authorization in JSF2 | ansaurus

tags:

views:

222

answers:

1

Q:

authorization in JSF2

Hi!

what is the best way to implement authorization in JSF2? through, servlet filter, phase listener or ther is something new that I am not aware of?

A:

There are two pieces to this: Authentication, and Authorisation.

First Authentication: You can configure your web.xml to perform JAAS-based authentication according to a url pattern. Alternatively, if url-based authentication is too coarse-grained for you, you could do this manually with a PhaseListener or page actions using the HttpServletRequest login() method (new in Servlet 3.0). You can access this method through the FacesContext.getCurrentInstance().getExternalContext().

Once you are authenticated to a JASS realm, you can consider role based authorisation. Again there are a number of options:

You can restrict page access to specified roles in the web.xml according to a url-pattern
You can use the FacesContext.getCurrentInstance().getExternalContext().isUserInRole("role") to programmatically access the current role in your backing beans.
You can conditionally render components in the view using Expression Language, based on the user role. (Seam has the s:hasRole EL expression, IceFaces has the renderedOnUserRole attribute, or you can expose the role from your own backing bean).

Brian Leathem 2010-06-02 14:48:05

related questions

Should unauthorized actions in the UI be hidden, disabled, or result in an error?

Porting JDBCRealm from tomcat to OC4J

Any frameworks on Authentication & Authorization for Windows Form Application?

How to design database for authorization and authentication

ASP.NET MVC Authorization

Custom Rails authentication / authorization

How to handle authorization when using NHibernate in .NET

How to allow authorization to an rss feed using ASP.NET MVC?

Security integration with arcPlan Enterprise

Best way to implement fine-grained authorization for a web application?

Authentication system for ASP.NET web applications?

User Access Checking for Rights on Particular Database Objects or Records

Authorizing REST Requests

Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?

How do you restrict access to a certain user using ASP.NET MVC?

Scalable/Reusable Authorization Model

Forms Authentication Error in WCF

What are the best-practices around resource list authorization?

Can CLIENT-CERT auth-method be used with a JDBC realm within tomcat?

Non-interactive authentication/authorization for XML-RPC?

WCF Service authorization patterns

Managing large user databases for single-signon.

Best way to handle user account authentication and passwords

Best practise to authorize all users for just one page in asp.net

Why do I get the error "Unable to update the password" when calling AzMan?