Hyperlink login with user and password in email with JSF and Spring Security

Viewed 248 times

3

I have a system in JSF (with PrimeFaces) with Spring Security. When a user registers, they receive an e-mail with their username and password.

Okay - It works.

However, I would like to send in the body of the email a hyperlink that the user could click to enter the system already authenticated.

What I've tried so far, on a test basis: at least send the user and password as parameters (I will encrypt them, of course) to the login page, automatically filling in the user and password fields. With the fields already filled in, just click the login button. I don't know if it would be very elegant, but it would help.

However, I can make the system fill in the user but not the password.

Below is the XHTML excerpt.

<h:outputLabel for="username" value="Email" />
<p:inputText id="username" required="true"
    label="Informe seu email" value="#{securityController.email}" />

<h:outputLabel for="password" value="Senha" />
<p:password id="password" required="true"
    label="Informe sua senha" value="#{securityController.password}" />

<p:spacer />
<p:commandButton process="username password @this" value="Logar"
    id="botaoLogar" update="msgs" ajax="false"
    styleClass="ms-botao-login ms-cor-botao"
    action="#{securityController.processaLogin()}" />

Managed Bean

import java.io.IOException;
import java.io.Serializable;

import javax.enterprise.context.SessionScoped;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

@Named
@SessionScoped
public class SecurityController implements Serializable {

    private static final long serialVersionUID = 1L;

    private String email;
    private String password;

    // Hands the submitted credentials over to Spring Security's login filter
    public void processaLogin() throws ServletException, IOException {
        FacesUtil.redireciona("/spring_security_check");
    }

    // Runs before the login page renders: pre-fills the fields from the
    // user__ / pass__ request parameters carried by the link in the e-mail
    public void preRender() {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        HttpServletRequest request =
            (HttpServletRequest) facesContext.getExternalContext().getRequest();

        String user__ = request.getParameter("user__");
        String pass__ = request.getParameter("pass__");

        this.email = user__;
        this.password = pass__;
    }

    // getters and setters
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

1 answer

4


If you want to pursue your initial goal of following the link and being authenticated right away, why not try using a JWT (JSON Web Token) to encode the username, ensuring that the message cannot be modified manually?

My proposal is to generate a link of the form

meusite.com?confirmation=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im1ldS51c2VyIiwiZXhwaXJlcyI6MTQ5MTAwNDgwMH0.MvU1565xwqaMsqCgcB7shScvh0Bo80SfGO2b6szLwbw

where the confirmation parameter contains a payload with the username and an expiration date. On the server, use the Java library available at http://jwt.io to decode the token, and since it is hashed with your security key, you will know that it is reliable information coming from your link.

To generate the token you will have to encode it, before sending the email, by the same process.

The code on the link:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im1ldS51c2VyIiwiZXhwaXJlcyI6MTQ5MTAwNDgwMH0.MvU1565xwqaMsqCgcB7shScvh0Bo80SfGO2b6szLwbw

represents the payload:

{
  "username": "meu.user",
  "expires": 1491004800
}

where the date is a Unix timestamp (http://www.unixtimestamp.com/index.php), i.e. the number of seconds since 1 Jan 1970 (UTC).

So you can prevent old links from being used after the intended period simply by checking the date. The secret used for this hash is "secret", and you can check on the jwt.io site itself that it decodes to this.

Regards

  • The question is how to hand this over to Spring Security?
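The answer above describes the whole mechanism in prose: build a token carrying the username and an expiry, sign it with a secret known only to the server, put it in the e-mail link, and on the server verify the signature and the date before trusting the username. The following is an added example (not the answer's or the jwt.io library's code) that implements that HS256 JWT round trip with only the Python standard library, so the server-side checks are visible rather than hidden in a library call. The secret, base URL, and the `confirmation` parameter name are assumptions taken from the answer; the payload uses the answer's own `username`/`expires` fields, so the header and payload segments it produces match the ones shown above.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def create_login_token(username: str, secret: str, expires_at: int) -> str:
    """Build an HS256 JWT whose payload is {"username": ..., "expires": ...}.

    Compact JSON (no spaces) is used so the segments are byte-for-byte the
    ones jwt.io shows for the same payload.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"username": username, "expires": expires_at}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"),
                         hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def build_confirmation_link(base_url: str, token: str) -> str:
    """The link that goes into the e-mail body (base_url is an assumption)."""
    return base_url + "?" + urlencode({"confirmation": token})


def verify_login_token(token: str, secret: str, now: int):
    """Return the username if the token is genuine and unexpired, else None.

    Order matters: the signature is checked first (constant-time), so an
    attacker cannot learn anything from a malformed or tampered payload, and
    the expiry is checked against the caller-supplied clock `now`.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"),
                        hashlib.sha256).digest()
    try:
        actual = _b64url_decode(parts[2])
    except ValueError:
        return None
    if not hmac.compare_digest(expected, actual):
        return None  # tampered payload, wrong key, or forged signature
    try:
        header = json.loads(_b64url_decode(parts[0]).decode("utf-8"))
        payload = json.loads(_b64url_decode(parts[1]).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    # Never let the token choose the algorithm; only HS256 is accepted here.
    if header.get("alg") != "HS256":
        return None
    expires = payload.get("expires")
    if not isinstance(expires, int) or now >= expires:
        return None  # old link: outside the intended period
    username = payload.get("username")
    return username if isinstance(username, str) else None


if __name__ == "__main__":
    # Constructed sample values mirroring the answer's payload.
    tok = create_login_token("meu.user", "secret", 1491004800)
    print(build_confirmation_link("https://meusite.com", tok))
    print(verify_login_token(tok, "secret", now=1491000000))  # meu.user
    print(verify_login_token(tok, "secret", now=1491004800))  # None (expired)
```

In the real application the secret would come from server configuration rather than a literal, and `now` would be `int(time.time())` at verification time; passing it as a parameter keeps the expiry check testable. Whatever is returned by `verify_login_token` is the only thing that should be handed to the authentication layer; the raw query parameter is never trusted on its own.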
