for bigger projects where we need to integrate several systems with single-sign in we use JAAS, but for small projects that's way overkill.
cheers
dave
On 25/01/2005, at 3:03 PM, Guy Katz wrote:
you can use a rendered attribute on the JSF components you want to hide. the rendered will have a valueBinding that will check the userRole.
there is a specific tag for this in myfaces but i cant remember it now.
to check HTTP session variables use the external context to get the HTTPSession servlet API objects and access this like in a servlet or access it through the VB mechanism.
-----Original Message----- From: Heath Borders [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 25, 2005 3:54 PM To: MyFaces Discussion Subject: Re: How do you handle security with JSF?
We just have one level of security for all our JSF pages, but pages that cannot be secure (like the login page) must be done in plain JSP. Since we only have 1 or 2 of those, we just use a JSP and a servlet.
On Tue, 25 Jan 2005 14:21:41 +0100, niksa_os <[EMAIL PROTECTED]> wrote:How do you handle security with JSF web application?
For example, you have one admin and few users.
How do you protect some pages and how do you show/hide links for different
roles (admin, user) in navigation.jsf?
And for example, if I have in HttpSession attr TYPE=admin what to put in jsf
page to check for TYPE and if TYPE is wrong to redirect to login.jsp?
-- -Heath Borders-Wing [EMAIL PROTECTED]
