Tags: jsf, filter, brute-force, remember-me, j-security-check

j_security_check vs Programmatic Security


I'm building a web application using JSF, EJBs and JPA. I currently use form-based j_security_check to handle authentication.

I need to implement support for cookies, i.e. a "Remember me" option. Also I want to prevent brute-force attacks, i.e. lock a certain user after 5 failed logons.

I understand that the other option would be to do it programmatically using ServletFilters etc.

Is there any way of implementing all these using j_security_check? Or should I just switch back to doing it programmatically?


Solution

  • This has to be a custom implementation around j_security_check. You can attach a servlet filter to j_security_check:

    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>/j_security_check</url-pattern>
    </filter-mapping>
    

    In the SecurityFilter, after the security check returns the userPrincipal, set further details in the session and continue. But if userPrincipal is null, fetch the fail count from the database and put the failure message (including the fail count) in the session, which can be displayed on the login page.

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        // read the form fields before the container consumes the POST
        String username = httpServletRequest.getParameter("j_username");
        String rememberme = httpServletRequest.getParameter("rememberme");
        chain.doFilter(request, response);   // container runs j_security_check
        // null if the container rejected the credentials
        Principal userPrincipal = httpServletRequest.getUserPrincipal();
        if (userPrincipal == null) {
            // look up the fail count for username, store a failure message in the session
        } else {
            // store details in the session; set the remember-me cookie if rememberme was set
        }
    }


    Remember me has to be set as a cookie, and the value of the variable "rememberme" will be available after the j_security_check is completed. Based on success or failure of the login, the cookie can be set.
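The filter sketched in the answer above, filled out as an added example; this is not the answer's own code nor any project's. It assumes the Servlet 3.0 API (javax.servlet), Java 8, and that the filter is mapped to /j_security_check in web.xml as shown. Two in-memory maps stand in for the database table the answer mentions; the login page path /login.xhtml, the 15-minute lock window, the 14-day cookie lifetime and the request parameter name "rememberme" are assumptions. Like the answer, it relies on the container actually invoking a filter mapped to /j_security_check and exposing getUserPrincipal() on that request after chain.doFilter; whether it does is container-specific, so verify that in your server before trusting the lock.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Wraps the container's form login: refuses locked accounts before the container
// sees the POST, counts failures after it, and issues a remember-me cookie on success.
// Assumed to be mapped to /j_security_check in web.xml.
public class SecurityFilter implements Filter {

    static final int MAX_FAILURES = 5;
    static final long LOCK_MILLIS = 15 * 60 * 1000L;   // lock window (assumed policy)
    static final int REMEMBER_DAYS = 14;               // cookie lifetime (assumed policy)

    // Per-user failure state; in-memory stand-in for the database table in the answer.
    static final class Failures { int count; long lockedUntil; }
    private final Map<String, Failures> failures = new ConcurrentHashMap<>();
    // Remember-me store: SHA-256(token) -> username. Storing only the hash means a
    // leaked table cannot be replayed as a login.
    private final Map<String, String> rememberTokens = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Read the form fields now; the container consumes the POST inside chain.doFilter.
        String username = req.getParameter("j_username");
        boolean rememberMe = "on".equals(req.getParameter("rememberme"));

        if (username == null || isLocked(username)) {
            // Do not forward to the container: a locked account must not get its
            // password checked at all, otherwise the lock does nothing against guessing.
            req.getSession().setAttribute("loginError", "Account locked. Try again later.");
            resp.sendRedirect(req.getContextPath() + "/login.xhtml");   // assumed login page
            return;
        }

        chain.doFilter(request, response);   // container performs the actual authentication

        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            int n = recordFailure(username);
            req.getSession().setAttribute("loginError",
                    "Login failed (" + n + " of " + MAX_FAILURES + " attempts).");
            return;
        }
        failures.remove(principal.getName());   // successful login resets the counter
        if (rememberMe) {
            resp.addCookie(issueRememberMeCookie(principal.getName(), req.isSecure()));
        }
    }

    boolean isLocked(String username) {
        Failures f = failures.get(username);
        if (f == null) return false;
        if (f.lockedUntil > System.currentTimeMillis()) return true;
        if (f.lockedUntil != 0) failures.remove(username);   // lock expired: start over
        return false;
    }

    int recordFailure(String username) {
        Failures f = failures.computeIfAbsent(username, k -> new Failures());
        synchronized (f) {
            f.count++;
            if (f.count >= MAX_FAILURES) f.lockedUntil = System.currentTimeMillis() + LOCK_MILLIS;
            return f.count;
        }
    }

    Cookie issueRememberMeCookie(String username, boolean secure) throws ServletException {
        byte[] raw = new byte[32];
        random.nextBytes(raw);                          // 256 bits from a CSPRNG
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        rememberTokens.put(sha256(token), username);    // persist the hash, not the token
        Cookie cookie = new Cookie("rememberme", token);
        cookie.setHttpOnly(true);                       // not readable from JavaScript
        cookie.setSecure(secure);                       // stays on TLS if issued over TLS
        cookie.setPath("/");
        cookie.setMaxAge(REMEMBER_DAYS * 24 * 60 * 60);
        return cookie;
    }

    static String sha256(String s) throws ServletException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException(e);
        }
    }
}
```

The lock check runs before chain.doFilter on purpose: once an account is locked the container never gets to verify a password, so the counter actually stops guessing instead of merely reporting it. Honouring the cookie on a later visit is not shown: the container's form login takes j_username and j_password, not a token, so that step needs programmatic login, which is the "other option" from the question.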