How to Create a Secure JSF/JPA Web App on Glassfish 4

Captions
Welcome to this screencast on how to configure your JavaServer Faces web application for security using a MySQL database. To get your system up and running as quickly as possible, there are several tasks that have to be completed in order: here are the first four, and here are the final four. This doesn't include testing your application, so actually that would be nine.

There are many ways to create the database tables that you're going to need for secure access to your web application. Basically you're going to need some user accounts and some group membership information, but there are many different ways to do this, and a lot of the information on the Internet is either misleading or dead wrong. I can't cover the hundreds of different ways of doing this, but I can show you one way that works very well and gives you a lot of flexibility.

I'm using MySQL, I think it's version 5.5. Some of you might be using a newer version and your Workbench may look different than mine; however, the basic concepts are going to be the same. What we're going to do is view our existing databases. Here are mine; yours are obviously going to be different. I'm going to give you an SQL script that creates a sample database just for the demo program, and this database will be called JDBC realm. You can see I've already created it. To load the script that creates this database, find an icon or menu selection to open an SQL script, then navigate to the demo project, which is called JSF Secure, and in the source directory under main/sql you'll find the script. Open that up and take a look at what it's going to do: it creates a database called JDBC realm, uses that database to create tables, creates a table called users, and creates another table called groups.

The users table will have a username and a password. Notice that the username is a VARCHAR of up to 255 characters, it is required (NOT NULL), and it is also the primary key. Then there's a password field, also a VARCHAR of 255 characters. That's very important, because we're not going to store our passwords as simple plaintext; we're going to hash them, and we'll need all of those characters for the hashed value. We won't hash them immediately, however; you'll see how that unfolds in a moment.

Now the groups table: these are the roles that these users can play. This particular version has a username, which matches up with the username in the users table, and a group name, which associates a particular user with a particular group. There are other ways of doing this that are more efficient; doing it this way we're going to have some duplication. In other words, let's say we have a group called admin, or for example a group called user: here's Sally, who's in the user group, and Tom, who's also in the user group. So in this groups table you're going to have one entry for each user, and you'll be repeating group names in some cases, like we did with user, but that's okay because it doesn't take up a lot of space and this is really the easiest way to do it.

I don't recommend that you modify the groups table at all. The users table, however, if you want to store additional information about your users (say address, phone number, whatever), you can add those fields; just don't modify the existing fields. I also strongly recommend that your username be an email address rather than creating a separate email field. The reason is that email addresses are almost always unique values, and they serve a dual purpose if you use them as a username: not only do you have a username, you have an email address that you can use to send them information. On the other hand, if you prefer the traditional username concept and a separate email field, you're free to do that as well.

So we're going to create these two tables and then insert some sample accounts: we've got Bob, who is an administrator, and Sally and Tom, who are users, and temporarily we're just going to use password1, password2 and password3. Those will be changed later, and you'll see how that works. This script creates everything you need for the sample program, and you can use similar concepts within your own database. To run the script, find the icon to execute it. I'm not going to execute it because I've already done that, and that will create your database.

Now that we have the database tables created and the sample accounts entered, we need to replace the clear-text passwords that were provided (remember we had password1, password2 and password3) with hashed versions. There's a utility class that I've provided, called hash password generator, and if you open it up, this code will generate the hashed versions of these three passwords. The reason we need to do this is that hashing is a form of encryption that is specifically one-way: it's called a one-way hash, and that means the passwords are encrypted but cannot be decrypted. That's why it's called a one-way hash, so it's a very good form of security. The reason we need to store passwords in hashed form is so that any sensitive data stored in the database is not available to anyone who might have mischievous ideas in mind. For example, you could have a disgruntled employee who is a system administrator with access to the database, and they could steal sensitive information. So hashing passwords and protecting other sensitive information is just a good basic best practice for managing web apps.

We're going to use this sample code to call this method: we pass in a password and it returns a hashed version, and then we just output that to the console. Here I'm creating three at a time; you could change this and create one at a time or whatever you want to do. We're going to go ahead and run this (Run File), and in a few seconds you'll see the hashed versions of the passwords. Here they are, in order. Now we're going to copy each of these individually. Copy the first one, that's password1, go to our database, go to the users table in our JDBC realm database, edit the users table, highlight the clear-text password and paste in the hashed version. I've already done it, but you'll do that for each one, and after you've replaced all three you'll hit Apply Changes (I don't have any changes, but you will), and then you'll have stored the hashed versions. You can see why we needed 255 characters; these things get very long. This step is mandatory, so please be sure you do it exactly as described.

The next thing we need to do is configure the JDBC realm. A realm is a security term that indicates that the server has to be configured to support handling security for us. Here's how we do that: switch to the Services tab in NetBeans, find your GlassFish server and start it. I've already started mine to save time. Once the server is running, you can tell by this little green chevron icon. Right-click on it and go to View Domain Admin Console; this will bring up the administrative screen for the server in your web browser, and here's the main screen. Now go over to the navigation area and find Configurations > server-config.
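The hashing step described above, as an added example that is not the screencast's own hash password generator class (which uses Google Guava): a plain Java program that produces the same kind of digest using only java.security.MessageDigest, so it runs without the Guava dependency. It assumes the realm settings chosen on the page, digest algorithm SHA-256 and charset UTF-8, and it assumes lowercase hex encoding, which is what the GlassFish JDBC realm's default encoding for digests produces; confirm that against the Encoding field of your realm before pasting the output into the users table. The three sample passwords are the ones from the page's script.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not the screencast's class): produces the digest a GlassFish
 * JDBC realm configured with digest-algorithm SHA-256, charset UTF-8 and hex
 * encoding expects to find in the users.password column.
 */
public class PasswordDigestExample {

    /** Matches the realm's default digest algorithm chosen on the page. */
    private static final String DIGEST_ALGORITHM = "SHA-256";

    /**
     * Returns the SHA-256 digest of the UTF-8 bytes of the password as lowercase
     * hex. Assumption: your realm's Encoding field is hex (the default for a
     * digest); if it is Base64, encode the bytes with java.util.Base64 instead.
     */
    public static String hashPassword(String clearText) {
        try {
            MessageDigest md = MessageDigest.getInstance(DIGEST_ALGORITHM);
            byte[] digest = md.digest(clearText.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory in every Java SE implementation, so this is unreachable in practice.
            throw new IllegalStateException(DIGEST_ALGORITHM + " not available", e);
        }
    }

    /**
     * How a realm verifies a login: recompute the digest of the candidate and
     * compare it with the stored value. MessageDigest.isEqual is constant-time,
     * so the comparison does not leak how many leading characters matched.
     */
    public static boolean matches(String candidate, String storedHexDigest) {
        return MessageDigest.isEqual(
                hashPassword(candidate).getBytes(StandardCharsets.US_ASCII),
                storedHexDigest.toLowerCase().getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Sample passwords from the page's SQL script; replace with your own.
        String[] samples = { "password1", "password2", "password3" };
        for (String pw : samples) {
            String digest = hashPassword(pw);
            // A SHA-256 digest is 32 bytes, i.e. 64 hex characters, well within VARCHAR(255).
            System.out.println(pw + " -> " + digest + " (" + digest.length() + " chars)");
        }
        // Sanity check: the stored digest verifies against its password and rejects another.
        String stored = hashPassword("password1");
        System.out.println("password1 verifies: " + matches("password1", stored));
        System.out.println("password2 verifies: " + matches("password2", stored));
    }
}
```

Run it with `javac PasswordDigestExample.java && java PasswordDigestExample` and paste each 64-character line into the matching row. One caveat a practitioner will want: the JDBC realm applies the digest without a per-user salt or work factor, so if the users table ever leaks, a short or common password can be recovered offline quickly; strong password requirements and a unique password per account are what limit that exposure with this realm type.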
Under server-config, go to the Security section, and under Security go to Realms. When you click on Realms you'll see this screen. I've already created a JDBC realm; you'll need to create yours by clicking the New button. When you click it you'll get the following dialog box, which I've already filled in. Type in the name of the realm, and use the same terminology I'm using, all lowercase: jdbc-realm. Then set the JAAS context exactly as you see it here: jdbcRealm. Set the JNDI name exactly as you see it here. Then identify your user table: this is the schema name and this is the actual table name. Then identify the user name column, the password column, the group table, the group table user name column, and the group name column. You must then enter AES for the encryption algorithm. We will also be using the default value for the digest algorithm, which is SHA-256, so we're not going to fill anything in here because that's the default; MD5 is an older system that's not as secure, so SHA is the better choice. We can skip the rest of these fields, but we are going to use UTF-8 for the character set. That's all there is to this configuration, so be sure you double-check all of these entries and get them exactly as I show you here. I'll give you a chance to take notes or do a screen dump. So there are all of the settings; then click the Save button (I'm going to click Cancel because I haven't changed anything). Once you've saved your changes you can exit this screen, and you will have to stop your server, because those changes won't take effect until the server is restarted. That's how you set up the JDBC realm.

Now that we have our JDBC realm created, let's go ahead and create a Maven web project. I've shown you how to do this in the past, but I'm going to go through it again in detail, and this time we'll cover a lot more ground than we have in the past, so this will be a great reference for generally creating Maven projects. Let's create a new project: it'll be a Maven web application, and for this demo I'm not going to bother with the name, I'm just going to go with the defaults. I'll do the same thing for the group ID, version and package, but you should really use appropriate group ID and package names that make sense for your application. Next, make sure that we're using GlassFish 4 and Java EE 7, and click Finish. In a few moments we'll have our project. Note that we have a pom, which controls the libraries that are used, and initially just a plain HTML file and no source packages at all.

The first thing we'll do is make sure our project is configured to use JavaServer Faces. If you were not using GlassFish as your application server you would need to modify the pom and add the JSF libraries as dependencies, but we're using GlassFish, so we don't need to add those libraries because they're already built in. All we have to do is tell our project that we want to use JSF: right-click on the project, go to Properties, select Frameworks, click Add, and pick JavaServer Faces. Then, very important, wait for JSF to appear as a server library and for the registered libraries to appear in greyed-out text right here. Make sure you wait long enough for all of that to settle before you hit OK. In a few moments you'll notice that you now have an XHTML file; that's our JSF home page, and we no longer need the plain HTML, so I'm just going to go ahead and delete that. So we have our JSF file, there's our home page, and that's all it's really done for us.

The next thing we want to do is add any additional libraries that are necessary in our pom. Open up the pom and look for the dependency area. The first dependency I'm going to add is for a library called Google Guava. Guava is a utility library that Google makes available for free, with all kinds of utilities for things like text manipulation and a whole range of other things. We're going to need it for some of the hashing we use for security, and I'll explain the details later. In my sample program, JSF Secure, I've already given you the dependency, so we're just going to copy and paste that into our new project. There's the Google Guava library. I've shown you in previous videos how to add the PrimeFaces libraries, so I'm not going to duplicate that here; for this security demo all we really need is Google Guava. Save that and we're ready to continue.

Next, consider the content in our website that needs to be secured. This Web Pages folder that I'm highlighting is the root directory for your web pages, and right now we just have one file, our home page, in that folder. Consider that anything in this folder is public; in other words, you don't have to be logged in to view it. If you want secured content for different people in different roles, I recommend that you create separate directories for that. For example, I'm going to create a new folder (New > Other, then find Folder): I'm going to create a folder called admin, and then another folder in the root called users. You can create any folders you want, but as an example I would use this folder for content that only logged-in administrators can view, and this folder for content that only logged-in users can view. You may not want to call them users, you might want to call them members; it really doesn't matter, call them whatever you want. For now I'm going to use the term users. You can create as many of these directories with as many terms as you want, but the idea is that we segregate the content for the different groups of logged-in users, so that when we do our configuration we can say: anything in this folder, you need to be an administrator to view; anything in this folder, you need to be a user to view; but anything outside of those folders is public and you don't need to be logged in. That's the easiest way to configure your project.

The next thing we need to do is add some optional configuration files. When we first created this Maven project we got this WEB-INF directory, and once we added the JSF capability we got this web.xml. That's one configuration file that we need, because right now it's used for configuring the JavaServer Faces servlet and for our welcome page, our home page. But we're going to need some additional configuration files, not necessarily for security but just in general, so let's go ahead and create them. Right-click on your project, New > Other, and the first thing we're going to do is go to JavaServer Faces and pick the Faces Configuration. Accept the defaults and you'll see that it adds this faces-config. Initially there's nothing in here, but in the future we can use it for all kinds of things; the primary thing we would use it for would be internationalization, which I've already demonstrated in a previous video. Right now we're not going to use it, but we want to have it available if we need it. The next one we need, again via New > Other, is what's called a GlassFish config descriptor. Select that, go with the defaults, and you can see it has now added this glassfish-web.xml. This is going to be used for some of our security settings, so we'll need it. Then one more: New > Other, under Contexts and Dependency Injection, add a beans.xml and again accept the defaults. Now you have your beans.xml. This file is necessary for CDI, and CDI is the new, modern way of doing JSF; it also allows us to do more advanced dependency injection and some other things that I'm not going to cover in this video, so it's just good to have it for the future. Now we have all the config files we need under WEB-INF. Be very careful with this directory: you don't want to be accidentally putting your web pages in there. The only things that should be in there are XML files.

The next thing I recommend you do is, under Other Sources, add a directory to store your database backup files. This is really a good idea, because should you ever need to restore your database from a backup it's nice to have them in your project and under source control with Git, so that you always have your database backups under Git source control. This folder is a special folder that hides the real location: if you switch from the Projects tab to the Files tab
you'll see that under source there's main, and under main there are various directories. You don't see all this from the Projects view, and you can't add directories using the right-click method here, but what we can do is right-click on the project and choose New > Other, go to Folder under Other, and click Next. Now type in a folder name for our backups; I'm just going to call this sql. Browse for the parent directory and pick main under source, and it will add that sql directory inside the main directory. Click Finish. You don't see it here in Projects yet, but you will see it under main in Files. It will appear in Projects if you close the project and reopen it (it's kind of goofy, but you have to close your project and reopen it). When I reopen it and go to Other Sources, now you'll see your sql directory. Right now it's empty, of course; you can paste anything you want into it. For example, in the demo project JSF Secure that I provided, you'll see that in the sql directory there is a SQL file. Let's pretend that this was one of your database backup files from MySQL: you can just copy the backup file and paste it in, and now you'll have your backup files in your project under Git source control. It's a great way of protecting yourself from failure because, as we all know, we can lose things or screw things up, and it's just a good idea to have these backups. It isn't necessarily something you need for security, but it's a good idea.

Now we're going to configure our application for database access using JPA. The first thing we need is a connection pool on the server that connects to our database, for performance efficiency. Normally to do that you would need to start up your server, go to the admin console, and configure that on the server. We could do that, but that means that whenever you move your app from one computer to another you'd have to do it all over again. A better way is to create a configuration file that automatically installs that on the server regardless of what computer you're on, so that's the technique we're going to use. To do this, under the Services tab we have to have our MySQL server connected. I've shown you how to have NetBeans connect to a MySQL server in the past, so I'm not going to repeat that, but what we want is a connection to one of our databases, and the database we're going to connect to is the JDBC realm database that I showed you how to create previously. To create a connection to it in NetBeans I would simply right-click and choose Connect. I've already done that, and I've got my connection right here; I'm going to go ahead and enable it. You can see the icon is solid now instead of broken, which means we have a connection to that database, and we can go in there and look at the tables and view data just like that. It's a beautiful thing. So we have our connection established under the Services tab, and you do want to connect to that JDBC realm database for the security.

Then go back to Projects, right-click on the project, go to Other, go to GlassFish, and create a JDBC Resource. You're probably wondering: why a resource, why not a connection pool? Well, you need a connection pool and then you need a resource that connects to the connection pool, so by using this wizard we'll get both, as you'll see in a moment. Click Next and create a new JDBC connection pool (this assumes you haven't done this already), and fill in a custom JNDI name. You can call this whatever you want; for now I'm going to use test, but in the JSF Secure demo I used security data source. I've already got that created and I don't want to create it again, so I'm just going to say test for now. Again, you can use whatever you want, but it should be preceded by jdbc/; the part after that can be whatever you want, and in the JSF Secure demo I used security data source. Click Next, and we can skip this screen. Now you need to give it a connection pool name; in the JSF Secure demo I used JDBC realm pool, but again I've already got that and don't want to create it again, so I'm just going to say JDBC test pool. Then select the connection in NetBeans that points to the database, the JDBC realm database, so we're creating a connection pool that connects to that. Click Next, select the connection pool data source from the drop-down menu, and then change this class name to the one for the connection pool data source: MysqlConnectionPoolDataSource. Be careful how you type it; notice the upper- and lowercase letters. Take a good long look at that, because you have to type it in manually. Click Next; you could modify some of these settings, which control how big your pool is. If you had lots of users connecting simultaneously you'd want to raise these values, but for now we're just going to go with the defaults. Now we've created the connection pool and the JDBC resource. You don't see anything different yet: close your project and reopen it, and now look under Other Sources. You'll see a setup folder, and in that setup folder you'll see glassfish-resources.xml. This XML file points to the pool name you just created and the JNDI name that you identified, and then it identifies the database connection and your username and password to connect to that.

What happens is that this file is used when you run your project to create the connection pool and the resource on the server if they don't already exist; if they already exist it doesn't recreate them. This way, no matter what computer you run your project on, it's automatically going to make sure that you have a connection pool configured and running on that server. It's a really nice way to work with connection pools using GlassFish. So we have a connection pool. Again, the reason we want one is performance efficiency, because connections are expensive to create, so this makes sure that we reuse existing connections.

Next, for JPA, we need a persistence unit that works with this connection pool. Right-click on the project, New > Other, go to Persistence, and create a Persistence Unit. Click Next. I want to create a persistence unit name, and I don't want to use this default; it should describe your connection. For the demo I think I had JDBC realm persistence unit, but it could be anything you want; by convention we usually end it with a capital PU, standing for persistence unit. We're using EclipseLink; we could use other things like Hibernate, but EclipseLink is the default. Then the data source is the one you created a little earlier, so in this case I'm going to use test (for my JSF Secure demo I used the security data source). Pick the one you want to use, and then make sure we use the Java Transaction API; that's important. We're not going to create any tables right now. Typically you would say None here; this is used if you have entity classes and you want the tables to be generated automatically from the entity classes, but we're just using an existing database that's got all
the tables in it, so we're going to say no, don't generate anything, we've already created the database. Click Finish, and in a few moments you will have a new folder under Other Sources, src/main/resources, containing META-INF and persistence.xml. This gives you a graphical view; we can also look at it as an XML file, and that's all we need to start using JPA. Let's close that and review what we've done: this file (glassfish-resources.xml) establishes our connection pool, and this one (persistence.xml) uses our JNDI name to talk to that connection pool, so that when we use JPA it'll know which database to talk to.

The next thing we need is a login page, and we're also going to need an error page that displays any login problems. I've already provided you with samples of these, so I'm going to steal them: here they are, login and login error. I'm going to copy those from the sample I gave you and paste them into the Web Pages folder in this project. Let's take a look at each one, first the login page. I've got some descriptive information here that you should read, but the basic idea is that we're using a combination of JSF tags and plain HTML tags. Normally, and I've told you this before, we want to avoid the plain HTML versions and use the JSF versions, and that's true in almost all situations. However, for this security system we have to go back to using some plain HTML. The reason is not that it's absolutely mandatory; it's just that this is going to be the easiest way to get a login page working. I could create a login page with all JSF tags, but then I'd have to write some server-side code to process the login, and I don't want to do that; I want to take advantage of the built-in capabilities of GlassFish. So we're going to use a normal HTML form tag, and the advantage of this is that we can set the action property to point to j_security_check. It's got to be spelled exactly like that. That's the name of a hidden built-in servlet in GlassFish, which means we don't have to write any code to process the login. But this doesn't work from a JSF form tag, only from an HTML form tag, so that's why we're using that. I can still use some JSF tags: I'm using a panelGrid for layout and an outputLabel for a prompt, but then I'm using a normal HTML input, and again I have to do that if I want to use this built-in servlet. It has to have a name equal to j_username, spelled exactly like that, and that is where the username is entered. Then we have a password field as well, with a name of j_password, and then we need a normal submit button with type equal to submit; you can have whatever value here you want. If you were to use the JavaServer Faces version, say a commandButton here, it would not go to this servlet, and then we'd have to write our own server-side code. By using this normal HTML input for a submit button it'll go to this servlet. So that's why we're using a mixture of HTML and JSF, and that's it for the login page. You can lay this out any way you want, you can use cascading style sheets and get creative with how this looks, but for now this will be our demo. So there's the login page.

We're also going to need a login error page. The error page, which we're going to configure later, is the page you see when somebody's login fails. What I've got here is a headline styled in red that says "Sorry, access denied", then a paragraph that says your credentials could not be verified or you are not authorized to view the content, and then it gives you a link back to the home page. Again, you can say whatever you want here and do whatever you want on this page, but you should have an error page that people will go to when their login fails for some reason. So there's the error page.

The next thing we have to do is configure this to be used. Go to the WEB-INF directory, open up the web.xml file, and go over to the Security tab. Under Login Configuration, set the type to Form, and identify the login page by browsing for it and selecting our login page. Unfortunately this GUI isn't smart enough to do what it should be doing, which is to say faces/login, because this is a JavaServer Faces page and it will not be processed correctly if we don't precede it with faces. Why is that? If you go back to the Source view, you can see that the JavaServer Faces servlet expects all JavaServer Faces pages to be preceded by faces. If we don't precede it with faces it won't be interpreted as a JavaServer Faces page and it won't work correctly. We need to do the same thing for the error page, again preceded with faces. So we have our login page and our error page identified, and now we need to identify the JDBC realm name that we created earlier: jdbc-realm. That's the login configuration; save the changes and close that up.

The next thing we need are some security roles. These are the roles, or groups, that our users are going to belong to. Click Add and enter a role name, admin. The name could be anything you want, but I recommend that the names of your roles match up with the names of the folders in your web app: I've got an admin folder for administrators and a users folder for users, and those should match your role names. They don't have to, but it makes it easier to keep things straight in your mind if you use the same terminology. So let's go back over here and create one more role; this will be our users role. Now we have two roles, admin and users, that match up with our folders.

Now we need some security constraints. Click on this button and we're going to name these appropriately: one security constraint for the admin role and one for the users role. I'm going to give this the name admin constraint, click the Add button under Web Resource Collection, and say that this is the admin resource. What we're saying is that anything that goes to the faces/admin folder and anything inside it (that star means any file, any page inside this folder) is covered, and again we have to precede it with faces because we're treating all this content as JavaServer Faces pages. So we want to secure the content in the admin directory to be available only to people with the role admin. I don't recommend you select all HTTP methods; I recommend you only select GET and POST. I've had problems getting the security to work when all of these are selected, so I recommend just GET and POST; you don't really need the other ones anyway. Click OK. We now have an admin constraint that says: if a page is in the admin directory, you must be an administrator. Now we also need to enable this constraint and tell it which roles are allowed to access that content: only administrators. So those are the roles that are allowed to view the content in this directory. One more thing: we have to enable a user data constraint and set the transport guarantee to CONFIDENTIAL. What that does is enable SSL (Secure Sockets Layer), which encrypts all of our data flow between client and server. So there's our admin constraint.

Now let's do a users constraint. For our users, the URL pattern is faces/users, that's our directory, and anything in that directory is going to be treated securely. Then we need to enable the authentication constraint, and we want to enable both administrators and users to view that content. The idea here is that for the admin constraint only administrators can view that content, but for the users constraint both administrators and users can view it. Again, we want to enable both, because otherwise administrators would be locked out, and we don't want that; an administrator should be able to see everything. We also need to enable the user data constraint and set the transport guarantee to CONFIDENTIAL. That concludes that portion of the security setup. Again, if you had more roles than just these two you would have additional constraints; you can have as many roles as you want.

We're almost done; one more configuration to complete the security setup. Under Web Pages, under WEB-INF, double-click on glassfish-web.xml and go over to the Security tab. You'll notice that you already have an entry for admin and for users that matches up with what we did earlier, but we need to configure these: we need to map these names to the groups that you have in your database. These names don't necessarily have to match, but if you use the sample database that I had you generate earlier (I'll give you a quick look at that), we had an admin group and a user group. Notice user, singular, not plural; I did that on purpose, because I want to show you that this security role may match the group name. In this case it does, but for users the role name does not match the group in the
database the group name in the database is user and I did that on purpose just to show you that the name for the role does not have to manage match the name in your database for the group okay so that concludes our security configuration this GlassFish web.xml we look at it as source code you can see how the how those role mappings were added and then same thing for the web.xml we were looking at it graphically we can look at it source code and you can see it's added a lot of stuff here for the configuration of security so once again you can see why web.xml is a pretty important file that concludes the setup of the maven project let's review what we've accomplished we've added to the poem a custom library for guava and you'll see how that's used in a little bit we've added this now if we wanted to use primefaces we would add the primefaces dependencies as well and i've shown you how to do that in a previous video we've set up a project for JSF by going to properties frameworks and we added the JavaServer faces libraries we added some additional configuration files two of which we're not doing much with right now and the other two were used for security configuration we've also added directories that will house right now there's nothing in them but they will house content that is exclusive to those users and they'll end to access that content you have to log in the other content is does not require a login and then we added a directory for sqr database backups we also generated a glassfish resources XML and that was done to get a connection pool and we also generated our persistence XML for JPA so this this is the connection pool this is enabled JPA so we've got JPA we've got JSF configured we've got security configured we are done you know obviously we'd have to create some content but I've already done that and so I'm going to switch over to my demo project JSF secure which is already set up with some content so let's take a look at the content under webpages I 
have the home page the login page and the login error page now on the home page what I did is I put a whole bunch of instructional material in here we'll look at that in a moment I also have a JSF form with a command link pointing to a logout function and that's necessary because you want to give people a way to log out so that you don't leave your computer in a state where somebody can you know let's say you go grab a cup of coffee and you're logged in and somebody comes up behind you you know somebody comes up to your machine and it's unlocked and they can use your credentials to do whatever they want so you should always log out when you're when you're not you know when you're not flying your machine so unfortunately you have to write your own code to do that so what I gave you was a logout pane that is programmed to automatically log you out and to do that what we do is we set up a destination this is where you're redirected when you log out and this is going to take you to the home page you need this faces redirect you need this to actually redirect to that page then you use this technique to get access to the request object so the faces context gives you a way to get the quest object which is a h servlet request object and then that is what we use to actually log out and then you just go to the destination so this logout being is what is used by this guy to log you out then I've got the login page which I've already shown you and the home page which I just showed you and the error page we talked about that earlier now in these directories I have just home pages for each of those so it isn't necessary that you use the word index but index is the is the default for a home page name and so each of these directories has its own home page and basically what I do here is I display a message that lets you know you're on the users page I give you a way to go back home and I give you a way to log out on both of these so there's nothing fancy going on here keep in mind 
though that all the content in these directories requires that you be logged in with the appropriate role here you have to be logged in as an administrator here you have to be logged in as either an administrator or a user and we'll see that in a moment so there you have it very simple what what is what's not in here which you should probably consider adding is a directory for resources because that's what JSF uses for things like CSS and so now there's what I'm talking about is go ahead and create a new folder resources and in that folder is where you store things like what have images oops images clips images I'm probably going to want cascading style sheets so I have a folder for that and one more for if I have any JavaScript I'll just call that j/s so typically you got you're going to you know if you're going to use CSS images in JavaScript or any combination you want to store create folders inside of a resource directory because that's what JSF uses when you use the JSF tags to access these things and I've demonstrated this in the previous videos okay so let's let's run the program so this is the demo program that I gave you it's all pre-configured let's go ahead and run it oops run and I'm going to pause the recording until it starts up and here's our web application so first of all this describes some of the security concepts authentication is when you log in your credentials are checked against the database authorization is what groups do you belong to an encryption is how we make sure that hackers can't see our content we also want to encrypt data in a database which I'm going to show you shortly but let's go ahead and run this and show you how it works so for the demo I've got three accounts I've got Bob who's an administrator with with the password password 1 I've got Sally and Tom who are users and they have passwords as well so let's let's try first logging in as Sally so I'm going to go to the users section and because the user section and what we're 
talking about by user section is this folder here any content in there so this link points to the home page in that folder so if I click on this it's going to recognize that I'm not logged in it's war it's by the way it's warning me that SSL the encryption mechanism is based on the concept of a certificate we're using a developer certificate that's built in the GlassFish and because it isn't certified it's not trusted and that's fine for development we don't need a trusted certificate but in a production environment you would want to purchase a trusted certificate from someone like Verisign or thought and you pay good money and you are from a couple hundred bucks on up which is why we don't want to bother for a developer account so we're just going to say okay I understand proceed anyway and you'll notice it takes us immediately to the login page because it knows that we're not able to access that content unless we're logged in now if I go back to the home page I can view the home page without logging in because remember anything outside of these two directories users and admin is public content so we don't need to be logged in to view that content it's only when we go to one of these directories that we have to be logged in and so the only time the login form appears is when you go to a section that's secured so there we are now I'm going to type in Sally's nickname our user name Sally and her password pas SW Bo AR D - and I click login and you'll notice that I successfully get to the users page because I'm authenticated as Sally it found a match and I'm authorized to view this to view this content but if we go back to the home page and now remember I'm logged in as Sally if we go back to the home page and try to go to the admin such and go to the admin section you see that it says sorry access denied your credentials could not be verified or you are not authorized to view the content you desire you can't view the admin content which you can view the user content 
so that's basically how this works now to make that possible you have to have in your web XML you have to have it you have to have your error pages set to point to error code 403 make sure it's 403 and not 404 and make sure your error page is preceded by face if you have to go into source code to make that modification then do so okay right here all right so that concludes the JSF security devil you you
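The descriptor configuration walked through in the video, written out as source rather than clicked together in the NetBeans GUI. This is an added example, not the files from the video's JSF Secure project: the page names login.xhtml and loginerror.xhtml, the realm name jdbcRealm and the omission of any http-method elements are this example's assumptions. It shows the points that are easy to get wrong: every pattern and page is prefixed with /faces/ because that is the Faces Servlet's mapping, the login page is wired to the container's j_security_check through the FORM auth method, both constraints carry a CONFIDENTIAL transport guarantee, the users constraint lists both roles so administrators are not locked out, a 403 (not 404) is routed to the error page, and the role "users" is mapped in glassfish-web.xml to the database group "user", so role and group names need not match.

```xml
<!-- ==== WEB-INF/web.xml, security-relevant parts only (added example) ==== -->
<!-- login.xhtml, loginerror.xhtml and the realm name jdbcRealm are assumed. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

    <!-- The Faces Servlet owns /faces/*; every secured URL pattern and
         every page referenced below must therefore start with /faces/. -->
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>

    <!-- Only the admin role may reach anything under /faces/admin/.
         No http-method elements are listed, so the constraint covers
         every HTTP verb; listing only GET and POST leaves the other
         verbs unconstrained. -->
    <security-constraint>
        <display-name>admin constraint</display-name>
        <web-resource-collection>
            <web-resource-name>admin resource</web-resource-name>
            <url-pattern>/faces/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- CONFIDENTIAL forces the request onto HTTPS -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Both roles may reach /faces/users/, so admins are not locked out. -->
    <security-constraint>
        <display-name>users constraint</display-name>
        <web-resource-collection>
            <web-resource-name>users resource</web-resource-name>
            <url-pattern>/faces/users/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>users</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- FORM login is handled by the container's j_security_check; the
         realm name must match the JDBC realm configured in GlassFish. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>jdbcRealm</realm-name>
        <form-login-config>
            <form-login-page>/faces/login.xhtml</form-login-page>
            <form-error-page>/faces/loginerror.xhtml</form-error-page>
        </form-login-config>
    </login-config>

    <security-role><role-name>admin</role-name></security-role>
    <security-role><role-name>users</role-name></security-role>

    <!-- A logged-in user without the required role is refused with 403,
         not 404; route that status to the same error page. -->
    <error-page>
        <error-code>403</error-code>
        <location>/faces/loginerror.xhtml</location>
    </error-page>
</web-app>

<!-- ==== WEB-INF/glassfish-web.xml (added example) ==== -->
<!-- Maps each web.xml role to a group name stored in the database. The
     role "users" maps to the group "user", so the names need not match. -->
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>users</role-name>
        <group-name>user</group-name>
    </security-role-mapping>
</glassfish-web-app>
```

The 403 mapping matters because form login is only triggered for requests with no authenticated user; once Sally is logged in and asks for /faces/admin/, the container does not show the login form again but refuses the request with 403, and without that error-page entry she would see the server's default error page instead of the access-denied page shown in the demo.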
Info
Channel: Jim Lombardo
Views: 73,893
Keywords: JavaServer Faces, Java Persistence API (Software), Education (Word), wctc, jsf, jpa, glassfish, glassfish4, jee, jee7, web, webapp, java, maven, jdbcrealm, mysql
Id: 1xsU6juUZd0
Length: 64min 18sec (3858 seconds)
Published: Wed Dec 04 2013