1

I'm trying to make a simple login system with Java EE (Hibernate, Glassfish, JSF). I am done with the handling of user id data, i.e. the users can enter username and password and it checks with the database and logs them in if it's correct. But I want to include certain pages that only logged-in members can see. How can I keep track of whether a member is logged in? And how can I get the information of that specific user?

Ex: I log in and want to change my password, so I go to a page with my user details and enter a new password. How can I manage this server-side?

Do I use a servlet? Cookies? Sessions? I'm lost (a)

I hope my question is clear, and would really appreciate some help. Thanks a lot in advance!

Philip
  • possible duplicate of [How to handle authentication/authorization with users in a database?](http://stackoverflow.com/questions/9965708/how-to-handle-authentication-authorization-with-users-in-a-database) – BalusC Mar 31 '13 at 08:24
  • Maybe this would also be useful: [How implement a login filter in jsf](http://stackoverflow.com/questions/8480100/how-implement-a-login-filter-in-jsf) – rusty Apr 02 '13 at 10:06

3 Answers

2

There is no need to duplicate a feature that Java EE & GlassFish already supports.

Check out the Java EE Tutorial on how to do this with the JDBC Realm:

John Clingan
2

In Java EE 6 you can use the JASPIC API to create and register authentication modules. There are a number of authentication modules available for reuse.

You then configure constraints for URL patterns in web.xml for which a user has to be logged-in and for which one or more roles are required.

Mike Braun
0

You should store your user information as a SessionAttribute, and then on the other pages check if the session has a user or not. If it has, then the page loads correctly; if not, you can redirect to the login screen.

The other question (the password change): you can create a page for this with a form. You ask the user for his/her old password, and the new password twice. Then on submit check the old password (as at login), check the new password (if you have any criteria about that, i.e. length, character types), and check if the two new passwords are the same. If so, then update your DB and log in your user with the new password.

rusty