On Apr 16, 2009, at 2:39 AM, viola lu wrote:

Thanks, But jsf tag lib can't identify form attributes like  name="login" action="j_security_check" method="POST", my code snippnet is:

<%@ taglib uri="http://java.sun.com/jsf/core" prefix="f">
<%@ taglib uri="http://java.sun.com/jsf/html" prefix="h">

....
.....
<f:view>
<h:form name="login" action="j_security_check" method="POST">
</h:form>
</f:view>

....

if i deploy this login.jsp. errors:attribute invalid for Form.

So may Database sql realm can't support jsf page?

I know almost nothing about jsf so I'm not sure exactly what the problem here is.  However, the problem is with the message dialog between the browser and the built in FORM authenticator, not with the security realm you want to use.

I googled a bit and apparently you can't have a jsf page be the login form, cf. http://download-uk.oracle.com/docs/cd/B31017_01//web.1013/b25947/adding_security005.htm

If you really need the login page to be jsf based, you'll need to write something like a security filter for your app that handles the authentication dialog.  After you've obtained the username and password you can login to your realm using something like this:

CallbackHandler handler = ...
Subject subject = ContextManager.login(realmName, handler);
ContextManager.setCallers(subject, subject);
//call next filter
ContextManager.setCallers(null, null);

You'll want to cache the subject somewhere such as the session.

thanks
david jencks




On Wed, Apr 15, 2009 at 1:30 PM, David Jencks <david_jencks@yahoo.com> wrote:

On Apr 14, 2009, at 7:30 PM, viola lu wrote:

Hi,ALL:

 i created a database security realm following link: http://cwiki.apache.org/GMOxDOC20/database-sql-realm.html,and create a dynamic web application, create login/register pages using JSF,  login is controlled by loginbean and regsiterbean which authorizes user/password by connecting to database, but i want to use database security realm to
verify user login like this:

 <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>MYREALM</realm-name>
      <form-login-config>
         <form-login-page>login.jsp</form-login-page>
         <form-error-page>login_error.jsp</form-error-page>
      </form-login-config>
    </login-config>
But it seems, login action always call loginbean not realm to authorize.
Something is missing?Thanks.

To use "built in" form authentication your login page needs to have a form with action "j_security_check", something like this:

<form name="login" action="j_security_check" method="POST">

If you want anything fancier you'll need to wait for servlet 3 where there's going to be a programatic way to log into the configured security realms such as the db one you defined.  I haven't looked at this proposal in detail but I think it will let you do stuff like logging in from the jsf loginbean.

thanks
david jencks



--
viola




--
viola