JSF Authentication

I'm developing a Java EE application (JSF2 + RichFaces + Facelets + Tomcat). What's the best way to perform authentication when using JSF? Or should I make my own?


People usually pick between (in no specific order):

  • JAAS (which is the Java/Java EE default security framework)
  • Spring Security
  • Custom-made security

I have never used Spring Security, but the documentation is huge; I gave up trying it once because of time constraints. JAAS has the advantages of being simple and working out of the box with Tomcat.

I've seen custom security built on top of JAAS too.

What you really have to do is figure out what you will specifically need in your application and check which framework suits your needs better.

Without knowing your business needs, if you only need authentication (user login), I would say JAAS is the simplest way to go, as it is not application-intrusive and you won't need to add Spring dependencies if you are not already using it.


Go for Spring Security

Here is how to integrate it with JSF

Edit:

http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/


I think that Leonardo answered it correctly, but you could also consider Central Authentication Service (CAS) for enterprise-wide security. It is a little more complex to configure, but the benefits are tremendous. It also supports an enormous number of out-of-the-box authentication mechanisms, from LDAP to NTLM. CAS also provides extensions for custom authentication.

If you choose to use Java EE containers and wish to use form-based authentication, I have published a couple of examples for use with JSF 1.2 and 2.0 and j_security_check:

  • JSF 1.2 Facelets Form Based Authentication (j_security_check)
  • JSF 2.x Facelets Form Based Authentication (j_security_check)

In addition, the Servlet 3.0 API provides login and authentication based on the container via the HttpServletRequest API.


JBoss Seam integrates EJB 3, Facelets, JSF, and Hibernate really nicely. It also provides validation of data and some security stuff too. If you use it for all its features, it is really sweet. If you try to pick and choose only certain things out of it, then it is still cool, but you have a few workarounds. But I've been impressed with what I've seen of Seam so far.


Apart from the mentioned frameworks there's also Seam Security which integrates nicely with CDI through an Extension.


You can try Apache Shiro, which gives authentication, authorization and many others.


For simple authentication, a very simple approach is to check for a valid user object in the template using JSTL, and show the login form if there is none. For example, assume your template is webapp/WEB-INF/templates/default.xhtml; inside the template:

<html...>
.
.
<h:body>
<c:if test="#{mbSecurity.validUser}">
.
. authenticated template sections goes here
.
</c:if>

<c:if test="#{not mbSecurity.validUser}">
   <ui:include src="/WEB-INF/inc/login-form.xhtml" />
</c:if>
</h:body>
</html>

Advantages: zero dependencies and zero configuration; also, if the session has expired, after the login the user will be back on the original page he was on.
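
Added example (not part of the answers above): one possible backing bean for the `mbSecurity.validUser` test in the last answer, using the Servlet 3.0 `HttpServletRequest` login API mentioned in an earlier answer. The class name, fields, message text and the `/index` view are assumptions, and the container is assumed to have a realm configured.

```java
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Hypothetical bean: only "mbSecurity" and "validUser" come from the template above.
@ManagedBean(name = "mbSecurity")
@RequestScoped
public class SecurityBean {
    private String username;
    private String password;

    private static HttpServletRequest request() {
        return (HttpServletRequest) FacesContext.getCurrentInstance()
                .getExternalContext().getRequest();
    }

    // Ask the container for the authenticated principal instead of trusting an application flag.
    public boolean isValidUser() {
        return request().getUserPrincipal() != null;
    }

    public String login() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        try {
            request().login(username, password); // Servlet 3.0: validated against the container realm
        } catch (ServletException e) {
            // One message for every failure, so the form does not reveal which field was wrong.
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null;
        } finally {
            password = null; // do not keep the credential on the bean
        }
        // Redirect so the view is rebuilt and the <c:if> tests are evaluated again.
        return ctx.getViewRoot().getViewId() + "?faces-redirect=true";
    }

    public String logout() throws ServletException {
        request().logout();
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "/index?faces-redirect=true"; // assumed landing view
    }

    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
}
```

The `<c:if>` test only decides what the template renders; URLs that must not be reachable without a login still need `<security-constraint>` entries in web.xml so the container refuses direct requests.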
