|
For typical most typical internet facing websites when you login & leave the website by just closing the tab (without logging out), then on successive revisits, you may not be required to re-specify your credentials or login, you are directly logged in.
How does all that happen on the backend? How can I enable such mechanism on my JSF 2.1 application?
Using JSF 2.1 on Tomcat7 server
Best Answer-推荐答案
This is basically done by a long-living cookie. This functionality is not provided by the JSF API as it's just a simple component based MVC framework. This functionality is also not provided by the standard Java EE API. Some authenticaiton frameworks like Spring Security and Apache Shiro offer this functionality.
If you need to implement this using "plain" Java EE / JSF, then you'd need to create a long-living cookie yourself during login by ExternalContext#addResponseCookie(). The cookie value must be a long, unique, autogenerated and hard-to-guess value (e.g. java.util.UUID) which you also store in the DB associated with the user ID. Then, you can use a simple servlet filter to check for the cookie by HttpServletRequest#getCookies() when the logged-in user has been confirmed to be absent. If the cookie is found and is valid, then auto-login the user.
To improve security, provide if necessary the enduser the option to "lock" this cookie on the user IP which you also store in the DB along with the cookie ID and user ID.
See also:
| 
