3 Replies Latest reply on Apr 23, 2007 10:21 AM by chubinator

    Login Best Practices

    chubinator

      I was wondering if there is a good Wiki page covering best practices for Login security for web apps?

      One specific question I have is with regards to a login form on the home page (non-secure) that submits to the login action. Because I cannot specify a scheme with JSF/JBoss seam in the h:form tag, I cannot force it to submit to an https URL.

      The best I can do is use the pages.xml to require HTTPS, but that results in one non-secure request then a redirect to the secure request. So it's pointless in this case.

      I reviewed a JIRA (http://jira.jboss.com/jira/browse/JBSEAM-741) where this was talked about and it appears that for now the Seam team is holding off supporting a scheme attribute in the link/form tags.

      It has me thinking there is a security concern with doing this sort of thing (submitting a non-secure form to a secure URL) and that perhaps I should just avoid having the convenient login box on the home page.

      Any feedback is very much appreciated.

      Thanks,
      Mark

        • 1. Re: Login Best Practices
          shane.bryzak

          Can you please raise this in JIRA?

          • 2. Re: Login Best Practices

            My apps simply have their own secure login pages so I don't have a best practice, but I'll help hash something out. I suppose my first question is: are you using Facelets? My knee-jerk solution to this would be to write a simple <my:loginForm> tag with Facelets that used a regular html form and an https action URI. The action URI can be backed by a servlet that would get everything sorted. When it's all said and done you end up being redirected to your app's home jsf page with a new secure session and populated identity.

            Sure it would be nice if some nice jsf framework provider did all the work for you. Fortunately I don't think it's that much work and should fit the requirements. I'm sure Seam will eventually get there, they just need to step back and think about the problem. I think they've been burnt rushing into things in the past.
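One way to build the servlet-backed login sketched above, added here as an example and not code from this thread or from Seam: the Facelets tag renders a plain HTML form whose action carries an explicit https scheme, and the servlet refuses non-TLS requests, rotates the session id before storing the identity, and redirects to the home JSF page. The `Authenticator` hook, the `"authenticator"` context attribute and the `/home.seam` and `/login.seam` view ids are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Plain HTML rendered by the hypothetical <my:loginForm> tag (not h:form, so the action can name https):
//   <form method="post" action="https://#{request.serverName}/app/secureLogin">
//     <input type="text" name="username"/> <input type="password" name="password"/>
//     <input type="submit" value="Login"/>
//   </form>
public class SecureLoginServlet extends HttpServlet {
    /** Assumed application hook for checking credentials (e.g. a wrapper around Seam's Identity). */
    public interface Authenticator {
        boolean authenticate(String username, String password);
    }
    private Authenticator authenticator;
    @Override
    public void init() {
        // Assumption: the application registers its Authenticator as a servlet context attribute.
        authenticator = (Authenticator) getServletContext().getAttribute("authenticator");
    }
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credentials must only arrive over TLS; refuse anything else outright rather
        // than redirecting, since by then the password has already crossed the wire.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Login requires HTTPS");
            return;
        }
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null
                || !authenticator.authenticate(username, password)) {
            resp.sendRedirect(req.getContextPath() + "/login.seam?failed=true");
            return;
        }
        // Drop any session created over plain HTTP and start a fresh one, so a session
        // id observed before login cannot be reused afterwards (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("authenticatedUser", username);   // handed to the app's identity
        resp.sendRedirect(req.getContextPath() + "/home.seam");  // assumed home view id
    }
}
```

The home page itself still goes out over HTTP, so a tampered copy of the form can point anywhere; the servlet protects the credentials in transit, not the page that collects them.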

            • 3. Re: Login Best Practices
              chubinator

              Thank you for the responses.

              Shane, it looks like a JIRA was already opened on the subject (see my link), but I could open another if you think it's best?

              I am using facelets and I agree it would probably not be too much trouble to roll my own solution. I've just been trying to do things the "seam" way first.

              I also agree that it's best for the Seam team to move carefully, especially in the area of security. It just had me wondering if there wasn't a good reason for not supporting a scheme attribute and perhaps a larger issue I should be aware of. After all, it's not really a seam issue, JSF doesn't support it either.

              Anyhow, for us, we decided to replace our login form on the home page with a link to the login form instead.

              Thanks for the help.