We use a PhaseListener to manage security. We listen to the RENDER_RESPONSE phase. We get the viewId from:

    FacesContext.getCurrentInstance().getViewRoot().getViewId();

Based on any kind of rules (the path of the viewId, the complete page...) and the current user (we usually have a session bean with the information) we can keep the viewId or change it to a default. I don't know if this is a good solution, but it works well and I can't imagine a way to bypass it.

We also use the PhaseListener to redirect when the page is incorrect (example: if the user goes to 'Edit' when a bean/property is null or empty, redirect to the 'Table' to select the correct entity with an action/actionListener).

Does anyone else use a PhaseListener for security? What do you think about this approach?

El jue, 19-04-2007 a las 10:10 +0200, Zohner, Michael escribió:
> Hi,
>
> I am trying to protect several pages in our jsf application (myFaces,
> facelets, richfaces).
>
> We have a security server where our users have specific roles.
>
> Its an https application.
>
> This is in my web.xml:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>SSL Rule Pages</web-resource-name>
>     <description />
>     <url-pattern>/rule/ruleList.xhtml</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>PUT</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description />
>     <role-name>RDSstaticdatarulesrw</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
> It has no effect.
>
> When I write <url-pattern>/rule/*</url-pattern> instead of
> <url-pattern>/rule/ruleList.xhtml</url-pattern>, I cannot see ANY pages.
> Also not the pages which are NOT in directory "rule".
>
> So, HOW can I get this working ?
>
> The best would be to protect whole dirs and single pages.
>
> Best regards
> Michael

-- 
Josué Alcalde González
[EMAIL PROTECTED]
Dpto. Desarrollo
CSA - Centro Regional de Servicios Avanzados
C/ López Bravo, 1 Pol. Ind. Villalonquéjar (Burgos)
Tel. (+34) 947 256 250  Fax. (+34) 947 256 583
Web: http://www.csa.es
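For readers following the thread, here is an added example (not the poster's code) of the PhaseListener approach described above, applied to the /rule/ pages and role name from Michael's web.xml. The default view path, the class name and the path-prefix rule are assumptions; the role check uses the container's isUserInRole(), so it only works where the web.xml login-config already authenticates the user.

```java
import javax.faces.application.ViewHandler;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

/**
 * Illustrative view-level authorization listener (example code, not from
 * the thread). Runs before RENDER_RESPONSE; if the current user may not see
 * the requested view, the view root is swapped for a default page so the
 * protected page is never rendered.
 */
public class ViewAuthorizationPhaseListener implements PhaseListener {

    // Assumed path of a harmless fallback page in this application.
    private static final String DEFAULT_VIEW = "/accessDenied.xhtml";

    public PhaseId getPhaseId() {
        return PhaseId.RENDER_RESPONSE;
    }

    public void beforePhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        UIViewRoot root = ctx.getViewRoot();
        if (root == null) {
            return;                       // nothing to render, nothing to guard
        }
        String viewId = root.getViewId();
        if (!isAllowed(ctx, viewId)) {
            // Build the fallback view and make it the one that gets rendered.
            ViewHandler vh = ctx.getApplication().getViewHandler();
            UIViewRoot denied = vh.createView(ctx, DEFAULT_VIEW);
            ctx.setViewRoot(denied);
        }
    }

    public void afterPhase(PhaseEvent event) {
        // No work after rendering.
    }

    /** Rule: every view under /rule/ requires the rw role from web.xml. */
    private boolean isAllowed(FacesContext ctx, String viewId) {
        if (viewId != null && viewId.startsWith("/rule/")) {
            return ctx.getExternalContext().isUserInRole("RDSstaticdatarulesrw");
        }
        return true;                      // all other views are unrestricted
    }
}
```

Register it in faces-config.xml under <lifecycle><phase-listener>; note that it only sees requests that reach the JSF lifecycle, so static resources and non-Faces servlets still need the container's security-constraint, and if you prefer the browser to land on a different URL, call getExternalContext().redirect(...) followed by ctx.responseComplete() instead of swapping the view root.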

