Sorry, forgot about the MyFaces wiki...
Just found the page about "Access FacesContext from Servlet"
http://wiki.apache.org/myfaces/AccessFacesContextFromServlet
Patrick Dreyer schrieb:
Hi Jan
Don't do authentication/authorization through a ViewHandler, use a servlet
filter instead.
Citation from JavaWorld
(http://www.javaworld.com/javaworld/jw-07-2004/jw-0719-jsf.html):
* Use a base backing bean: This solution is simple. However, it ties the
backing beans to a specific inheritance hierarchy.
* Use a JSF ViewHandler decorator: This way, the security logic is tightly
coupled with a specific Web tier technology.
* Use a servlet filter: A JSF application is no different from other Java-based Web applications. It makes a filter the best place > to handle authentication checking. This way, the authentication logic is decoupled from the Web application.
Additionally, by using a ServletFilter the configuration keeps in web.xml and
it's a snap to force SSL for example.
There is an interesting article about page authorization in JSF on
http://jdj.sys-con.com/read/250254.htm
We generally put secured page in different directories (user role dependent) and close the whole directory with a security constraint.
I'm pretty sure, you'd like to store authentication/authorization information in a JSF backing
bean, thus you'll ask yourself: "How to access backing beans in a servlet filter?" A
quick google search ("access jsf backing bean from servlet filter") showed up a very good
hit at the first place (http://www.thoughtsabout.net/blog/archives/000033.html).
Patrick
janw schrieb:
Hello,
I'd like to use a ViewHandler for authorization.
I use tiles, so I have already a Viewhandler defined in my application
(JspTilesViewHandlerImpl).
How can I integrate these two view-handlers? I think I cannot define a
second view-handler.
I know there are frameworks like SecurityFilter, Acegi, but I need only a
very simple auth mechanism.
Regards,
Jan
