Hi,

The way to do this might be:

public class ActionListenerImpl implements ActionListener
{
   public void processAction(ActionEvent actionEvent) throws AbortProcessingException
   {
       FacesContext facesContext = FacesContext.getCurrentInstance();
       Application application = facesContext.getApplication();

       ActionSource actionSource = (ActionSource) actionEvent.getComponent();
       MethodBinding methodBinding = actionSource.getAction();

       // getMethod() does not exist on MethodBinding (see below); it stands
       // for "resolve the java.lang.reflect.Method behind the binding"
       Method method = methodBinding.getMethod();
       if (method.isAnnotationPresent(Secure.class)) {
           // more checks, and if the user has the role, call methodBinding.invoke(...)
       }
   }
}

And use it like:

@Secure(ifGranted="admin")
public String secureAction() {
..
}

Unfortunately, the MethodBinding API does not reveal the method it's wrapping,
so maybe using getExpressionString() it'd be possible to reach the method
instance. But it'd be ugly.

Cagatay
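A decorating listener along the lines Cagatay sketches and Martin recommends, as an added example (not code from this thread or from MyFaces): it resolves the bean from the MethodBinding's expression string, reflects on the action method for @Secure, checks the role through the container's isUserInRole, and otherwise hands the event to the listener it wraps, so the actions in the JSP keep being called (Rudi's question quoted below). The constructor injection of the previous listener is an assumption (JSF 1.2-style decoration); the class name and the fail-closed handling of unresolvable actions are illustrative.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.faces.application.FacesMessage;
import javax.faces.component.ActionSource;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

/** Marks a backing-bean action that only users in the given role may invoke. */
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface Secure { String ifGranted(); }

public class SecureActionListener implements ActionListener {
    private final ActionListener delegate; // the listener being replaced (assumed injected by the runtime)

    public SecureActionListener(ActionListener delegate) { this.delegate = delegate; }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        MethodBinding action = ((ActionSource) event.getComponent()).getAction();
        Secure secure = action == null ? null : findSecure(ctx, action.getExpressionString());
        if (secure != null && !ctx.getExternalContext().isUserInRole(secure.ifGranted())) {
            // Server-side decision: holds even when a button never rendered for this user is submitted
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Not authorized", null));
            ctx.renderResponse();
            throw new AbortProcessingException("role " + secure.ifGranted() + " required");
        }
        delegate.processAction(event); // default behaviour: invoke the action, then navigate
    }

    /** Resolves "#{bean.method}" to its java.lang.reflect.Method and returns its @Secure, if any. */
    static Secure findSecure(FacesContext ctx, String expr) throws AbortProcessingException {
        if (expr == null || !expr.startsWith("#{") || !expr.endsWith("}")) return null; // literal outcome
        String body = expr.substring(2, expr.length() - 1);
        int dot = body.lastIndexOf('.');
        if (dot < 0) return null;
        Object bean = ctx.getApplication().createValueBinding("#{" + body.substring(0, dot) + "}").getValue(ctx);
        if (bean == null) throw new AbortProcessingException("no bean for " + expr); // fail closed
        try {
            return bean.getClass().getMethod(body.substring(dot + 1)).getAnnotation(Secure.class);
        } catch (NoSuchMethodException e) {
            throw new AbortProcessingException("cannot resolve " + expr, e); // fail closed
        }
    }
}
```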

On 5/16/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:

Hi,

I found out that when configuring an action-listener in the faces-config,
the action defined in the action attribute of a commandButton is not
called anymore. Does this mean that configuring an action-listener in
the faces-config makes it the one and only action listener for all
actions, and the actions defined in the attributes of the tags in the
JSP page are ignored?

Best regards,
Rudi

On 5/16/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
> Hi Petr, hi Martin,
>
> I think the right way is to register an action-listener in the
> faces-config and to determine in the method processAction(ActionEvent
> event) whether the current user has the role to execute this action.
>
> Does anyone have an idea how to implement the role check, maybe with
> annotations on the method which is going to be called? How can I find
> out from the event parameter which method in the backing bean is going
> to be called by this action?
>
> thanks a lot,
> Rudi
>
>
> On 5/15/07, Martin Marinschek <[EMAIL PROTECTED]> wrote:
> > You wouldn't register a phase-listener, you'd rather decorate the
> > action-listener to find a solution to this.
> >
> > faces-config.xml:
> > <application>
> >   <action-listener>your decorator goes here</action-listener>
> > </application>
> >
> > ... the default-action listener calls all actions!
> >
> > regards,
> >
> > Martin
> >
> > On 5/15/07, Petr Kotek <[EMAIL PROTECTED]> wrote:
> > > Hi Rudi,
> > >
> > > I am only a beginner in JSF and I don't know if a better way exists to
> > > handle login, but the following code may help you.
> > >
> > > PhaseListener
> > > -------------------------------------------
> > > public class LoginPhaseListener implements PhaseListener {
> > >   private final String LOGIN_SOURCE = "loginButton";
> > >   private final String METHOD_GET = "GET";
> > >   private final String MAIN_PAGE = "main.jsp";
> > >   private final String LOGIN_PAGE = "index.jsp";
> > >
> > >   public LoginPhaseListener() {
> > >   }
> > >
> > >   public PhaseId getPhaseId() {
> > >     return PhaseId.RESTORE_VIEW;
> > >   }
> > >
> > >   public void beforePhase(PhaseEvent phaseEvent) {
> > >   }
> > >
> > >   public void afterPhase(PhaseEvent phaseEvent) {
> > >     FacesContext    ctx;
> > >     ExternalContext ex;
> > >     JSFSession session;
> > >     HttpServletRequest hsrq;
> > >     String login;
> > >     String password;
> > >     HttpServletResponse hrsp;
> > >
> > >     ctx = phaseEvent.getFacesContext();
> > >     session = (JSFSession) ctx.getApplication()
> > >         .createValueBinding("#{JSFSession}").getValue(ctx);
> > >     if (!session.isLogged()) {
> > >       ex = ctx.getExternalContext();
> > >       try {
> > >         hsrq = (HttpServletRequest)ex.getRequest();
> > >         // If source is loginButton, then try doLogin
> > >         if (LOGIN_SOURCE.equalsIgnoreCase(hsrq.getParameter("source"))) {
> > >           // Get ifo from login page
> > >           login = hsrq.getParameter("login");
> > >           password = hsrq.getParameter("password");
> > >           // Check it
> > >           if ((login == null) || (password == null)
> > >               || (login.length() == 0) || (password.length() == 0)) {
> > >             ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
> > >                 "Login or Password can't be empty!", null));
> > >           } else if (session.doLogin(login, password)) {
> > >             if (METHOD_GET.equalsIgnoreCase(hsrq.getMethod())) {
> > >               // Special login (for debug app - autologin) from request
> > >               // parameters (?source=loginButton&login=name&password=psw)
> > >               // - redirect to main.jsp
> > >               ex.redirect(MAIN_PAGE);
> > >             }
> > >           } else {
> > >             ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
> > >                 "Bad Login or Password!", null));
> > >           }
> > >         } else if (hsrq.getRequestURI().indexOf(LOGIN_PAGE) < 0) {
> > >           ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
> > >               "Session Logged Out or Expired!", null));
> > >           ex.redirect(LOGIN_PAGE);
> > >         }
> > >       } catch (Exception e) {
> > >         e.printStackTrace();
> > >         ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
> > >             "Unexpected login error!", e.getMessage()));
> > >         try {
> > >           ex.redirect(LOGIN_PAGE);
> > >         } catch (IOException f) {;}
> > >       }
> > >     }
> > >   }
> > > }
> > > -------------------------------------------
> > > Navigation Handler
> > > -------------------------------------------
> > > public class LoginNavigationHandler extends NavigationHandler {
> > >   private final NavigationHandler deflNavHandler;   // Original handler
> > >
> > >   public LoginNavigationHandler(NavigationHandler navHandler) {
> > >     super();
> > >     deflNavHandler = navHandler;
> > >   }
> > >
> > >   public void handleNavigation(FacesContext facesContext, String
> > > fromAction, String outcome) {
> > >     JSFSession session;
> > >     try  {
> > >       session = (JSFSession) facesContext.getApplication()
> > >           .createValueBinding("#{JSFSession}").getValue(facesContext);
> > >       if (!session.isLogged())  {
> > >         outcome = "logout";
> > >       }
> > >     } catch (Exception ex)  {
> > >       ex.printStackTrace();
> > >     } finally  {
> > >       deflNavHandler.handleNavigation(facesContext, fromAction, outcome);
> > >     }
> > >   }
> > > }
> > > -------------------------------------------
> > >
> > >
> > > Where JSFSession is a session bean with boolean .isLogged() and boolean
> > > .doLogin(login, password) methods. Actually I checked login/password
> > > against a database table with valid users.
> > >
> > > Petr
> > >
> > >
> > >
> > > Rudi Steiner wrote:
> > > > Hi Veit,
> > > >
> > > > I don't use spring, so I can't use this mechanism :(
> > > >
> > > > Is there a possibility to get the action to call over the facesContext?
> > > >
> > > > thanks,
> > > > Rudi
> > > >
> > > > On 5/15/07, Walter Oliver (BR/ICI3) <[EMAIL PROTECTED]> wrote:
> > > >> Ms. Nolte will send the first test orders this evening at 16:30.
> > > >>
> > > >> Customers can also already place orders.
> > > >>
> > > >> Regards, Oliver Walter
> > > >>
> > > >> > -----Original Message-----
> > > >> > From: Veit Guna [mailto:[EMAIL PROTECTED]
> > > >> > Sent: Tuesday, 15 May 2007 12:11
> > > >> > To: MyFaces Discussion
> > > >> > Subject: Re: MyFaces and Security
> > > >> >
> > > >> > I didn't follow the whole thread, but isn't acegi (if you use
> > > >> > spring) a solution? I use it to protect specific URLs as
> > > >> > well as method invocations on backing beans. Works fine for
> > > >> > me (but I'm using spring). I must also admit that I'm using
> > > >> > jsf-spring to let spring create the backing beans for me (and
> > > >> > thus let acegi take over security).
> > > >> >
> > > >> > /Veit
> > > >> >
> > > >> >
> > > >> > -------- Original Message --------
> > > >> > Date: Tue, 15 May 2007 12:03:21 +0200
> > > >> > From: "Rudi Steiner" <[EMAIL PROTECTED]>
> > > >> > To: "MyFaces Discussion" <[email protected]>
> > > >> > Subject: Re: MyFaces and Security
> > > >> >
> > > >> > > Hi Cagatay,
> > > >> > >
> > > >> > > thanks for the hint. This is definitely one step in making a
> > > >> > > JSF app secure.
> > > >> > >
> > > >> > > I would like to increase the security of my app by writing a
> > > >> > > phaselistener which checks the action the current request is
> > > >> > > calling and makes sure that the current user has the right to
> > > >> > > call this action (for example calling the method deleteUser() in
> > > >> > > a backing bean).
> > > >> > >
> > > >> > > Could anyone please tell me how I can determine in a
> > > >> > > phaselistener which action is going to be called in the current
> > > >> > > request?
> > > >> > >
> > > >> > > best regards,
> > > >> > > Rudi
> > > >> > >
> > > >> > > On 5/14/07, Cagatay Civici <[EMAIL PROTECTED]> wrote:
> > > >> > > > Hi,
> > > >> > > >
> > > >> > > >  Regarding your concerns about the viewstate at client;
> > > >> > > >
> > > >> > > >  http://wiki.apache.org/myfaces/Secure_Your_Application
> > > >> > > >
> > > >> > > >  Cagatay
> > > >> > > >
> > > >> > > >
> > > >> > > > On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
> > > >> > > > > Hello,
> > > >> > > > >
> > > >> > > > > I'm in the final stage of a project and thinking about which
> > > >> > > > > is the best way to make a MyFaces app secure (authentication,
> > > >> > > > > authorization, ...)
> > > >> > > > >
> > > >> > > > > I'm thinking about the Tomcat built-in mechanism or an
> > > >> > > > > alternative like securityFilter. But thinking about it, I got
> > > >> > > > > some questions, like how about faking the view state on the
> > > >> > > > > client side.
> > > >> > > > >
> > > >> > > > > Could it be that, for example, a normal user who knows the
> > > >> > > > > application code fakes the view state on the client for a page
> > > >> > > > > which has for example some commandButtons which are rendered
> > > >> > > > > for an admin but are not rendered for a normal user? Has
> > > >> > > > > anyone experience in this area?
> > > >> > > > >
> > > >> > > > > thanks a lot,
> > > >> > > > > Rudi
> > > >> > > > >
> > > >> > > >
> > > >> > > >
> > > >> >
> > > >> >
> > > >>
> > > >
> > >
> >
> >
> > --
> >
> > http://www.irian.at
> >
> > Your JSF powerhouse -
> > JSF Consulting, Development and
> > Courses in English and German
> >
> > Professional Support for Apache MyFaces
> >
>
