If you're already in the Spring game, Acegi seems a reasonable incremental solution.
-- Adam

On 7/10/07, Shane Petroff <[EMAIL PROTECTED]> wrote:
Frank Nimphius wrote:

Usually authorization is enforced on the business service layer and surfaces in the UI. If e.g. a user has a permission, JAAS or container managed, to update an attribute then this could/should be exposed in the UI through expression language, referencing a method on the model that performs the check permission call.

What are the current best practices regarding security and JSF? Am I better off integrating with something like Acegi (since I already use Spring)? Googling the 2 suggests that Acegi integration can be painful, but now that was then... A JAAS based approach seems like it gives one lots of flexibility, but requires more work on the developer's part. What are other people using to provide method level authorization checks?

Shane

Besides this, security needs to be on page navigation, which is something you need to implement in the JSF engine (MyFaces or JSF RI). Have a look at

http://www.orablogs.com/fnimphius/archives/001790.html
http://www.orablogs.com/fnimphius/archives/001836.html

where I created a sample for container managed and JAAS authorization. However, from this little development experience I can say that security in JSF is nothing you implement within an afternoon but requires a well thought through security framework that integrates not only with the UI but also the model for a consistent security enforcement. The easiest way to get started with such an effort is to look at the security design patterns that exist and work your way back to JSF.

Frank

> Hi all,
>
> Can anyone please point me in the right direction as regards methods
> to execute authorisation & authentication to a Trinidad webapp.
> Something along the lines of Java Authentication and Authorization
> Service (JAAS).
>
> We want to implement an authorisation 'front door' as an underlining layer.
>
> Has Trinidad its own implementation? I can't seem to find any
> information in this regards.
>
> Any info' would be appreciated!
>
> Best regards,
> Darren.

-- Frank Nimphius

-- Shane
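
Frank's point about enforcing authorization in the business service and surfacing the same check to the page through expression language, as an added example that is not part of the original thread. It is plain Java with the container's role check replaced by a `Predicate` (in a JSF application, `ExternalContext.isUserInRole` is the container-managed equivalent); the class names, the `customer-editor` role and the sample data are assumptions.

```java
import java.util.Set;
import java.util.function.Predicate;

public class AuthorizationExample {

    /** Business service: the authoritative check lives here, not in the page. */
    static class CustomerService {
        private final Predicate<String> isUserInRole; // stand-in for the container's role check
        private String email = "old@example.test";    // constructed sample data

        CustomerService(Predicate<String> isUserInRole) {
            this.isUserInRole = isUserInRole;
        }

        boolean canUpdateEmail() {
            return isUserInRole.test("customer-editor"); // hypothetical role name
        }

        void updateEmail(String newEmail) {
            // Enforced on every call, even if the UI never rendered the input.
            if (!canUpdateEmail()) {
                throw new SecurityException("caller may not update email");
            }
            this.email = newEmail;
        }

        String getEmail() { return email; }
    }

    /** Model/backing bean: exposes the same check as a property for EL,
     *  e.g. disabled="#{customerBean.emailReadOnly}" on the input component. */
    static class CustomerBean {
        private final CustomerService service;
        CustomerBean(CustomerService service) { this.service = service; }
        public boolean isEmailReadOnly() { return !service.canUpdateEmail(); }
        public String getEmail() { return service.getEmail(); }
        public void setEmail(String email) { service.updateEmail(email); }
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("viewer"); // constructed: caller lacks the editor role
        CustomerBean bean = new CustomerBean(new CustomerService(roles::contains));
        System.out.println("emailReadOnly = " + bean.isEmailReadOnly());
        try {
            bean.setEmail("new@example.test"); // a submit that ignores the disabled field
        } catch (SecurityException e) {
            System.out.println("service refused: " + e.getMessage());
        }
    }
}
```

The EL-bound property only controls what the page shows; the `SecurityException` path is what keeps the update from happening when the UI state is ignored.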

