What would happen if we join the stateless ideologies of REST with JSF? I thought I’d investigate so I wrote a little code to see how close to it I could get. Ultimately, I wanted to demonstrate the feasibility of making a secure semi-stateless JSF Single Page Application using minimal to no external frameworks. My focus was to hold onto the benefits and convenience of JSF and Bean development without introducing any hacky code.
Key features
- No session is created until after a user logs in
- GET Requests along with Ajax to navigate without browser needing to changes pages
- History.js to manage the browser back/forward functionality without refreshing whole page
- Pages can be refreshed and bookmarked
- Application server handles authentication / authorization
- Backwards compatible to work without Javascript working
I used a HttpSessionListener to track how many sessions were being made and where they were made. Also, I reused a template for all pages but tracked how it’s used depending on header information. When a page was loaded via an Ajax call the header requested for a fragment Layout. If the page was refreshed or hit from a bookmark, then no header information is present and a stand-alone layout is provided. Each JSF page had the following up top.
template="#{headerValues.Fragment[0] == 'true' ? '/WEB-INF/template/fragment-page.xhtml' : '/WEB-INF/template/standalone-page.xhtml'}" Each Ajax call to the server looks for or places a Fragment header piece.
url : State.url,
headers : {Fragment : "true"},
success : function(data, a, b, c) {
if(b.getResponseHeader('Fragement') === 'false') {
window.location.href = '/jsfspa/login.xhtml';
} else {
$("#testMe").html(data);
}
}In order to truely be stateless I implemented a custom AuthenticationMechanism to prevent creation of a session object. I needed to do this because what ended up happeneing originally is with the default FORM AuthenticationMechanism, if the servley detected that a secure page was accessed, a Session object was created to save the URL into. Then the login page would appear and upon a successful long, the saved URL would be accessed. I implemented a custom AuthenticationMechanism and overrode any creation of session object.
public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
deploymentInfo.addAuthenticationMechanism("NOREDIRFORM", new NoRedirectFormBasedAuthenticationMechanism.Factory());
}Wildfly Modifcations
Data Source
<datasource jndi-name="java:/jsfspaDS" pool-name="PostgrePool" enabled="true">
<connection-url>jdbc:postgresql://localhost/scafold</connection-url>
<driver>postgres</driver>
<security>
<user-name>postgres</user-name>
<password>password</password>
</security>
</datasource>Security Domain
<security-domain name="jsfspa-security-domain" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:/jsfspaDS"/>
<module-option name="principalsQuery" value="SELECT PASSWORD FROM APPUSER WHERE LOGIN = ?"/>
<module-option name="rolesQuery" value="SELECT R.NAME, 'Roles' FROM USER_ROLE UR INNER JOIN APPROLE R ON R.ID = UR.ROLE_ID INNER JOIN APPUSER U ON U.ID = UR.USER_ID WHERE U.LOGIN = ?"/>
</login-module>
</authentication>
</security-domain>Logging
<logger category="net.pannenko">
<level name="ALL"/>
</logger>To track how many sessions were actually in use, I found the following snippet to show me session counts in real-time.
<path>\wildfly-8.1.0.Final\bin\jboss-cli.bat
connect /deployment=jsfspa.war/subsystem=undertow :read-attribute(name=active-sessions)