custom filter / advice on security

  • Cyril Marzin

    Cyril Marzin - 2018-07-09

    Hello, and thanks for your work, I use SPNEGO with Glassfish and it works seamlessly.
    However, in my company, I want to redirect to an alternative login/password form when SSO fails (where we'll use an external web service). Thanks to some advice I read in this forum, I tried to implement it.

    Here is how it works:
    - /secured folder is filtered with a custom SPNEGO filter
    - welcome page (/blank.xhtml) is a blank page sending an AJAX request (using jQuery) to a filtered URL (/secured/index.xhtml)
    - if successful, user is redirected to /secured/index.xhtml
    - if not, user is redirected to /loginform.xhtml
    - when authentication is successful (using SPNEGO SSO or login form), I set a property "isLoggedIn" to true in a "session scoped" bean
    - that way, regardless of auth method used, a logged in user can access /secured/dummy.xhtml, because in custom filter, spnego.doFilter call is bypassed if "isLoggedIn" property is true.

    Do you think this is a good way to do it? Or is it a mistake to rely on a session scoped bean to grant or deny access to different pages? I welcome any comments or suggestions.


    Last edit: Cyril Marzin 2018-07-09
  • Steffen Ryll

    Steffen Ryll - 2019-01-03

    Cyril,
    basically, what you described is the typical way most web apps keep their authentication/authorization info, so it's sensible.
    However, I'd advise you to store not just a boolean flag logged in/not, but rather some more data about the current user as well: user name, permissions (that you may have retrieved from some other system), timestamp of login, etc., depending on what you need.

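An added example (not code from this thread or from the SPNEGO project) of the custom filter Cyril describes, combined with Steffen's advice to store a login record rather than a bare flag. It assumes the session attribute name, the 8-hour lifetime, programmatic registration via ServletContext.addFilter so the real SPNEGO filter can be passed in, and that the SPNEGO filter exposes the accepted principal through getRemoteUser() on the request it hands down the chain.

```java
import java.io.IOException;
import java.io.Serializable;
import java.time.Instant;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Guards /secured/* with the existing SPNEGO filter, but tracks the login in a session record. */
public class SessionAwareSpnegoFilter implements Filter {
    static final String ATTR = "authUser";            // session attribute name (assumed)
    static final long MAX_AGE_SECONDS = 8 * 3600L;    // absolute login lifetime (assumed policy)
    private final Filter spnego;                      // the SPNEGO filter, injected at registration

    public SessionAwareSpnegoFilter(Filter spnego) { this.spnego = spnego; }

    /** What the session holds instead of a boolean: who, what they may do, when and how they logged in. */
    public static final class AuthUser implements Serializable {
        public final String name, method; public final Set<String> permissions; public final Instant loginTime;
        AuthUser(String n, Set<String> p, Instant t, String m) { name = n; permissions = Set.copyOf(p); loginTime = t; method = m; }
        boolean expired() { return loginTime.plusSeconds(MAX_AGE_SECONDS).isBefore(Instant.now()); }
    }

    /** Shared by the SPNEGO path and the login-form bean: rotate the session id, then store the record. */
    public static void recordLogin(HttpServletRequest req, String name, Set<String> perms, String method) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();            // a fresh id at login defeats session fixation
        req.getSession(true).setAttribute(ATTR, new AuthUser(name, perms, Instant.now(), method));
    }

    @Override public void init(FilterConfig cfg) throws ServletException { spnego.init(cfg); }
    @Override public void destroy() { spnego.destroy(); }

    @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false);
        AuthUser user = session == null ? null : (AuthUser) session.getAttribute(ATTR);
        if (user != null && !user.expired()) {        // logged in by SSO or the form: bypass SPNEGO
            chain.doFilter(rq, rs);
            return;
        }
        if (user != null) session.invalidate();       // an expired record must not keep granting access
        // On failure SPNEGO answers 401/Negotiate itself and never calls our chain (which is what the
        // AJAX probe on /blank.xhtml detects); on success it calls the chain with the authenticated request.
        spnego.doFilter(rq, rs, (r, s) -> {
            HttpServletRequest authed = (HttpServletRequest) r;
            String principal = authed.getRemoteUser();  // assumed: the SPNEGO filter exposes the principal here
            if (principal == null) { ((HttpServletResponse) s).sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            recordLogin(authed, principal, Set.of(), "spnego");   // permissions would be looked up elsewhere
            chain.doFilter(r, s);
        });
    }
}
```

The login-form bean calls the same recordLogin() after the external web service accepts the credentials, so both paths produce an identical record and the same expiry check applies to both.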
