Hi, thank you for your examples and links. I think this is exactly the way I will resolve the problem.

Best regards,
Rudi

On 5/16/07, Bernd Bohmann <[EMAIL PROTECTED]> wrote:

Hello Rudi,

take a look at http://svn.apache.org/repos/asf/myfaces/tobago/trunk/contrib/security/

This example uses a different ApplicationFactory that returns a MethodBindingImpl that checks the role of the user. The security package is used in the http://svn.apache.org/repos/asf/myfaces/tobago/trunk/example/addressbook

Regards

Bernd

Rudi Steiner wrote:
> Hi Petr, hi Martin,
>
> I think the right way is to register an action-listener in the
> faces-config and to determine in the method processAction(ActionEvent
> event), if the current user has the role to execute this action.
>
> Has anyone an idea how to implement the role-check, maybe with
> annotations on the method which is going to be called? How can I find
> out from the event-param which method in the backingbean is going to
> be called by this action?
>
> thanks a lot,
> Rudi
>
>
> On 5/15/07, Martin Marinschek <[EMAIL PROTECTED]> wrote:
>> You wouldn't register a phase-listener, you'd rather decorate the
>> action-listener to find a solution to this.
>>
>> faces-config.xml:
>> <application>
>>   <action-listener>your decorator goes here</action-listener>
>> </application>
>>
>> ... the default action listener calls all actions!
>>
>> regards,
>>
>> Martin
>>
>> On 5/15/07, Petr Kotek <[EMAIL PROTECTED]> wrote:
>> > Hi Rudi,
>> >
>> > I am only a beginner in JSF and I don't know if a better way exists to
>> > handle login, but the following code may help you.
>> >
>> > PhaseListener
>> > -------------------------------------------
>> > import java.io.IOException;
>> >
>> > import javax.faces.application.FacesMessage;
>> > import javax.faces.context.ExternalContext;
>> > import javax.faces.context.FacesContext;
>> > import javax.faces.event.PhaseEvent;
>> > import javax.faces.event.PhaseId;
>> > import javax.faces.event.PhaseListener;
>> > import javax.servlet.http.HttpServletRequest;
>> > import javax.servlet.http.HttpServletResponse;
>> >
>> > public class LoginPhaseListener implements PhaseListener {
>> >     private final String LOGIN_SOURCE = "loginButton";
>> >     private final String METHOD_GET = "GET";
>> >     private final String MAIN_PAGE = "main.jsp";
>> >     private final String LOGIN_PAGE = "index.jsp";
>> >
>> >     public LoginPhaseListener() {
>> >     }
>> >
>> >     public PhaseId getPhaseId() {
>> >         return PhaseId.RESTORE_VIEW;
>> >     }
>> >
>> >     public void beforePhase(PhaseEvent phaseEvent) {
>> >     }
>> >
>> >     public void afterPhase(PhaseEvent phaseEvent) {
>> >         FacesContext ctx;
>> >         ExternalContext ex;
>> >         JSFSession session;
>> >         HttpServletRequest hsrq;
>> >         String login;
>> >         String password;
>> >         HttpServletResponse hrsp;
>> >
>> >         ctx = phaseEvent.getFacesContext();
>> >         session = (JSFSession) ctx.getApplication().createValueBinding("#{JSFSession}").getValue(ctx);
>> >         if (!session.isLogged()) {
>> >             ex = ctx.getExternalContext();
>> >             try {
>> >                 hsrq = (HttpServletRequest) ex.getRequest();
>> >                 // If source is loginButton, then try doLogin
>> >                 if (LOGIN_SOURCE.equalsIgnoreCase(hsrq.getParameter("source"))) {
>> >                     // Get info from login page
>> >                     login = hsrq.getParameter("login");
>> >                     password = hsrq.getParameter("password");
>> >                     // Check it
>> >                     if ((login == null) || (password == null)
>> >                             || (login.length() == 0) || (password.length() == 0)) {
>> >                         ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
>> >                                 "Login or Password can't be empty!", null));
>> >                     } else if (session.doLogin(login, password)) {
>> >                         if (METHOD_GET.equalsIgnoreCase(hsrq.getMethod())) {
>> >                             // Special login (for debug app - autologin) from request
>> >                             // parameters (?source=loginButton&login=name&password=psw)
>> >                             // - redirect to main.jsp
>> >                             ex.redirect(MAIN_PAGE);
>> >                         }
>> >                     } else {
>> >                         ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
>> >                                 "Bad Login or Password!", null));
>> >                     }
>> >                 } else if (hsrq.getRequestURI().indexOf(LOGIN_PAGE) < 0) {
>> >                     ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
>> >                             "Session Logged Out or Expired!", null));
>> >                     ex.redirect(LOGIN_PAGE);
>> >                 }
>> >             } catch (Exception e) {
>> >                 e.printStackTrace();
>> >                 ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
>> >                         "Unexpected login error!", e.getMessage()));
>> >                 try {
>> >                     ex.redirect(LOGIN_PAGE);
>> >                 } catch (IOException f) {;}
>> >             }
>> >         }
>> >     }
>> > }
>> > -------------------------------------------
>> > Navigation Handler
>> > -------------------------------------------
>> > import javax.faces.application.NavigationHandler;
>> > import javax.faces.context.FacesContext;
>> >
>> > public class LoginNavigationHandler extends NavigationHandler {
>> >     private final NavigationHandler deflNavHandler; // Original handler
>> >
>> >     public LoginNavigationHandler(NavigationHandler navHandler) {
>> >         super();
>> >         deflNavHandler = navHandler;
>> >     }
>> >
>> >     public void handleNavigation(FacesContext facesContext, String fromAction, String outcome) {
>> >         JSFSession session;
>> >         try {
>> >             session = (JSFSession) facesContext.getApplication()
>> >                     .createValueBinding("#{JSFSession}").getValue(facesContext);
>> >             if (!session.isLogged()) {
>> >                 outcome = "logout";
>> >             }
>> >         } catch (Exception ex) {
>> >             ex.printStackTrace();
>> >         } finally {
>> >             deflNavHandler.handleNavigation(facesContext, fromAction, outcome);
>> >         }
>> >     }
>> > }
>> > -------------------------------------------
>> >
>> >
>> > Where JSFSession is a session bean with boolean .isLogged() and boolean
>> > .doLogin(login, password) methods. Actually I checked login/password
>> > against a database table with valid users.
>> >
>> > Petr
>> >
>> >
>> >
>> > Rudi Steiner wrote:
>> > > Hi Veit,
>> > >
>> > > I don't use spring, so I can't use this mechanism :(
>> > >
>> > > Is there a possibility to get the action to call over the facesContext?
>> > >
>> > > thanks,
>> > > Rudi
>> > >
>> > > On 5/15/07, Walter Oliver (BR/ICI3) <[EMAIL PROTECTED]> wrote:
>> > >> Mrs Nolte will send the first test orders this evening at 16:30.
>> > >>
>> > >> Customers can also already place orders.
>> > >>
>> > >> Regards, Oliver Walter
>> > >>
>> > >> > -----Original Message-----
>> > >> > From: Veit Guna [mailto:[EMAIL PROTECTED]
>> > >> > Sent: Tuesday, 15 May 2007 12:11
>> > >> > To: MyFaces Discussion
>> > >> > Subject: Re: MyFaces and Security
>> > >> >
>> > >> > I didn't follow the whole thread, but isn't acegi (if you use
>> > >> > spring) a solution? I use it to protect specific URLs as
>> > >> > well as method invocations on backing beans. Works fine for
>> > >> > me (but I'm using spring). I must also admit that I'm using
>> > >> > jsf-spring to let spring create the backing beans for me (and
>> > >> > thus let acegi take over security).
>> > >> >
>> > >> > /Veit
>> > >> >
>> > >> >
>> > >> > -------- Original Message --------
>> > >> > Date: Tue, 15 May 2007 12:03:21 +0200
>> > >> > From: "Rudi Steiner" <[EMAIL PROTECTED]>
>> > >> > To: "MyFaces Discussion" <[email protected]>
>> > >> > Subject: Re: MyFaces and Security
>> > >> >
>> > >> > > Hi Cagatay,
>> > >> > >
>> > >> > > thanks for the hint. This is definitely one step in making a jsf-app
>> > >> > > secure.
>> > >> > >
>> > >> > > I would like to increase the security of my app by writing a
>> > >> > > phaselistener, which checks the action the current request is calling
>> > >> > > and makes sure that the current user has the right to call this
>> > >> > > action (example: calling the method deleteUser() in a backingbean).
>> > >> > >
>> > >> > > Could anyone please tell me how I can determine in a phaselistener
>> > >> > > which action is going to be called in the current request?
>> > >> > >
>> > >> > > best regards,
>> > >> > > Rudi
>> > >> > >
>> > >> > > On 5/14/07, Cagatay Civici <[EMAIL PROTECTED]> wrote:
>> > >> > > > Hi,
>> > >> > > >
>> > >> > > > Regarding your concerns about the viewstate at client;
>> > >> > > >
>> > >> > > > http://wiki.apache.org/myfaces/Secure_Your_Application
>> > >> > > >
>> > >> > > > Cagatay
>> > >> > > >
>> > >> > > >
>> > >> > > > On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
>> > >> > > > > Hello,
>> > >> > > > >
>> > >> > > > > I'm in the final state of a project and thinking about which is the
>> > >> > > > > best way to make a myFaces-App secure (authentication, authorization,
>> > >> > > > > ...)
>> > >> > > > >
>> > >> > > > > I'm thinking about the Tomcat built-in mechanism or an alternative
>> > >> > > > > like securityFilter. But thinking about it, I got some questions like,
>> > >> > > > > how about faking the view state on the client side.
>> > >> > > > >
>> > >> > > > > Could it be, that for example a normal user who knows the
>> > >> > > > > application code fakes the viewstate on the client for a page which
>> > >> > > > > has for example some commandbuttons which are rendered for an admin
>> > >> > > > > but are not rendered for a normal user? Has anyone had experience in
>> > >> > > > > this area?
>> > >> > > > >
>> > >> > > > > thanks a lot,
>> > >> > > > > Rudi
>> > >> > > > >
>> > >> > > >
>> > >> > > >
>> > >> >
>> > >>
>> > >
>> >
>>
>> --
>>
>> http://www.irian.at
>>
>> Your JSF powerhouse -
>> JSF Consulting, Development and
>> Courses in English and German
>>
>> Professional Support for Apache MyFaces
>
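The decorating ActionListener that Martin suggests, combined with the annotation-based role check Rudi asks about, as an added example in Java. It is not code from this thread, from Tobago's contrib/security package or from MyFaces: the package name `example.security`, the class `RoleCheckingActionListener`, the `@RequiresRole` annotation and the bean expression `#{userBean.deleteUser}` are assumptions made for illustration. It further assumes container-managed security is set up (for instance a Tomcat realm, as Rudi considers), so that `ExternalContext.isUserInRole()` reflects the logged-in user, and it relies on the JSF convention that a decorator registered in faces-config.xml receives the previously configured listener through a one-argument constructor. The check runs in the Invoke Application phase, on the server, whether or not the command button was ever rendered for this user; that is what closes the faked-view-state case Rudi raises, because a crafted postback still has to pass through this listener before the bean method is called.

```java
package example.security;                       // hypothetical package name

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import javax.faces.application.FacesMessage;
import javax.faces.component.ActionSource;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

/**
 * Decorates the default ActionListener and refuses to invoke a backing-bean
 * action method unless the caller holds the container role named on that method.
 *
 * Registered in faces-config.xml; JSF hands the previously configured
 * (default) listener to the one-argument constructor:
 *   <application>
 *     <action-listener>example.security.RoleCheckingActionListener</action-listener>
 *   </application>
 */
public class RoleCheckingActionListener implements ActionListener {

    /** Marks an action method as restricted to one container role (hypothetical annotation). */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface RequiresRole {
        String value();
    }

    private final ActionListener delegate;

    public RoleCheckingActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        // The component that fired the event carries its action binding, e.g. "#{userBean.deleteUser}".
        String expr = actionExpression(event);
        String role = requiredRole(ctx, expr);
        if (role != null && !ctx.getExternalContext().isUserInRole(role)) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "You are not allowed to perform this action.", null));
            ctx.renderResponse();   // re-render the current view; the bean method is never called
            throw new AbortProcessingException("role '" + role + "' required for " + expr);
        }
        delegate.processAction(event);   // authorised or unrestricted: the default listener invokes it
    }

    /** Expression string of the component's action, or null if the component has no action. */
    private static String actionExpression(ActionEvent event) {
        if (!(event.getComponent() instanceof ActionSource)) {
            return null;
        }
        // getAction() is deprecated in JSF 1.2 in favour of ActionSource2.getActionExpression(),
        // but UICommand still implements it, so this works on both 1.1 and 1.2.
        MethodBinding binding = ((ActionSource) event.getComponent()).getAction();
        return binding == null ? null : binding.getExpressionString();
    }

    /**
     * Resolves the target bean and method by reflection and returns the role its
     * @RequiresRole names, or null when the action is a literal outcome or the
     * method carries no annotation. An expression that cannot be resolved is
     * refused (fail closed) rather than passed on to the default listener.
     */
    static String requiredRole(FacesContext ctx, String expr) {
        if (expr == null || !expr.startsWith("#{") || !expr.endsWith("}")) {
            return null;   // literal outcome such as action="main": no method is invoked
        }
        String body = expr.substring(2, expr.length() - 1);   // "userBean.deleteUser"
        int dot = body.lastIndexOf('.');
        if (dot < 0) {
            throw new AbortProcessingException("not a bean method expression: " + expr);
        }
        String beanName = body.substring(0, dot);
        String methodName = body.substring(dot + 1);
        Object bean = ctx.getApplication().getVariableResolver().resolveVariable(ctx, beanName);
        if (bean == null) {
            throw new AbortProcessingException("cannot resolve bean '" + beanName + "' for " + expr);
        }
        try {
            Method method = bean.getClass().getMethod(methodName);   // action methods take no arguments
            RequiresRole required = method.getAnnotation(RequiresRole.class);
            return required == null ? null : required.value();
        } catch (NoSuchMethodException e) {
            throw new AbortProcessingException("no action method " + methodName + " on " + beanName, e);
        }
    }
}
```

With the listener registered, a backing-bean method is protected by annotating it, for example `@RequiresRole("admin") public String deleteUser()`; methods without the annotation behave exactly as before. Two points worth keeping in mind: the role names must match those declared in web.xml and the container realm, and because the decision is taken from the bean method rather than from what was rendered, hiding a button with `rendered="false"` becomes a usability measure only, not the access control.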

