I would recommend looking at the Acegi Framework. http://www.acegisecurity.org/ and Acegi-JSF http://www.jroller.com/page/cagataycivici?entry=acegi_jsf_components_hit_the
Adam Brod
Product Development Team

"Craig McClanahan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/08/2006 11:46 AM
Please respond to [email protected]
To [email protected]
cc
Subject Re: Central Authentication

On 8/8/06, Nikish Parikh <[EMAIL PROTECTED]> wrote:
> I want to implement centralized authentication and authorization using
> shale framework.
>
> So when any user tries to access any of application pages or faces, this
> authorization process will allow/restrict as per their security
> configurations. This authorization process will have one database where
> all authorization details are provided.
>
> I would like to know little technical implementation feasibility.
>
> Will this be possible by implementing in one single Managed Bean?
>
> How I can control and manage further navigation?
>
> I will be thankful to all, who will provide suggestions and solutions.

The most popular approaches to this problem in Java-based web applications are to use either the security environment provided by your application server (typically called "container managed security" if you want to Google for it), or a third party library like SecurityFilter[1] from SourceForge that emulates this architecture. Either would work fine with Shale and JSF.

The basic idea is that you want to restrict access to some or nearly all of the pages of your application to those who have successfully logged on (you would normally want to allow them to get to the logon page without logging on first :-). Thus, any attempt by an unauthenticated user to access any secured page would be redirected to the logon page. Further, you can associate a set of "roles" with each user, and then declare rules like "only a manager can see the personnel details page".

The interesting part of this tends to be how you hook up the existing knowledge in your database to the security infrastructure.
With container managed security, you have to use container-specific facilities to accomplish this goal (for Tomcat, for instance, you can either define a Realm[2] or use one of the existing implementations if your database structure matches the default Realm's expectations). For things like SecurityFilter, there will typically be some sort of adapter API that you need to implement that provides the information the authentication filter needs ... more details are in the docs.

The key point to remember, though, is that these authentication approaches work both with and without JSF (and therefore with and without Shale) ... don't restrict your search only for something like a "JSF based authentication system."

Craig

[1] http://sourceforge.net/projects/securityfilter
[2] http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html

> Thanks in advance
>
> Nikish Parikh

Disclaimer: This electronic mail and any attachments are confidential and may be privileged. If you are not the intended recipient, please notify the sender immediately by replying to this email, and destroy all copies of this email and any attachments. Thank you.
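
The container-managed setup Craig describes, as an added example that is not part of the original thread: a web.xml fragment declaring the "manager only" rule and the logon redirect, followed by a Tomcat 5.5 JDBCRealm that reads users and roles from an existing database. The URL patterns, page paths, role names, JDBC driver and URL, and table and column names are all assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml fragment (added example; paths and role names are assumed) -->

<!-- "Only a manager can see the personnel details page" -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Personnel details</web-resource-name>
    <url-pattern>/faces/personnel/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<!-- Every other JSF page: any authenticated user holding a declared role.
     The more specific /faces/personnel/* pattern above wins for its URLs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application pages</web-resource-name>
    <url-pattern>/faces/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<!-- Unauthenticated requests to a constrained URL are sent to the logon page,
     which sits outside the constrained patterns so it stays reachable. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role><role-name>manager</role-name></security-role>
<security-role><role-name>user</role-name></security-role>

<!-- Tomcat 5.5 Realm (server.xml or context.xml), a separate file from web.xml.
     Driver, URL, table and column names are placeholders for the existing database. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="org.example.jdbc.Driver"
       connectionURL="jdbc:example://dbhost/authdb"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>
```

The container checks these constraints only against the URL of an incoming request, and JSF navigation forwards on the server side by default, so a navigation rule that leads into a restricted page needs `<redirect/>` for the constraint to be evaluated.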
