Andrew,
I was curious to see what you ended up using. I saw some comments
previously, and in the mail archives, that made me think you were trying
the phase listener approach. (See [1] and [2]) If so, how did that end
up for you? What prompted you to move to a servlet filter instead? Did
you run into any major issues?
[1] http://www.nabble.com/NavigationHandler-%2B-Security-tf2081383.html#a5745371
[2] http://www.nabble.com/obtaining-%22real%22-url-after-navigation-rules-tf692306.html#a1827241
Regards,
Jeff Bischoff
Kenneth L Kurz & Associates, Inc.
Andrew Robinson wrote:
For my company, I wrote our own custom servlet filter for security. We
did not want to introduce Spring into the framework so that ruled out
acegi. Container managed security in J2EE is a horrible specification
and does not fit well with JSF at all (not enough ways to customize it
and it only works on URLs, not view IDs).
I'd like to see Sun address security for J2EE that is JDK 1.5 enhanced
(annotation support in JSF backing beans for example) and is designed
for JSF compatibility.
On 11/3/06, Jeff Bischoff <[EMAIL PROTECTED]> wrote:
Greetings Colleagues,
I have often wondered what the majority of you are using for
authentication and authorization in your non-public websites. Over the
last year on this mailing list, I have seen bits and scraps of
discussion on this topic. Most often, I hear mention of solutions like
container-managed security and phase listeners. Sometimes custom
navigation-handlers or servlet filters get mentioned too. Can't say I've
quite seen evidence of any consensus on which of these is preferred, so
I'm interested to hear your thoughts.
I have come across this article [1] which offers an approach (and some
source code) to authorization in JSF. What are your opinions on this
approach? Would you consider this and similar approaches to be best
practice? What other alternatives can you recommend (from experience)?
I will post my specific requirements for my security search as a reply
to this post, so as not to narrow the overall discussion.
[1] http://java.sys-con.com/read/250254_1.htm
Regards,
Jeff Bischoff
Kenneth L Kurz & Associates, Inc.