Automatically logging in to the JSF app when you visit again after logging in

On most typical Internet sites, when you log in and then leave the site by simply closing the tab (without logging out), on a repeat visit you do not need to re-enter your credentials or log in again; you are logged in to the system directly.

How does all this happen on the backend? How do I enable such a mechanism in my JSF 2.1 application?


Using JSF 2.1 on a Tomcat 7 server

+6
2 answers

This is usually done with a long-lived cookie. This functionality is not provided by the JSF API, as it is just a component-based MVC framework. It is also not provided by the standard Java EE APIs. Some authentication frameworks, such as Spring Security and Apache Shiro, offer this functionality.

If you need to implement this using "plain" Java EE / JSF, you will need to create a long-lived cookie on login with ExternalContext#addResponseCookie(). The cookie value must be long, unique, auto-generated and hard to guess (e.g. java.util.UUID), and you also store it in the DB associated with the user ID. You can then use a simple servlet filter to check the cookie in HttpServletRequest#getCookies() whenever no logged-in user is present. If the cookie is found and valid, log the user in automatically.

To increase security, give the end user the option to "lock" this cookie to the user's IP address, which you also store in the database along with the cookie value and the user ID.


+8
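The approach described in the answer above, as an added example (not the answer's own code): a plain Servlet 3.0 / JSF 2.1 remember-me with a random token issued at login, a hashed copy kept server-side, a servlet filter that checks it when the session has no user, and the optional IP lock. The names are assumptions: the cookie "remember_me", the session attribute "user", and RememberMeStore, an in-memory stand-in for the DB table (token hash, user ID, IP, expiry) you would actually use. Put each class in its own file in a real project.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.faces.context.FacesContext;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

/** Stand-in for the DB table (constructed for this example); replace with JDBC/JPA. */
final class RememberMeStore {
    static final class Entry {
        final String userId; final String ip; final long expiresAt;
        Entry(String userId, String ip, long expiresAt) { this.userId = userId; this.ip = ip; this.expiresAt = expiresAt; }
    }
    private static final Map<String, Entry> BY_HASH = new ConcurrentHashMap<String, Entry>();
    static void put(String hash, Entry e) { BY_HASH.put(hash, e); }
    static Entry get(String hash)        { return BY_HASH.get(hash); }
    static void remove(String hash)      { BY_HASH.remove(hash); }
}

final class RememberMe {
    static final String COOKIE = "remember_me";        // assumed cookie name
    static final String SESSION_USER = "user";         // assumed session attribute
    static final int MAX_AGE_SECONDS = 30 * 24 * 3600; // 30 days

    /** Call from the login bean after the password check succeeded and the user ticked "remember me". */
    static void issue(FacesContext ctx, String userId, boolean lockToIp) {
        HttpServletRequest req = (HttpServletRequest) ctx.getExternalContext().getRequest();
        String token = UUID.randomUUID().toString();   // 122 random bits: unique and unguessable
        long expiresAt = System.currentTimeMillis() + MAX_AGE_SECONDS * 1000L;
        // Store only the SHA-256 of the token, so a DB dump does not yield usable cookies.
        RememberMeStore.put(sha256Hex(token),
                new RememberMeStore.Entry(userId, lockToIp ? req.getRemoteAddr() : null, expiresAt));
        Map<String, Object> props = new HashMap<String, Object>();
        props.put("maxAge", MAX_AGE_SECONDS);
        props.put("path", cookiePath(req));
        props.put("secure", true);    // only ever sent over HTTPS
        props.put("httpOnly", true);  // not readable from JavaScript (property key available from JSF 2.1)
        ctx.getExternalContext().addResponseCookie(COOKIE, token, props);
    }

    static String cookiePath(HttpServletRequest req) {
        String cp = req.getContextPath();
        return cp.length() == 0 ? "/" : cp;
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(Charset.forName("UTF-8")));
            StringBuilder sb = new StringBuilder(64);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}

/** Mapped to every URL; only acts when the session holds no logged-in user. */
@WebFilter("/*")
public class RememberMeFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(RememberMe.SESSION_USER) != null;
        Cookie cookie = loggedIn ? null : find(req.getCookies(), RememberMe.COOKIE);
        if (cookie != null) {
            String hash = RememberMe.sha256Hex(cookie.getValue());
            RememberMeStore.Entry e = RememberMeStore.get(hash);
            boolean valid = e != null
                    && e.expiresAt > System.currentTimeMillis()
                    && (e.ip == null || e.ip.equals(req.getRemoteAddr())); // optional IP lock
            if (valid) {
                req.getSession(true).setAttribute(RememberMe.SESSION_USER, e.userId);
            } else {
                if (e != null) RememberMeStore.remove(hash);    // expired or wrong IP: revoke it
                Cookie dead = new Cookie(RememberMe.COOKIE, ""); // and tell the browser to drop it
                dead.setMaxAge(0);
                dead.setPath(RememberMe.cookiePath(req));
                res.addCookie(dead);
            }
        }
        chain.doFilter(request, response);
    }

    private static Cookie find(Cookie[] cookies, String name) {
        if (cookies != null) for (Cookie c : cookies) if (name.equals(c.getName())) return c;
        return null;
    }
}
```

Two caveats a practitioner will want: behind a reverse proxy getRemoteAddr() is the proxy's address, so the IP lock only works if the container is configured to trust the forwarded client address; and a token that stays the same for 30 days cannot tell a stolen cookie from the real one, so consider replacing the token on every successful automatic login (the series/token scheme the Spring Security remember-me documentation describes) and deleting the DB row on logout.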

If you use Spring Security or Apache Shiro, both support this with the appropriate filter. Spring Security works with a persistent store for remember-me tokens, and Shiro, I think, uses a hashed value.

Here's the Spring manual: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html

Here's the Shiro guide: http://shiro.apache.org/java-authentication-guide.html

If you use Java EE Security (please tell me you're not), you are limited to what your container supports, unless you want to write a login filter yourself. A custom filter can sign a cookie with a MAC and check it against a database. I don't think Tomcat 7 has a built-in module; you would probably need to look at GlassFish (which supports SSO; I don't think it supports remember-me).

+1
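The MAC-signed cookie this answer mentions, as an added example (not the answer's own code): a stateless remember-me value of the form userId:expiryMillis:hmac, where the HMAC-SHA256 over the payload is computed with a server-side secret, so a client can neither forge a value for another user nor extend the expiry. The cookie name "remember_me_mac", the payload layout and the key handling in main() are assumptions made for the example; in a real deployment the key comes from configuration, never from source.

```java
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;

public final class SignedRememberMe {
    private static final Charset UTF8 = Charset.forName("UTF-8");
    static final String COOKIE = "remember_me_mac";   // assumed cookie name
    private final byte[] key;                          // server secret, at least 32 random bytes

    public SignedRememberMe(byte[] key) { this.key = key.clone(); }

    /** Cookie value: payload followed by HMAC-SHA256(payload) in hex. */
    public String sign(String userId, long expiresAtMillis) {
        if (userId.indexOf(':') >= 0) throw new IllegalArgumentException("user id must not contain ':'");
        String payload = userId + ":" + expiresAtMillis;
        return payload + ":" + hex(hmac(payload));
    }

    /** Returns the user id when the value is untampered and unexpired, otherwise null. */
    public String verify(String value, long nowMillis) {
        if (value == null) return null;
        int last = value.lastIndexOf(':');
        if (last <= 0) return null;
        String payload = value.substring(0, last);
        byte[] expected = hex(hmac(payload)).getBytes(UTF8);
        byte[] given = value.substring(last + 1).getBytes(UTF8);
        // Constant-time comparison: a plain equals() would leak how many leading bytes matched.
        if (!MessageDigest.isEqual(expected, given)) return null;
        int sep = payload.lastIndexOf(':');
        if (sep <= 0) return null;
        long expires;
        try { expires = Long.parseLong(payload.substring(sep + 1)); } catch (NumberFormatException e) { return null; }
        if (expires < nowMillis) return null;   // expiry is inside the MAC, so the client cannot bump it
        return payload.substring(0, sep);
    }

    /** Ready-to-add servlet cookie with the flags a session-equivalent cookie needs. */
    public Cookie toCookie(String userId, long expiresAtMillis, String path) {
        Cookie c = new Cookie(COOKIE, sign(userId, expiresAtMillis));
        c.setMaxAge((int) ((expiresAtMillis - System.currentTimeMillis()) / 1000));
        c.setPath(path);
        c.setSecure(true);
        c.setHttpOnly(true);   // Servlet 3.0 (Tomcat 7)
        return c;
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(UTF8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** Demonstration with a key generated on the spot (constructed for this example). */
    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        SignedRememberMe rm = new SignedRememberMe(key);
        long now = System.currentTimeMillis();
        String value = rm.sign("alice", now + 30L * 24 * 3600 * 1000);
        System.out.println("valid    -> " + rm.verify(value, now));                            // alice
        System.out.println("tampered -> " + rm.verify(value.replace("alice", "admin"), now));  // null
        System.out.println("expired  -> " + rm.verify(rm.sign("alice", now - 1), now));        // null
    }
}
```

The trade-off against the database-backed token: nothing is stored server-side, so nothing needs a DB lookup per request, but a signed cookie cannot be revoked individually; logging out on one browser does not invalidate the others, and invalidating everything means rotating the key. That is why the answer suggests still checking the value against a database if you need revocation.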

Source: https://habr.com/ru/post/911340/

