0

I need to create a webapp that has a login system. The user should authenticate against a database. I want to save the user role in the session - or are there other (better) ways?

Furthermore there are areas for user access. Guest area, user area, admin area.

The question now is: how can I easily implement the authorization with JSF 2.0? I don't want to test on each site whether the user is permitted to access the site or not.

Is there a configuration in web.xml or faces-config.xml that tests the cases?

Can someone show me a tutorial or sample code?

Thanks and best regards veote

veote
  • Websphere Application Server 8.0 – veote Mar 16 '12 at 13:44
  • "I don't want to test on each site, if the user is permitted to access the site or not." Can you elaborate on 'each site'? Are you looking for single-point authentication for multiple sites, or did you mean checking on each page/link? – baba.kabira Mar 16 '12 at 13:59
  • [link @ SO might help](http://stackoverflow.com/questions/1187949/jsf-authentication-and-authorization) – baba.kabira Mar 16 '12 at 14:04

3 Answers

2

You can also look at these options (frameworks):

  1. Spring Security
  2. Apache Shiro
  3. Java EE Security Tutorial
  4. As already suggested, application-server-provided authentication/authorization.
  5. Implement a Filter (Custom home grown logic for Authentication/Authorization)

Blogs covering AnA in JSF

  1. User session filter
  2. Access Control in JSF using a PhaseListener

Hope this helps

Arjan Tijms
baba.kabira
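
One way to implement the "Filter" option from the list above, as an added example (not code from this answer or from the linked blogs): a single servlet filter that maps each area to the roles allowed in it, so no page has to test the role itself. The session attribute name `userRole`, the role names `user` and `admin`, the `/guest/`, `/user/` and `/admin/` folders, `/login.xhtml`, and a FacesServlet mapping of `*.xhtml` are all assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example: central area check, applied to every request.
@WebFilter("/*")
public class AreaAuthorizationFilter implements Filter {

    // Assumed attribute name; the login bean sets it after the database check.
    static final String ROLE_ATTR = "userRole";

    /** Returns true if the given role may access the context-relative path. */
    static boolean isAllowed(String path, String role) {
        if (path.startsWith("/admin/")) return "admin".equals(role);
        if (path.startsWith("/user/"))  return "user".equals(role) || "admin".equals(role);
        // Guest area, login page and JSF resources are public; anything else is denied.
        return path.startsWith("/guest/") || path.equals("/login.xhtml")
                || path.startsWith("/javax.faces.resource/");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Use the container-decoded path, not the raw request URI, for the prefix match.
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);

        HttpSession session = request.getSession(false); // do not create sessions for guests
        String role = (session == null) ? null : (String) session.getAttribute(ROLE_ATTR);

        if (isAllowed(path, role)) {
            chain.doFilter(req, res);
        } else if (role == null) {
            // Not logged in: send to the login page.
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
        } else {
            // Logged in, but the role is not sufficient for this area.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

A path that matches no listed area is denied, so a newly added folder stays closed until it is added to `isAllowed`.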
0

You can try this approach; it uses a PhaseListener to check whether the user has rights to access the current site during the RESTORE_VIEW phase. It is quite easy to implement and it's portable between different servers (as opposed to realms).

Petr Mensik
  • Thanks, that seems nice. Is there maybe another way to configure this in web.xml / faces-config? – veote Mar 16 '12 at 13:54
  • Well, not really in such a good manner. You can specify the restricted pages and how to log the user in, but it usually works fine only with realms (and it is sometimes hard to set it all up and wire it together). And BTW, why do you want to use just these XML files? It seems to me cleaner and more readable to stick with classic programming style instead of bothering yourself with XML – Petr Mensik Mar 16 '12 at 14:01
0

I am not familiar with WebSphere, but since it is a Java EE 6 compliant application server, you can create a JDBCRealm for this purpose. See this chapter of the Java EE 6 tutorial.

Matt Handy
  • Thank you, but for me it's not the best way, I think, because maybe I want to replace the DB with LDAP. – veote Mar 16 '12 at 13:53
  • 1
    @veote I use WebLogic, but changing the authentication provider in a realm is not that hard; you can switch technologies with ease. – baba.kabira Mar 16 '12 at 14:02
  • If you look at the example in the tutorial (and from my experience), I agree with gbagga that switching should not be that complicated. – Matt Handy Mar 16 '12 at 14:04