In Core JavaServer Faces, there is information about container security in chapter 11. Tomcat Database Realm or LDAP way
http://www.horstmann.com/corejsf/
I bought this book, it's very good ;)

2005/10/6, Sean Schofield <[EMAIL PROTECTED]>:
> I can vouch for what Duncan is saying. We were able to write our own
> custom authenticator for OC4J. It used Windows Active Directory for
> authentication and Open LDAP for authorization. It was a bit more
> cumbersome than Tomcat but it worked fine.
>
> sean
>
> On 10/5/05, Duncan Mills <[EMAIL PROTECTED]> wrote:
> > Several Points here
> > 1) Using Security Attributes within your pages.
> > I'm about to release 1.0 of the jsf-security project on SourceForge
> > (www.sourceforge.net/projects/jsf-security) this provides
> > extensions to EL which will give you a new scope #{securityScope} and a
> > bunch of attributes and pseudo functions such as
> > #{securityScope.isUserInRole['manager,admin']} which allow you to use
> > expressions to control rendering and read-only states of components - even
> > if they are not "role" enabled in the way that the myfaces components are.
> > jsf-security is fully pluggable and so if you use Acegi or a home grown
> > Authorization / Authentication mechanism you can plug it in underneath the
> > same consistent EL.
> > The current version hooks into Container Security, and we've just started a
> > JAAS adapter as well.
> > If anyone wants to get involved - particularly if you use Acegi today get
> > in touch.
> > For more info on this see this blog entry: and the project on SF. You can
> > pull the source from CVS today and build - it all works I just need to write
> > the doc and localize the message strings...
> >
> > 2) Using the database to Authenticate / Authorize
> > Your mileage will vary from container to container, but with OC4J (& Oracle
> > App server) you can plug in your own custom login modules that can do just
> > this - Frank and I who work on the jsf-security project just posted a paper
> > on that process a few weeks back:
> > Declarative J2EE authentication and authorization with JAAS
> >
> >
> > Duncan
> >
> >
> >
> > Dave wrote:
> >
> > Hi Andrew,
> >
> > How to get a Realm object so that I can call authenticate()? I am using
> > Database to store username and password. Thanks.
> >
> > Andrew Robinson <[EMAIL PROTECTED]> wrote:
> > I am using the built-in Tomcat DataSourceRealm so that single sign-on is
> > possible. My login is still using a normal JSP instead of JSF, so I can't
> > use JSF components to build my login page. Has anyone integrated the
> > form-based web.xml authentication with a JSF login page?
> >
> >
> > On 10/4/05, Mike Kienenberger <[EMAIL PROTECTED]> wrote:
> > I've switched from a login page to a filter that authenticates and sets
> > the User database record in the session. (Actually, I fetch this
> > record every request, and store it in the request, but that may be too
> > excessive for your situation).
> >
> > I then have additional filters that work on that data to provide
> > coarse-grain security (i.e., if you don't pass the filter, you can't
> > access any of the application).
> >
> > I also have a SecurityRoleManager bean that provides fine-grain
> > control by operating on the record stored in the session. I.e.,
> > "securityRoleManager.canEditDate()"
> >
> > On 10/4/05, Eurig Jones <[EMAIL PROTECTED]> wrote:
> > > I'm trying to decide on a Login/Logout system to protect my files using
> > > JSF.. I've played about with extending NavigationHandler, but the
> > > problem is, it doesn't protect the files which aren't JSF, and you can
> > > still run the JSP files if you wanted to...
> > >
> > > How have you people gone about a database driven login/logout system
> > > using Faces?
> > >
> >
> > --
> >
> > Regards
> >
> > Duncan Mills
> > Senior Principal Product Manager
> > Oracle Application Development Tools
> >
> > [EMAIL PROTECTED]
>

--
hicham ABASSI
[EMAIL PROTECTED]

