Mar 27, 2009 | Gokhan
Together with our team partner, the base of the login and signup functionalities is completed, and their internationalization integrations work correctly. Error checks exist and are shown, and they are also internationalized.
However, controlling the authentication system and, in case of failures, opening a new ticket will be very beneficial for security and maintenance considerations.
tags: authentication, gokhan, test
Mar 15, 2009 | Gokhan
“Authentication” verifies who you are, and “authorization” verifies what you are authorized to do.
What types of authentication systems exist? Roughly speaking, there are two: the basic model and the form-based model. Form-based systems relieve us of implementing the authentication system ourselves. At first glance, this type may seem difficult to maintain; however, it shows its benefits very soon. One implementation is available at:
http://www.onjava.com/pub/a/onjava/2002/06/12/form.html
Filtering user input is another important topic in an authentication system. If we want every operation performed by the current user to be authenticated, we can make sure that every action the user performs passes through a filter. This is surely a more efficient way than checking the user's status in each page. An example of an authentication filter:
http://www.adventnet.com/products/webnms/help/developer_guide/web_client/web_customize_login.html
tags: authentication, authorization, gokhan
Mar 1, 2009 | Gokhan
In a simple login page, we mainly need to create and configure three parts. First, “login.jsp” for the visual design and for calling the validation function. Second, a “login bean” (a simple Java class) for getting the information from the JSP page; an instance of this bean is created, and this Java file also includes the validation function. Third, the “faces-config.xml” file for managing the bean and redirecting the client according to the result of the validation function.
Then how should we check the logged-in status of clients? One way is to check an attribute of the session object. Another way, which is specific to JSF, is to use a “PhaseListener”.
How about session objects? Session objects live on the server and are automatically associated with clients. Session objects do not travel over the network; only unique identifiers are used. “request.getSession” is enough to get the session object; we do not need to use our own cookies and hash tables, URL rewriting, or hidden form fields.
tags: authentication, gokhan, jsf, session