|
Yes protecting views by role in the same way that Struts can assign
roles to an Action is next on the list - I just have to think about the
best way to do this and co-exist with any custom viewhandler impls and
a reasonable format for the additional metadata required. Duncan Martin Marinschek wrote: This is a very interesting project - will need to check it out for my next web-app ;)Will you also restrict delivering a view based on the user role? This is the third layer of security restrictions necessary in JSF... regards, Martin On 10/6/05, Duncan Mills <[EMAIL PROTECTED]> wrote:Right - the nice thing about the jsf-security EL extensions is that they don't have to be driven from Container Security you can plug in pretty much any home grown concept of a login page to authenticate and then your own auth mechanism as well. For instance if you take the approach of using a "userInfo" bean on the session which is generated by your own login process then it's trivial to hook that up into the EL interface I guess the next phase of js-security where we're going to start protecting navigation targets based on role will be of interest to you was well Duncan Dave wrote: This is great! I posted a message before about how to login without any protected page. I looked at authenticator package where there is FormAuthenticator. I like to do similar, but without a protected page. User can click a login link and register all necessary info with session after successful authentication, and stay in the same page. The page will render differently depending on roles. It was suggested to have a dummy protected page that will redirect to current page. The problem is that the current page is stateful using <saveState>, and the data will not be available by redirecting from the dummy protected page. I looked the source code of servlet authenticator package. But have not figured out how to the realm object to call authenticate(....). Any help is appreciated. Thanks. Dave Duncan Mills <[EMAIL PROTECTED]> wrote: Several Points here 1) Using Security Attributes within your pages. I'm about to release 1.0 of the jsf-security project on SourceForge (www.sourceforge.net/projects/jsf-security) this provides extensions to EL which will give you a new scope #{securityScope} and a bunch of attributes and pseudo functions such as #{securityScope.isUserInRole['manager,admin']} which allow you to use expressions to control rendering and read-only states of components - even if they are not "role" enabled in the way that the myfaces components are. jsf-security is fully pluggable and so if you use Acegi or a home grown Authorization / Authentication mechanism you can plug it in underneath the same consistent EL. The current version hooks into Container Security, and we've j ust started a JAAS adapter as well. If anyone wants to get involved - particularly of you use Acegi today get in touch. For more info on this see this blog entry: and the project on SF. You can pull the source from CVS today and build - it all works I just need to write the doc and the localize the message strings... 2) Using the database to Authenticate / Authorize Your mileage will vary from container to container, but with OC4J (& Oracle App server) you can plus in your own custom login modules that can do just this - Frank and I who work on the jsf-security project just posted a paper on that process a few weeks back: Declarative J2EE authentication and authorization with JAAS Duncan Dave wrote: hi Andrew, How to get a Realm object so that I can call authenticate()? I am using Database to store username and password. Thanks. Andrew robinson <[EMAIL PROTECTED]> wrote: I am using the built in Tomcat DataSourceRealm so that single sign-on is possible. My login is still using a normal JSP instead of JSF, so I can't use JSF components to build my login page. Has anyone integrated the form-base web.xml authentication with a JSF login page? On 10/4/05, Mike Kienenberger <[EMAIL PROTECTED] > wrote: I've switch from a login page to a filter that authenticates and sets the User database record in the session. (Actually, I fetch this record every request, and store it in the request, but that may be too excessive for your situation). I then have additional filters that work on that data to provide coarse-grain security (ie, if you don't pass the filter, you can't access any of the application). I also have a SecurityRoleManager bean that provides fine-grain control by operating on the record stored in the session. Ie, "securityRoleManager.canEditDate()" On 10/4/05, Eurig Jones <[EMAIL PROTECTED]> wrote: > I'm trying to decide on a Login/Logout system to protect my files using > JSF.. I've played about with extending NavigationHandler, but the > problem is, it doesn't protect the files which aren't JSF, a nd you can > still run the JSP files if you wanted to... > > How have you people gone about a database driven login/logout system > using Faces? > Yahoo! for Good Click here to donate to the Hurricane Katrina relief effort. -- Regards Duncan Mills Senior Principal Product Manager Oracle Application Development Tools [EMAIL PROTECTED] Yahoo! for Good Click here to donate to the Hurricane Katrina relief effort. -- Regards Duncan Mills Senior Principal Product Manager Oracle Application Development Tools [EMAIL PROTECTED]-- http://www.irian.at Your JSF powerhouse - JSF Trainings in English and German |
- Re: Login system security Duncan Mills
- Re: Login system security Martin Marinschek
