This was already answered on this mailing list under "Authorization via 
view-handler", but for your convenience I put it below.

Best practice for doing authentication/authorization is through a servlet 
filter.
Citation from JavaWorld 
(http://www.javaworld.com/javaworld/jw-07-2004/jw-0719-jsf.html):

* Use a base backing bean: This solution is simple. However, it ties the 
backing beans to a specific inheritance hierarchy.
* Use a JSF ViewHandler decorator: This way, the security logic is tightly 
coupled with a specific Web tier technology.
* Use a servlet filter: A JSF application is no different from other Java-based 
Web applications. It makes a filter the best place
to handle authentication checking. This way, the authentication logic is decoupled from the Web application.

Additionally, by using a ServletFilter the configuration stays in web.xml and 
it's a snap to force SSL, for example.

There is an interesting article about page authorization in JSF on 
http://jdj.sys-con.com/read/250254.htm

We generally put secured pages in different directories (user role dependent) and close the whole directory with a security constraint.
I'm pretty sure you'd like to store authentication/authorization information in a JSF backing 
bean, thus you'll ask yourself: "How to access backing beans in a servlet filter?" A 
quick Google search ("access jsf backing bean from servlet filter") turned up a very good 
hit in first place (http://www.thoughtsabout.net/blog/archives/000033.html)

[EMAIL PROTECTED] wrote:

Patrick

Hello

Is there a good solution for a login check mechanism? Some pages may be called only if the user has logged in. My idea is, if the user presses the link, a login page is shown. After a successful link the user context is forwarded to the link page.
Does anyone have an example of such a feature?

Thanks
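
Added example, not part of the original thread or of the linked articles: a minimal servlet filter for the login check discussed above, which sends unauthenticated requests to a login page and remembers the requested page for after login. The class name, the session attribute names `authenticatedUser` and `loginTarget`, the `/login.jsf` page and the `/secure/*` mapping are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter; map it to the secured directory (e.g. /secure/*) in web.xml. */
public class LoginCheckFilter implements Filter {
    // Assumed names, not taken from the thread.
    static final String USER_ATTR = "authenticatedUser";
    static final String TARGET_ATTR = "loginTarget";
    static final String LOGIN_PAGE = "/login.jsf";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Look up the session without creating one for anonymous visitors.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            // Keep secured pages out of browser and proxy caches.
            response.setHeader("Cache-Control", "no-store");
            chain.doFilter(req, res);
            return;
        }

        // Remember only the context-relative path of a GET request. A full URL
        // or a client-supplied "return to" parameter could become an open redirect.
        if ("GET".equals(request.getMethod())) {
            String ctx = request.getContextPath();
            String target = request.getRequestURI().substring(ctx.length());
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            request.getSession(true).setAttribute(TARGET_ATTR, target);
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }
}
```

After verifying credentials, the login code would set `authenticatedUser`, read and remove `loginTarget`, and redirect to the context path plus that value. The login page itself must sit outside the filtered directory, otherwise the redirect loops.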
