Filters are the way to go IMO. We use container authentication to force login (with a custom screen) and then we rely on application logic to control access to fields. We use a session bean as others have mentioned to store user information.
We also have a "spoof" login page that is not controlled by the container. We use this for pretending to be other users in a production environment b/c all we have to do is replace the user bean and flip a "spoof" flag on it (so that we can prevent saving etc.) This has the advantage of allowing you to see exactly what your user sees with only a minimal amount of code (which reduces the chance that you might not really be seeing what your user sees.)

Those are some ideas at any rate.

sean

On 10/4/05, Dave <[EMAIL PROTECTED]> wrote:
> hi Andrew,
>
> How to get a Realm object so that I can call authenticate()? I am using
> Database to store username and password. Thanks.
>
>
> Andrew robinson <[EMAIL PROTECTED]> wrote:
>
> I am using the built in Tomcat DataSourceRealm so that single sign-on is
> possible. My login is still using a normal JSP instead of JSF, so I can't
> use JSF components to build my login page. Has anyone integrated the
> form-based web.xml authentication with a JSF login page?
>
>
> On 10/4/05, Mike Kienenberger <[EMAIL PROTECTED] > wrote:
> > I've switched from a login page to a filter that authenticates and sets
> > the User database record in the session. (Actually, I fetch this
> > record every request, and store it in the request, but that may be too
> > excessive for your situation).
> >
> > I then have additional filters that work on that data to provide
> > coarse-grain security (ie, if you don't pass the filter, you can't
> > access any of the application).
> >
> > I also have a SecurityRoleManager bean that provides fine-grain
> > control by operating on the record stored in the session. Ie,
> > "securityRoleManager.canEditDate()"
> >
> > On 10/4/05, Eurig Jones <[EMAIL PROTECTED]> wrote:
> > > I'm trying to decide on a Login/Logout system to protect my files using
> > > JSF.. I've played about with extending NavigationHandler, but the
> > > problem is, it doesn't protect the files which aren't JSF, and you can
> > > still run the JSP files if you wanted to...
> > >
> > > How have you people gone about a database driven login/logout system
> > > using Faces?
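
The filter approach discussed in this thread, sketched as an added example (not code from any of the posters). It assumes a hypothetical `UserBean` stored under the session attribute `"user"`, a hypothetical `/login.jsp` page that sets it, and, as one possible reading of "prevent saving", it rejects anything other than GET/HEAD while the spoof flag is set. Mapped to `/*`, it also covers JSP files requested directly, which a NavigationHandler does not.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.servlet.*;
import javax.servlet.http.*;

// web.xml (assumed): <filter-mapping> with <url-pattern>/*</url-pattern>,
// so plain JSPs and other non-JSF resources pass through this check too.
public class LoginFilter implements Filter {

    /** Hypothetical session bean: the logged-in user plus the "spoof" flag. */
    public static class UserBean implements Serializable {
        private final String username;
        private final boolean spoofed;
        public UserBean(String username, boolean spoofed) {
            this.username = username;
            this.spoofed = spoofed;
        }
        public String getUsername() { return username; }
        public boolean isSpoofed() { return spoofed; }
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // The login page itself must stay reachable without a session.
        if ("/login.jsp".equals(req.getServletPath())) {
            chain.doFilter(rq, rs);
            return;
        }
        // getSession(false): never create a session for an anonymous request.
        HttpSession session = req.getSession(false);
        UserBean user = (session == null) ? null : (UserBean) session.getAttribute("user");
        if (user == null) {
            res.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        // Spoofed sessions are read-only: block state-changing methods centrally
        // instead of relying on every page to check the flag.
        String method = req.getMethod();
        if (user.isSpoofed() && !"GET".equals(method) && !"HEAD".equals(method)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Read-only while spoofing");
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

Field-level rules such as `securityRoleManager.canEditDate()` still belong in application logic; the filter only provides the coarse-grained gate.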

