/her session automatically after some time without activity)?
I really appreciate your help.
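The manual flow the question sketches (check the credentials in an EJB, keep the logged-in user's identity in the HTTP session, drop it on logout), as an added example that is not the asker's code. It assumes a JPA persistence unit, a hypothetical User entity that stores a salted PBKDF2 hash of the password instead of the password itself, and a login form bound to securityController.email / securityController.password; the public classes are shown in one listing but go in separate files of the same package.

```java
// Added example, not the asker's code. Assumed: a JPA persistence unit, the hypothetical
// User entity below, and a JSF form bound to securityController.email / password.
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.enterprise.context.SessionScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NoResultException;
import javax.persistence.PersistenceContext;
import javax.persistence.Table;

/** Hypothetical entity: only a per-user salt and a PBKDF2 hash are stored, never the password. */
@Entity
@Table(name = "app_user")
class User {
    @Id private Long id;
    private String email;
    private byte[] salt;
    private byte[] passwordHash;
    Long getId() { return id; }
    byte[] getSalt() { return salt; }
    byte[] getPasswordHash() { return passwordHash; }
}

/** PBKDF2 from the JDK's standard provider; registration must hash with the same parameters. */
final class PasswordHash {
    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 20000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}

/** Stateless: the check keeps nothing per user, so the container may pool and reuse instances. */
@Stateless
public class AuthenticationService {
    @PersistenceContext private EntityManager em;

    /** Returns the user's id on success; null for an unknown e-mail or a wrong password. */
    public Long authenticate(String email, char[] password) {
        User u;
        try {
            u = em.createQuery("SELECT u FROM User u WHERE u.email = :email", User.class)
                  .setParameter("email", email)
                  .getSingleResult();
        } catch (NoResultException e) {
            return null;
        }
        byte[] candidate = PasswordHash.pbkdf2(password, u.getSalt());
        // Constant-time comparison, so the check does not leak how many bytes matched.
        return MessageDigest.isEqual(candidate, u.getPasswordHash()) ? u.getId() : null;
    }
}

/** Session-scoped CDI bean: it is the "somewhere in the session" and holds only the user's id. */
@Named
@SessionScoped
public class SecurityController implements Serializable {
    private static final long serialVersionUID = 1L;
    @EJB private AuthenticationService auth;
    private String email;
    private transient String password;   // filled by the form, cleared right after the check
    private Long userId;                 // null means "not logged in"

    public String logIn() {
        Long id = auth.authenticate(email, password == null ? new char[0] : password.toCharArray());
        password = null;                 // never keep the clear-text password in the session
        if (id == null) {
            // One generic message for both failures, so the form does not reveal which e-mails exist.
            FacesContext.getCurrentInstance().addMessage(null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR, "Wrong e-mail or password.", null));
            return null;                 // stay on the current page
        }
        userId = id;
        return "main?faces-redirect=true";
    }

    public String logOut() {
        userId = null;
        // Invalidating the HTTP session discards this bean and everything else stored in it.
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "main?faces-redirect=true";
    }

    public boolean isLoggedIn() { return userId != null; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

The @Named bean needs an empty WEB-INF/beans.xml for CDI to pick it up, and pages can test #{securityController.loggedIn} to decide what to render. Closing the browser only drops the session cookie on the client; the server-side session, and the bean with it, stays alive until the idle timeout set in web.xml (`<session-config><session-timeout>30</session-timeout></session-config>`, in minutes) or until logOut() invalidates it. Serve the login form over HTTPS, since the password travels in clear text inside the POST otherwise.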