I didn't follow the whole thread, but isn't acegi (if you use spring) a solution? I use it to protect specific URLs as well as method invocations on backing beans. Works fine for me (but I'm using spring). I must also admit that I'm using jsf-spring to let spring create the backing beans for me (and thus let acegi take over security).

/Veit

-------- Original Message --------
Date: Tue, 15 May 2007 12:03:21 +0200
From: "Rudi Steiner" <[EMAIL PROTECTED]>
To: "MyFaces Discussion" <[email protected]>
Subject: Re: MyFaces and Security

> Hi Cagatay,
>
> thanks for the hint. This is definitely one step in making a jsf-app
> secure.
>
> I would like to increase the security of my app by writing a
> phaselistener, which checks the action the current request is calling
> and makes sure, that the current user has the right to call this
> action (example calling the method deleteUser() in a backingbean).
>
> Could anyone please tell me, how I can determine in a phaselistener
> which action is going to be called in the current request?
>
> best regards,
> Rudi
>
> On 5/14/07, Cagatay Civici <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Regarding your concerns about the viewstate at client;
> >
> > http://wiki.apache.org/myfaces/Secure_Your_Application
> >
> > Cagatay
> >
> >
> > On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
> > > Hello,
> > >
> > > I'm in the final state of a project and thinking about, which is the
> > > best way to make a myFaces-App secure (authentication, authorization,
> > > ...)
> > >
> > > I'm thinking about the Tomcat built-in mechanism or an alternative
> > > like securityFilter. But thinking about it, I got some questions like,
> > > how about to fake the view state on the client side.
> > >
> > > Could it be, that for example a normal user who knows the
> > > applicationcode, fakes the viewstate on the client for a page which
> > > has for example some commandbuttons which are rendered for an admin
> > > but are not rendered for a normal user? Has anyone made experiences in
> > > this area?
> > >
> > > thanks a lot,
> > > Rudi

