Login by hyperlink with username and password in email with JSF and Spring Security

3

I have a system in JSF (with primefaces) with spring security. When the user registers, he receives an email with a username and password.

Ok - It works.

However, I would like to send in the body of the email a hyperlink the user could click to enter the system already authenticated.

What I have tried so far, as a test: at least send the username and password as parameters (I will add encryption logic) to the login page, filling in the username and password fields automatically. With the fields already filled, click the login button. I do not know whether it would be very elegant, but it would already help.

However, I can make the system populate the username but not the password.

Below the xhtml excerpt.

<h:outputLabel for="username" value="Email" />
<p:inputText id="username" required="true"
    label="Informe seu email" value="#{securityController.email}" />

<h:outputLabel for="password" value="Senha" />
<p:password id="password" required="true"
    label="Informe sua senha" value="#{securityController.password}" />

<p:spacer />
<p:commandButton process="username password @this" value="Logar"
    id="botaoLogar" update="msgs" ajax="false"
    styleClass="ms-botao-login ms-cor-botao"
    action="#{securityController.processaLogin()}" />

Managed Bean

import java.io.IOException;
import java.io.Serializable;

import javax.enterprise.context.SessionScoped;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

@Named
@SessionScoped
public class SecurityController implements Serializable {

    private static final long serialVersionUID = 1L;

    private String email;
    private String password;

    // Hands the submitted credentials over to Spring Security's form-login
    // filter; FacesUtil is the poster's own redirect helper.
    public void processaLogin() throws ServletException, IOException {
        FacesUtil.redireciona("/spring_security_check");
    }

    // Runs before the login page renders and pre-fills the two fields from the
    // user__ / pass__ query parameters carried by the link in the email.
    public void preRender() {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        HttpServletRequest request = (HttpServletRequest) facesContext.getExternalContext().getRequest();

        String user__ = request.getParameter("user__");
        String pass__ = request.getParameter("pass__");

        this.email = user__;
        this.password = pass__;
    }

    // gets and sets
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }

}
    
asked by anonymous 24.03.2017 / 15:00

1 answer

4

If you want to pursue your initial goal of following the link and getting authenticated, why not use a JSON Web Token to encode the username, ensuring that the message cannot be modified manually?

My proposal is to generate a link of the form

MYSITE.com?confirmation=TOKEN

where the confirmation parameter contains a payload with the username and an expiration date. On the server, use the Java library available at link to decode the token, and since it comes hashed with your security key, you will know that it is trusted information coming from your own link.

To generate the token you will need to run the code before sending the email, through the same process.

The code in the link:

 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im1ldS51c2VyIiwiZXhwaXJlcyI6MTQ5MTAwNDgwMH0.MvU1565xwqaMsqCgcB7shScvh0Bo80SfGO2b6szLwbw

represents payload:

{
  "username": "meu.user",
  "expires": 1491004800
}

where the date is a Linux time (link), that is, the number of seconds since 1 Jan 1970 (UTC).

This way you can prevent old links from being used after the desired period simply by checking the date. The password used in this hash is "secret", and you can check on the jwt.io site itself that it decodes to this.

Cheers

    
29.03.2017 / 16:00
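The scheme the answer describes, as an added example that is not part of the question or the answer and is not code from the asker's project: mint an HS256 JWT carrying the username and an `expires` Unix time, put it in the link, and on the server verify the signature before trusting any claim, then check the date. It is written in Python with only the standard library rather than the Java library the answer points to, so it runs offline. The function names, the `MYSITE.example` base URL and the `confirmation` query parameter are assumptions modelled on the answer; the `PAGE_TOKEN` constant is the token quoted in the answer, and the secret `"secret"` is the one the answer names.

```python
# Added example (not code from the question or the answer): the signed
# login-link scheme the answer describes, built with only the Python
# standard library instead of the Java JWT library the answer points to.
import base64
import hashlib
import hmac
import json
import time
import urllib.parse

# Token copied from the answer; its header and payload segments decode to
# {"alg":"HS256","typ":"JWT"} and {"username":"meu.user","expires":1491004800}.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJ1c2VybmFtZSI6Im1ldS51c2VyIiwiZXhwaXJlcyI6MTQ5MTAwNDgwMH0."
              "MvU1565xwqaMsqCgcB7shScvh0Bo80SfGO2b6szLwbw")


def _b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def make_login_token(username: str, secret: str, ttl_seconds: int, now=None) -> str:
    """Build an HS256 JWT carrying the username and an 'expires' Unix time."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"username": username, "expires": now + ttl_seconds}
    signing_input = _b64url_encode(_compact_json(header)) + "." + _b64url_encode(_compact_json(payload))
    signature = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_login_token(token: str, secret: str, now=None):
    """Return (username, None) if the token is genuine and unexpired, else (None, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(signature_b64)
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both derive from ValueError
        return None, "malformed"
    # Pin the algorithm: never let the token choose it (alg=none / key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret.encode("utf-8"),
                        (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so a forger cannot time the check byte by byte.
    if not hmac.compare_digest(signature, expected):
        return None, "bad signature"
    # Only trust the claims once the signature has been verified.
    if not isinstance(payload, dict):
        return None, "malformed"
    expires = payload.get("expires")
    if not isinstance(expires, int) or now >= expires:
        return None, "expired"
    username = payload.get("username")
    if not isinstance(username, str) or not username:
        return None, "no username"
    return username, None


def peek_payload(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature (debugging only, never for auth)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def build_login_link(base_url: str, token: str) -> str:
    """Assumed link shape from the answer: the token travels in a 'confirmation' parameter."""
    return base_url + "?confirmation=" + urllib.parse.quote(token, safe="")


if __name__ == "__main__":
    token = make_login_token("meu.user", "secret", ttl_seconds=3600, now=1491001200)
    print(build_login_link("https://MYSITE.example/login", token))
    print(verify_login_token(token, "secret", now=1491001200))  # ('meu.user', None)
    print(verify_login_token(token, "secret", now=1491004800))  # (None, 'expired')
    print(peek_payload(PAGE_TOKEN))
```

The server side checks the signature before it looks at `expires` or `username`, so a link whose payload was edited by hand fails closed as "bad signature" rather than leaking which claim was touched; once the token is accepted, the application should establish the Spring Security session itself instead of round-tripping a password through the form, and the token should be single-use or short-lived since anyone who reads the email can follow the link.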