Hi.
And do you use this with commandButtons like <t:commandButton
visibleOnUserRole="xxxx"/>?
Also, do you control the access to specific apps? I mean, user x can't
access app y?
If I'm not wrong, when you put the user info in UserPrincipal I can use the
enabledOnUserRole and visibleOnUserRole attributes of Tomahawk's role-aware
components, right?
I think you'd better check out ACEGI and read their reference guide. There are too
many peculiarities in all this. With ACEGI you can authenticate users against
various sources: SSO, databases, "remember-me" cookies and so on. The
authenticated principal is integrated into the servlet framework on which JSF is
really based, so you'll be able to use the visibleOnUserRole or enabledOnUserRole
attributes in your webapp code; ACEGI is fully transparent here.
ACEGI can also control access to the backing services for you. For example, you may let
ACEGI check access to every single method.
So, in the first approach, you can be interested in three aspects of security:
authentication, customization of the UI and actual access control. The first
and the last are done by ACEGI just fine; for the second it's usually enough to
use the enabledOnUserRole and visibleOnUserRole attributes. If the case is more
complex, you may also need the enabled and rendered attributes with custom functions,
or even c:if/c:choose constructs in the JSP/Facelets page.
I would really recommend ACEGI if you're into serious security architecture.
Bye.
/lexi
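As an added illustration of the split lexi describes (UI customization via role-aware attributes versus actual access control), here is a JSF backing bean that is not from the thread: it derives a `rendered`/`enabled` value from the authenticated principal's roles through the standard servlet integration, and re-checks the role inside the action method. The bean name `adminBean`, the role name `ROLE_ADMIN` and the action `deleteAll` are assumptions for the example.

```java
// Added example, not code from the thread. Assumes the authentication layer
// (e.g. ACEGI) has populated the servlet principal and its roles, so that
// ExternalContext.isUserInRole() reflects them, exactly as Tomahawk's
// visibleOnUserRole / enabledOnUserRole attributes rely on.
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class AdminBean {

    // Role name is an assumption; it must match what the authentication
    // layer grants to the principal.
    private static final String ADMIN_ROLE = "ROLE_ADMIN";

    // Drives UI customization from the page, for example:
    //   <t:commandButton value="Delete all" action="#{adminBean.deleteAll}"
    //                    rendered="#{adminBean.admin}" />
    // which is equivalent to visibleOnUserRole="ROLE_ADMIN" on the button.
    public boolean isAdmin() {
        ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext();
        return ctx.getUserPrincipal() != null && ctx.isUserInRole(ADMIN_ROLE);
    }

    // Actual access control: the rendered/visibleOnUserRole attribute only
    // decides what the page shows, so the action enforces the rule itself
    // (or delegates to a backing service guarded per method by ACEGI).
    public String deleteAll() {
        if (!isAdmin()) {
            throw new SecurityException("principal is not in role " + ADMIN_ROLE);
        }
        // ... call the backing service here ...
        return "done";
    }
}
```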