How to configure secure login and related navigation?


by Ted Byers

It is easy to set up the JSF page to be used for logging in to the application, and maintaining state within the session bean is not a problem.  This is a VW app created using NetBeans 6.1.

The question, to which I have yet to find an answer, is how to configure the navigation within the application so that data supplied in the registration and login forms are always sent over a secure port (using SSL or TLS).

In the page navigation diagram that I see with faces-config.xml, I do not see any options that allow me to specify that a given navigation path is to happen only over a secure channel.

Nor do I see properties on the button used to submit the form data that would imply I can tell it to submit the request over a secure channel.

Ideally, I ought to be able to have the form, by default, submit credentials over a secure channel, and if the user is silly enough to edit the source to make the request in clear text, I ought to be able to check the credentials and invalidate them if they exist (because they may be compromised) and provide feedback to the user indicating that credentials must only be sent encrypted and have them reset their credentials.

And one last aspect of this. Setting up navigation is easy when there is only one possible target for a given action (as when the user clicks on the login button - when over a secure channel it always goes to the login page), but how do you handle it when the target could be any page in the web application? If I put register/login buttons on each page (so a user could login from any page), the target for a successful login ought to be the page the user logged in from: which could be the home page, a page showing charts for specific data, a page showing tables for different data, &c. It doesn't seem to me to be user friendly to make a user navigate back to the home page to register or login after having spent time exploring that part of the site that is open to everyone, or to return to the home page if the user has logged on from a report page. I'd have thought the logical place to find this would be the pageflow seen when faces-config.xml is open, but I have had no luck finding it.

In the old days, when I was hand coding HTML, I would just use https in the action for a form, and navigation was not so easy so I'd provide only one spot to opt to login and return only to one page when login was successful and another otherwise (using CGI programming).  But now, some aspects of navigation seem easier and others are more hidden with these visual development tools.  

Shouldn't this be a FAQ, since I can't imagine a web app, that is not a toy, not having login requirements like this, or more likely, more sophisticated than this?

Thanks

Ted
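
One way to enforce the two requirements described in the post above, as an added example that is not part of the original message: a servlet filter, mapped in web.xml to the login and registration pages, that refuses credentials arriving over plain HTTP and stores a validated return page for use after login. The class name, the `username` and `from` parameters, the `returnTo` session attribute, the `secureBase` init parameter and the page paths are all assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example; every name below is an assumption, not taken from the post.
public class SecureLoginFilter implements Filter {
    static final String USER_FIELD = "username";  // JSF usually renders ids like "form1:username"
    static final String LOGIN_PAGE = "/faces/Login.jsp";
    static final String HOME = "/faces/Home.jsp";
    private ServletContext ctx;
    private String secureBase;  // filter init-param, e.g. https://www.example.com

    public void init(FilterConfig cfg) {
        ctx = cfg.getServletContext();
        secureBase = cfg.getInitParameter("secureBase");
    }
    public void destroy() { }

    // Accept only a path inside this application (relative to the context path),
    // so the post-login redirect cannot be pointed at another site.
    static String safeReturnPath(String from, String fallback) {
        boolean local = from != null && from.startsWith("/") && !from.startsWith("//")
                && from.indexOf('\\') < 0 && from.indexOf("://") < 0
                && from.indexOf('\r') < 0 && from.indexOf('\n') < 0;
        return local ? from : fallback;
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (!req.isSecure()) {  // behind a TLS-terminating proxy the container must be told
            String user = req.getParameter(USER_FIELD);
            if (user != null) {
                // Credentials crossed the network unencrypted: never authenticate them.
                // Record the account so the application can force a password reset.
                ctx.log("Cleartext login attempt, reset required for: "
                        + user.replaceAll("[\\r\\n]", "_"));
            }
            res.sendRedirect(secureBase + req.getContextPath() + LOGIN_PAGE
                    + (user != null ? "?insecure=true" : ""));
            return;  // the request never reaches the login bean
        }
        String from = req.getParameter("from");  // set by the login link on each public page
        if (from != null) {
            req.getSession().setAttribute("returnTo", safeReturnPath(from, HOME));
        }
        chain.doFilter(req, res);
    }
}
```

After a successful login the backing bean would redirect to the context path plus the stored `returnTo` value. The servlet container can also redirect these URLs to HTTPS declaratively with a `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` user-data constraint in web.xml.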