users@glassfish.java.net

[gf-users] what type of web app security

From: Lane <software.research.development_at_gmail.com>
Date: Wed, 16 Apr 2014 20:52:13 -0500

I have a small web app that I'm trying to secure in glassfish4. What I
want to accomplish, is to be able to deploy one instance of the web app for
different remote users. The remote user is the "app admin" and shall create
other users and groups that will use the web app. These users do not know
enough about working with the glassfish admin console, so their use is
strictly within the application.

I plan to host the app and keep its infrastructure running.

My problem is I'm a bit confused about the container-managed way versus pulling
from my own database, so I'm not sure which method I should use to secure
it in the way that I explained above. So I jumped right in trying to
understand it, and here's what I have so far (it doesn't yet work, but I feel
it's close).

Here is my index.xhtml page, which uses PrimeFaces.
---
<!-- Login form: the two inputs bind to loginController's username and password
     properties through the setters on the backing bean, and the command button
     below the grid invokes loginController.login(). -->
<h:panelGrid columns="3">
    <h:outputLabel for="username" value="Username: *"/>
    <p:inputText id="username" required="true" label="Username"
value="#{loginController.username}">
        <f:validateLength minimum="3"/>
    </p:inputText>
    <p:message for="username"/>
    <h:outputLabel for="password" value="Password: *"/>
    <p:password id="password" required="true" label="Password"
value="#{loginController.password}">
    </p:password>
    <p:message for="password"/>
</h:panelGrid>
    <p:commandButton id="loginButton" value="Login"
action="#{loginController.login}"/>
And here is the backing bean.
---
@EJB(name="ejb/LoginBean", beanInterface=ILogin.class)
@ManagedBean(name="loginController")
@ViewScoped
public class LoginController {
    // Set by login() after request.login() succeeds and the submitted credentials match
    // the User record returned by the EJB; read back through isAuthenticated().
    private boolean authenticated = false;
    // EJB reference resolved by JNDI in the constructor; stays null if that lookup fails,
    // in which case login() will dereference a null here.
    private ILogin ilogin;
    // Credentials as submitted from the form, bound via the getters/setters below.
    private String username;
    // Held in plaintext for the life of the view. login() currently writes this value to
    // System.out and compares it against the password the EJB returns; both steps should
    // be removed, since request.login() already verifies the credential against the realm
    // and the comparison implies the stored password is plaintext.
    private String password;
    // Account record fetched from the EJB after request.login() succeeds.
    private User user;
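    /**
     * Resolves the {@code ILogin} EJB through the component environment entry declared by
     * the class-level {@code @EJB(name="ejb/LoginBean")} annotation.
     *
     * <p>If the JNDI lookup fails, {@code ilogin} is left {@code null}; a later call to
     * {@link #login()} then fails when it dereferences the field, so the stack trace printed
     * here is the only diagnostic of the root cause.
     */
    public LoginController() {
        try {
            // The name matches the @EJB(name="ejb/LoginBean") declaration on this class.
            ilogin = (ILogin) new InitialContext().lookup("java:comp/env/ejb/LoginBean");
        }
        catch (javax.naming.NamingException e) {
            // Only a lookup failure is expected here. Anything else (e.g. a wrong binding
            // type producing a ClassCastException) is a programming error and should
            // surface at bean construction rather than be swallowed.
            e.printStackTrace();
        }
    }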
    /**
     * Returns the username submitted from the login form.
     *
     * @return the current username, or {@code null} if none has been set yet
     */
    public String getUsername() {
        return this.username;
    }
    /**
     * Stores the username submitted from the login form; bound by the view.
     *
     * @param username the value entered by the user, may be {@code null}
     */
    public void setUsername(String username) {
        this.username = username;
    }
    /**
     * Returns the password submitted from the login form, in plaintext.
     *
     * @return the current password, or {@code null} if none has been set yet
     */
    public String getPassword() {
        return this.password;
    }
    /**
     * Stores the password submitted from the login form; bound by the view.
     *
     * @param password the value entered by the user, may be {@code null}
     */
    public void setPassword(String password) {
        this.password = password;
    }
    /**
     * Reports whether {@link #login()} has completed successfully for this view.
     *
     * @return {@code true} once login() has accepted the credentials, {@code false} until then
     */
    public boolean isAuthenticated() {
        return this.authenticated;
    }
    public String login() throws IOException {
        FacesContext context = FacesContext.getCurrentInstance();
        ExternalContext externalContext = context.getExternalContext();
        HttpServletRequest request =
            (HttpServletRequest) externalContext.getRequest();
        System.out.println("user: " + this.username);
        System.out.println("pass: " + this.password);
        try {
            request.login(this.username, this.password);
            user = ilogin.getUser();
            System.out.println("user.getUserName: " + user.getUserName());
            System.out.println("user.getPassWord: " + user.getPassWord());
            if (user.getUserName().equals(username)) {
                if (user.getPassWord().equals(password)) {
                    authenticated = true;
                    return "success";
                }
            }
            /*if (request.isUserInRole("ADMIN")) {
                return page;
            }
            else {
            }*/
        }
        catch (ServletException e) {
            e.printStackTrace();
        }
        catch (Exception e) {
            e.printStackTrace();
        }
And I added this to my web.xml.
---
<!-- FORM authentication against a server realm. "JDBCRealm" has to match the name of a
     realm configured in GlassFish (presumably the one backed by the user and group
     tables mentioned below); the credentials are verified by the container when the
     backing bean calls request.login(). -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JDBCRealm</realm-name>
    <form-login-config>
    <form-login-page>/faces/login.xhtml</form-login-page>
    <form-error-page>/faces/loginError.xhtml</form-error-page>
    </form-login-config>
</login-config>
<!-- Neither constraint below declares a <user-data-constraint>, so nothing in this file
     requires TLS for the login POST or for the protected pages; adding
     <transport-guarantee>CONFIDENTIAL</transport-guarantee> to each is the usual fix.
     Listing <http-method> elements also narrows a constraint to exactly those verbs, so
     any other method is uncovered. In a Servlet 3.1 container such as GlassFish 4 either
     drop the <http-method> list (the constraint then applies to every method) or add
     <deny-uncovered-http-methods/> at the web-app level. -->
<security-constraint>
    <display-name>Admin Pages</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Admin Area</web-resource-name>
        <url-pattern>/faces/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <!-- Role names are matched case-sensitively. The backing bean's commented-out
             isUserInRole check uses "ADMIN" while this declares "admin"; pick one
             spelling, or map the realm group to this role in the GlassFish descriptor. -->
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<!-- Despite the display name, this constraint is not unprotected: the <auth-constraint>
     requires an authenticated caller in the admin or user role, so anonymous requests
     to /faces/users/* are rejected. Rename it if that is the intent. -->
<security-constraint>
    <display-name>All Access</display-name>
    <web-resource-collection>
        <web-resource-name>None Protected User Area</web-resource-name>
        <description/>
        <url-pattern>/faces/users/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
        </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>admin</role-name>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
I've also created user and group tables in my database.
Any help much appreciated.