Frank Nimphius wrote:
Usually authorization is enforced on the business service layer and
surfaces in the UI. If e.g. a user has a permission, JAAS or container
managed, to update an attribute then this could/should be exposed in
the UI through expression language, referencing a method on the model
that performs the check permission call.
What are the current best practices regarding security and JSF? Am I
better off integrating with something like Acegi (since I already use
Spring)? Googling the 2 suggests that Acegi integration can be painful,
but now that was then... A JAAS based approach seems like it gives one
lots of flexibility, but requires more work on the developers part. What
are other people using to provide method level authorization checks?
Shane
Beside of this, security needs to be on page navigation, which is
something you need to implement in the JSF engine (MyFaces or JSF RI).
Have a look at
http://www.orablogs.com/fnimphius/archives/001790.html
http://www.orablogs.com/fnimphius/archives/001836.html
where I created a sample for container managed and JAAS authorization.
However, from this little development experience I can say that
security in JSF is nothing you implement within an afternoon but
requires a well thought through security framework that integrates not
only with the UI but also the model fro a consistent security
enforcement. The easiest way to get started with such an effort is to
look at the security design patterns that exist and work your way back
to JSF-
Frank
Hi all,
Can anyone please point me in the right direction as regards methods
to execute authorisation & authentication to a Trinidad webapp.
Something along the lines of Java Authentication and Authorization
Service (JAAS).
We want to implement an authorisation 'front door' as an
underlining layer.
Has Trinidad its own implementation? I can't seem to find any
information in this regards.
Any info' would be appreciated!
Best regards,
Darren.
P Please consider the environment before printing this email
_________________________________________________________
1. The information contained in this E-mail, including any files
transmitted with it, is confidential and may be legally privileged.
This E-mail is intended only for the personal attention of the stated
addressee(s). Any access to this E-mail, including any files
transmitted with it, by any other person is unauthorised. If you are
not an addressee, you must not disclose, copy, circulate or in any
other way use or rely on the information contained in this E-mail or
any files transmitted with it. Such unauthorised use may be unlawful.
If you have received this E-mail in error, please inform the sender
immediately and delete it and all copies from your system. You may not
forward this E-mail without the permission of the sender.
2. The views expressed in this E-mail are those of the author, and do
not necessarily represent the views of AMT-SYBEX. Internet
communications are not secure and AMT-SYBEX cannot, therefore, accept
legal responsibility for the contents of this message nor for any
damage caused by viruses.
AMT-SYBEX Limited is a UK company, registration number GB03036807 at
address The Spirella Building, Bridge Road, Letchworth, SG6 4ET.
AMT-SYBEX (NI) Limited is a UK company, registration number NI024104
at address Edgewater Office Park, Edgewater Rd, Belfast, BT3 9JQ.
For more information on the AMT-SYBEX Group visit
http://www.amt-sybex.com
_________________________________________________________
--
Frank Nimphius
--
Shane
