JAAS login module in Tomcat 7 example (Part 2)


Part 1 of this tutorial demonstrated how to implement a login module using JAAS + Tomcat 7. This next segment shows how to create a login form and call the login module.

Folder Structure:

/protected/index.html (protected via our web.xml file)

Simple JSF login page

The following is a simple form that submits the username and password to a backing bean called loginBean. The form uses HTML5 passthrough attributes (the p: prefix), as well as built-in JSF validators on the input fields. All errors are displayed using the h:messages output.

    <h:form>
        <h3>Please sign in</h3>
        <!-- Validation and login errors are rendered here -->
        <h:messages />
        <h:inputText id="username" value="#{loginBean.username}" required="true" requiredMessage="Please enter your username" p:placeholder="Username" p:autofocus="true">
            <f:validateLength maximum="50" minimum="3" />
        </h:inputText>
        <h:inputSecret id="password" value="#{loginBean.password}" required="true" requiredMessage="Enter your password" p:placeholder="Password">
            <f:validateLength maximum="20" minimum="3" />
        </h:inputSecret>
        <h:commandButton type="submit" value="Sign in" id="submit" action="#{loginBean.login()}"/>
    </h:form>

Calling the login module

Once the form passes validation, the login() action is called. The action passes the submitted username and password to the servlet container through request.login(), which invokes the login module created in part 1 of this tutorial. If request.login() fails, the LoginException thrown by the login module surfaces as a ServletException, which is caught below. If the login succeeds, the user is redirected to the protected page.

    import java.io.Serializable;
    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.faces.application.FacesMessage;
    import javax.faces.bean.ManagedBean;
    import javax.faces.context.FacesContext;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;

    @ManagedBean(name = "loginBean")
    public class LoginBean implements Serializable {
        private static final long serialVersionUID = 1L;

        private String username;
        private String password;

        /**
         * Asks the container to authenticate the submitted credentials.
         *
         * @return the navigation outcome: the protected page on success,
         *         the login page on failure
         */
        public String login() {

            try {

                // Get the current servlet request from the facesContext
                FacesContext ctx = FacesContext.getCurrentInstance();
                HttpServletRequest request = (HttpServletRequest) ctx.getExternalContext().getRequest();

                // Do login from the container (will call login module)
                request.login(username, password);

                return "/protected/index.xhtml?faces-redirect=true";

            } catch (ServletException ex) {

                // Show a generic error on the form and log the cause server-side
                FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "An Error Occurred: Login failed", null));
                Logger.getLogger(LoginBean.class.getName()).log(Level.SEVERE, null, ex);
            }

            return "login.xhtml";
        }

        /**
         * @return the username
         */
        public String getUsername() {
            return username;
        }

        /**
         * @param username the username to set
         */
        public void setUsername(String username) {
            this.username = username;
        }

        /**
         * @return the password
         */
        public String getPassword() {
            return password;
        }

        /**
         * @param password the password to set
         */
        public void setPassword(String password) {
            this.password = password;
        }
    }

This concludes the configuration and implementation of JAAS container-managed security. The original working copy of the complete project is available on GitHub.
