Simple login and logout capabilities for my web app(JSF 2.0)

This morning i rode chapters 39,40 and 41 of the JEE6 tutorial. But i am very, very confused. I don't have a background on web-app security with JEE6, and i am having big dif开发者_StackOverflowficulties to understand and implement.

I need to create an authorization mechanism for my web app, my scenario is also not very simple for a begginer in JEE6 like me so i decided to try to find the easiest way to do it.

I thought to explain my idea, so you can correct me and give me some advice on how it would be the best easiest way to do it.

Idea:

My web app uses a primefaces component called dock that pops a log in dialog when the use clicks in the last item. Also this navigation tool is located in a JSF template that is used by all the other pages in the application.

    <h:body>
<p:dock position="top"> 
    <p:menuitem value="Naslovna" icon="unsecuredimages/naslovna.png" url="main.xhtml"
        alt="The image could not be found." />
    <p:menuitem value="Register" icon="unsecuredimages/register.png"
        url="registration.xhtml" alt="The image could not be found." />
    <p:menuitem value="Cesta pitanja" icon="unsecuredimages/faq.png"
        url="faq.xhtml" alt="The image could not be found." />
        <!-- The login will not have a page, it will pop up a login dialog -->
    <p:menuitem value="Login" icon="unsecuredimages/login.png" url="#" onclick="dlg.show()"/>       
</p:dock>
<p:dialog header="Prijavite se" widgetVar="dlg"  modal="true" draggable="false" resizable="false" effect="SLIDE">  
     <h:outputText value="Em@il:" /><h:inputText id="email" value=""/>
     <br/>  
     <h:outputText value="Lozinka:" /><h:inputText id="password" value=""/>
     <br/> 
     <h:commandButton value="Prijavi se" />
</p:dialog>     
    <br/><br/><br/><br/><br/><br/>  
<ui:insert name="mainForm" />
<ui:insert name="registrationForm" />
<ui:insert name="registrationBuyerForm" />
<ui:insert name="registrationSellerForm" />
<ui:insert name="faqForm" />
<ui:insert name="registrationSuccessForm" />
  </h:body>

That JSF i think should have a backing bean that handles the email and the password over to an EJB.

import javax.ejb.EJB;
import javax.enterprise.context.SessionScoped;
import javax.faces.bean.ManagedBean;
import ejbinterfaces.IAuthentificationEJB;
@ManagedBean
@SessionScoped
public class SecurityController {
@EJB
private IAuthentificationEJB authentificationEJB;
private String email;
private String password;

public void logIn() {
    authentificationEJB.saveUserState(email, password);
}

public String getEmail() {
    return email;
}

public String getPassword() {
    return password;
}

public void setEmail(String email) {
    this.email = email;
}

public void setPassword(String password) {
    this.password = password;
}   

}

Then the EJB should do the login and log out(This is where i get very confused):

@Stateful(name = "ejbs/AuthentificationEJB")
public class AuthentificationEJB implements IAuthentificationEJB {      
//Login
public boolean saveUserState(String email,String password) {
    //1-Send query to database to see if that user exist
    //2-If the query returns the user object, store it somewhere in the session(HOW?)
    //3-return true if the user state was saved
    //4-return false otherwise
    return false;
}


//Logout
public void releaseUserState() {
    //1-Check if there is something saved in the session(or wherever the state is saved)
    //2-If 1 then flush it
}

//Check if user is logged in
public boolean checkAuthentificationStatus() {
    //1-Check if there is something saved in the session(This means the user is logged in)
    //2-If there is not a user already loged, then return false
    return false;
}

}

I decided not to use a jdbc realm or other of the authentification mechanisms explained in the JEE6 tutorial, because i get really confused, so i think that for now it is easier for me to do it manually. This are some doubts i have about my approach:

• Is this approach correct(Can it be done this way)?
• Should the EJB be @Stateless or @Statefull in this case(The user retrived from the database ony has 2 String fields)?

• Where should i store the id of the retrieved user from the database, to last until the user decides to logout?

• If i have to store the user state in the session until he/she decides to logout, how can i do it?

• With this approach will the session for the user be delated when closes the browser without logging out(If no, how can i expire his/her session automatically after a while if there is not activity?)

Ill appreciate a lot your help.

Some pieces of the puzzle:

Is this approach correct(Can it be done this way)?

Yes it can. You can choose between container managed security or application managed.

Should the EJB be @Stateless or @Statefull in this case(The user retrived from the database ony has 2 String fields)?

If you store the id of the currently logged in user in session context (see below), I think you can do it with a stateless bean (from theory).

Where should i store the id of the retrieved user from the database, to last until the user decides to logout?

You can store it in session context:

FacesContext.getCurrentInstance().getExternalContext().getSessionMap().put("userID", email);

Use getSessionMap()#get("userID") in order to check the stored userID.

With this approach will the session for the user be delated when closes the browser without logging out(If no, how can i expire his/her session automatically after a while if there is not activity?)

No, the session will expire automatically when reaching a timeout. The timeout can be set in your web.xml:

<session-config>
   <session-timeout>60</session-timeout>
</session-config>

This setting means, that sessions will time out after 60 minutes of server inactivity.