
What is the best way to implement authorization in JSF2? Through a servlet filter, a phase listener, or is there something new that I am not aware of?

Dejell

1 Answer


There are two pieces to this: Authentication, and Authorisation.

First Authentication: You can configure your web.xml to perform JAAS-based authentication according to a url pattern. Alternatively, if url-based authentication is too coarse-grained for you, you could do this manually with a PhaseListener or page actions using the HttpServletRequest login() method (new in Servlet 3.0). You can access this method through the FacesContext.getCurrentInstance().getExternalContext().

Once you are authenticated to a JAAS realm, you can consider role-based authorisation. Again there are a number of options:

  1. You can restrict page access to specified roles in the web.xml according to a url-pattern
  2. You can use the FacesContext.getCurrentInstance().getExternalContext().isUserInRole("role") to programmatically access the current role in your backing beans.
  3. You can conditionally render components in the view using Expression Language, based on the user role. (Seam has the s:hasRole EL expression, IceFaces has the renderedOnUserRole attribute, or you can expose the role from your own backing bean).
Brian Leathem