
cookie based "remember me" with jdbc realm container security

3 replies [Last post]
healeyb
Offline
Joined: 2010-01-26

I've got container security working with a jdbc realm using hashed passwords.
What I want to do is have a preRenderView on my login page which, if it detects
an appropriate cookie will auto-login the user. Not everyone thinks this is a good
idea, but, let's face it lots of sites implement "remember me".

There's a login(username, password) function on HttpServletRequest which does
what I want, the problem being that it takes plain text passwords. Exactly what
I don't want to do is store the plain text password in the cookie.

I thought it would be best to take a username from the cookie, check the ip
address of the http request against a stored value, then perhaps retrieve the
hashed password from the database for the user record and call a login function
that can use hashed passwords (or just not do this last step).

Does anyone know how to do this? I saw one post regarding a custom login
module but know nothing more than that.

Regards,
Brendan.
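One way to get what the first post asks for, a cookie that logs the user back in without ever carrying the password, is the selector/validator scheme below. This is an added example and not code from the thread, from GlassFish or from the jdbc realm; the class, method and field names are invented for illustration, and an in-memory map stands in for the database table a real deployment would use. The cookie holds two random values: a selector used to look the row up, and a validator whose SHA-256 hash is all that is stored server-side, so a copy of the table cannot be turned back into working cookies and a stolen cookie reveals nothing about the password hash in the realm.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Persistent-login ("remember me") tokens that never contain the password.
 * Added example; not part of the original thread or of any GlassFish realm.
 * Cookie value = selector ':' validator. Only SHA-256(validator) is stored.
 */
public class RememberMeTokens {

    /** Row as it would be stored in an assumed persistent_logins table. */
    public static final class TokenRecord {
        public final String username;
        public final byte[] validatorHash;
        public final long expiresAtMillis;

        TokenRecord(String username, byte[] validatorHash, long expiresAtMillis) {
            this.username = username;
            this.validatorHash = validatorHash;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for the database table; keyed by selector.
    private final Map<String, TokenRecord> store = new HashMap<>();
    private final long ttlMillis;

    public RememberMeTokens(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    /** Call after a successful form login; the returned string is the cookie value. */
    public String issue(String username, long nowMillis) {
        String selector = randomToken(12);
        String validator = randomToken(32);
        store.put(selector, new TokenRecord(username, sha256(validator), nowMillis + ttlMillis));
        return selector + ":" + validator;
    }

    /**
     * Returns the username the cookie proves, or null. A valid token is consumed
     * here (one-time use); the caller issues a fresh one for the next visit.
     */
    public String redeem(String cookieValue, long nowMillis) {
        if (cookieValue == null) {
            return null;
        }
        int sep = cookieValue.indexOf(':');
        if (sep <= 0 || sep == cookieValue.length() - 1) {
            return null; // malformed: empty selector or empty validator
        }
        String selector = cookieValue.substring(0, sep);
        String validator = cookieValue.substring(sep + 1);
        TokenRecord rec = store.get(selector);
        if (rec == null) {
            return null; // unknown selector: nothing to compare against
        }
        // Timing-safe comparison of the two hashes.
        if (!MessageDigest.isEqual(rec.validatorHash, sha256(validator))) {
            // Right selector, wrong validator: a guessed or stolen cookie. Revoke the row.
            store.remove(selector);
            return null;
        }
        store.remove(selector); // consumed on every path from here on
        if (nowMillis > rec.expiresAtMillis) {
            return null; // expired
        }
        return rec.username;
    }

    /** Invalidate every persistent login for a user, e.g. on password change. */
    public void revokeAll(String username) {
        store.values().removeIf(r -> r.username.equals(username));
    }

    private static String randomToken(int numBytes) {
        byte[] b = new byte[numBytes];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        RememberMeTokens tokens = new RememberMeTokens(14L * 24 * 3600 * 1000);
        long now = System.currentTimeMillis();
        String cookie = tokens.issue("brendan", now);
        System.out.println("cookie: " + cookie);
        System.out.println("first redeem: " + tokens.redeem(cookie, now + 1000));
        System.out.println("replay of same cookie: " + tokens.redeem(cookie, now + 2000));
        String fresh = tokens.issue("brendan", now);
        String tampered = fresh.substring(0, fresh.indexOf(':') + 1) + "AAAA";
        System.out.println("tampered validator: " + tokens.redeem(tampered, now));
        System.out.println("original after tamper attempt: " + tokens.redeem(fresh, now));
    }
}
```

Two design notes. The example deliberately does not bind the token to the client IP address, because legitimate clients change address (mobile networks, NAT, VPNs) far more often than attackers are stopped by the check; expiry, one-time use and revocation on a wrong validator do the work instead. Also, redeeming the token only tells the application who the user is; with container-managed security the container principal still has to be established by the realm or a login module, which is the part Brendan describes below as the fiddly custom-realm configuration, and is exactly why request.login(username, plaintext) is the wrong tool here.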

oyvindae
Offline
Joined: 2011-01-10

Has anyone figured out how to do this yet?
I am struggling with exactly the same thing.

healeyb
Offline
Joined: 2010-01-26

Hi, I think I pretty much figured out how to do this, but also decided against implementing it.
I figured that when you have the <form-login-page>/faces/login.xhtml</form-login-page>
entry in the deployment descriptor used in conjunction with a jdbc realm it's like the locked
front door. To implement a remember me system you'd need to use a custom realm which
would need to replicate that functionality, doing the database lookup and encrypting the
password etc... whilst also incorporating the cookie shortcut. My concern was that without
going through all the code I don't know what other clever anti-hacking stuff is built into the
form based container login mechanism. The key thing is the custom realm, which I did get
working, but it is very fiddly to configure. This blog may be of interest:
http://blogs.sun.com/nithya/entry/groups_in_custom_realms
Regards,
Brendan.

peternortan
Offline
Joined: 2013-12-04

Have you sorted this problem?
Me