Session management functionality in jsf project - session

I am a beginner programmer and want to know how session management and login/logout functionality can be incorporated in a JSF project. Right now I can authenticate users from a table in the database, but giving the direct URL of the pages in the browser takes any anonymous user to the requested page of mine. I want only authenticated users to access the pages while their sessions are active. How is this done, and what exactly do I need to study to get this functionality in my application?
Bundles of thanks in advance.

I suggest looking at something like Seam Security: http://seamframework.org/Seam3/SecurityModule

I was able to resolve this issue. There was a statement in my HibernateUtils class, session.close, which was commented out, and this is now working as expected after removing this comment.
Thanks for your help.

Related

How can I Login to website using Suitescript 2.0?

Literally, I do not know which module is used to get values from http, https.
I'm trying to bring in tracking numbers from the likes of BANC, UPS, FedEx...
My purpose is this: reference specific values from another site and bring them back to NetSuite.
1. What modules do I use for that?
2. If there is a login session, is it possible to access it using SuiteScript?
Your answer will be a great help to me.

Accessing that information is usually done via API with credentials rather than a login session. For that you normally use N/https.

Laravel 4 & Sentry 2 Session issues

I've developed an app in Laravel with Sentry 2 as ACL. Login occurs through SAML.
Whenever a user logs in from SAML, he is redirected to my app, where I check server variables, and if the credentials are correct I let him pass to the site with Sentry.
My issue occurs when I try to log in with the same account in two different browsers. It looks like when I log in in the second browser, the existing session in the other browser gets overridden.
I found this out by looking into the sessions table:
http://pastebin.com/6iEnRkEs
Any ideas? Will appreciate your help on this very much.
Thanks a lot!
Pablo
EDIT:
The idea would be that the app works like Gmail/FB, which allow the user to be logged in in both browsers at the same time.

It's correct the way it is.
Different browsers, different sessions. This is a security feature/matter every single app should enforce.
If you log in in a different browser, how could Laravel tell if it's not a different person logging in from a different computer in the same network? Logging someone off in this case is also the correct thing to do, because if some kind of exploit is happening, the user will see something is wrong and, maybe, change his/her password.
Some (i.e. banking) also do: different browser tabs, different sessions, but this is not the Laravel case.

Padrino basic user authentication

I was wondering if anyone can shed some light on setting up basic user authentication. I've installed the admin app into my project and it works great. But I need a basic user role that can have its own registration page etc.
I need to see something like
domain.com/users/user.slug
would take them to their profile page
I'm also going to have nested resources, so a user can have a project associated to them.
domain.com/users/user.slug/projects/project.slug
or
domain.com/users/user.slug/project.slug
The admin piece worked great, but I have no idea how to set up registration etc. for a user model.
I've used Devise in the past with Rails and I'm wondering if anything like it currently exists? I've seen some discussion around Warden. Is there a de facto solution that people are using, or am I able to implement the admin app to handle this? Right now /accounts is protected and can only be accessed by the admin role, so I can't have users go to accounts/new
Thanks

For now I basically just copied the admin app into my own Users app while using my own User model.
The user model is basically a direct port of the account model.. as is the session controller etc. Just switched the model names around.
I'm still not sure if this is the best approach or if I'm able to leverage the admin app to handle this also?
This solution is working, though again, I'm not sure if it's the optimal approach.

Spring Security - Add TAN system

I'm using Spring Security 3.04 to authenticate the users of my system using 3 Roles, while all of them are allowed to access something like a landing page.
From this landing page, there should be another system which can only be accessed by one Role and by a TAN-authenticated user.
So my question is: What would be the best way to add a third login-attribute to spring security? Or is there a way to store attributes within the security context?
Or is there any other way to add a multi-level-authentication to my application using spring security?
Thanks in advance for any help!
Best regards,
Robert

There is an excellent walkthrough on how to integrate an external authentication mechanism here:
http://blog.springsource.com/2010/08/02/spring-security-in-google-app-engine/
That should get you on the right track.
Grant

Spring security LDAP connection

Hello, I am new to Spring.
I am trying to connect to Active Directory from my server using Spring-security1.3.0 spring2.0.1.
I am using the documentation example (18.4.5).
I can see that the LdapAuthenticationProvider object is constructed at page load in the application-context.xml. A few questions:
I wonder where and when the answer from Active Directory will be returned?
I think I should see the result in the UserDetails object, but how do I see this? What code does this?
My goal is to get the user role from Active Directory and search my DB (on my server) for what this role is permitted to do. So I would like to know what object contains the role of the user.
Thanks,

You could try
SecurityContextHolder.getContext().getAuthentication().getAuthorities();
to see if any roles (authorities) have been added to the current user (authentication). This should work no matter how you authenticate/authorize your users.
Spring Security is a great framework for securing your applications. However, for everything a little bit more complex than the demos, it's best to get a good "feeling" for the basics first. Try to get an understanding of how everything works together before you implement something non-trivial like an LDAP-DB-based solution. It might take some time at first, but it definitely pays off.
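
Added example, not part of the original answer or of Spring's own code: one way to use the authorities call above to resolve what the current user is permitted to do, denying by default when nobody is authenticated or a role is unknown. It assumes Spring Security 3.0 or later on the classpath; the class name, role names and permission map are hypothetical stand-ins for the application's own database lookup.

```java
import java.util.*;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class RolePermissionLookup {

    // Hypothetical stand-in for the application's role -> permission table in the DB.
    private static final Map<String, Set<String>> ROLE_PERMISSIONS =
            new HashMap<String, Set<String>>();
    static {
        ROLE_PERMISSIONS.put("ROLE_MANAGERS",
                new HashSet<String>(Arrays.asList("report:read", "report:approve")));
        ROLE_PERMISSIONS.put("ROLE_STAFF", Collections.singleton("report:read"));
    }

    /** Permissions of the current user; empty when nobody is authenticated. */
    static Set<String> currentPermissions() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Set<String> permissions = new TreeSet<String>();
        if (auth == null || !auth.isAuthenticated()) {
            return permissions; // deny by default: no authentication, no permissions
        }
        // The authorities are whatever the configured provider (LDAP, DB, ...) attached.
        for (GrantedAuthority authority : auth.getAuthorities()) {
            Set<String> granted = ROLE_PERMISSIONS.get(authority.getAuthority());
            if (granted != null) { // roles missing from the table grant nothing
                permissions.addAll(granted);
            }
        }
        return permissions;
    }

    public static void main(String[] args) {
        // Before login: the security context holds no Authentication.
        System.out.println(currentPermissions());

        // Constructed sample user standing in for a completed LDAP login.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a",
                        "ROLE_MANAGERS", "ROLE_UNKNOWN"));
        System.out.println(currentPermissions());
    }
}
```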
