Hi, The standard approach is the best. Is most easy to set and, is working always, and will not need other library.
Cristi. Darren Hartford wrote: >The approached I've been using is the normal webapp >JAAS/<security-constraint> approach. > >As far as integrating this within the JSF framework, I use the following >snippets in my sessionbean: > >======================== > /** > * Getter for property username. > * @return Value of property username. A null is no user >authenticated. > */ > public String getUsername() { > return getExternalContext().getUserPrincipal().getName(); > } > >====================== > public boolean verifyRole(String role){ > return getExternalContext().isUserInRole(role); > } >====================== > >Although I'm sure there are more elegant approaches, this has worked for >me and keeps it relatively simple and as-close to 'standard >expectations' for most J2EE-style webapps. > >I did try the filter approach, unfortunately I've had issues with that >approach with JSF, some of which were rather obscure so I went with the >above approach to try to keep it simple and allow for per-page >authorization control (and per-object authorization control, such as >buttons enable/disable by role). > >Hope that helps, would be nice to have a wiki/howto on some of these >security integrations with JSF/myfaces (including Acegi, yes, but also >others like with Tomcat/Jboss security realms and how to handle >authorization seperately from authentication, etc.). > > >-D > > >