JSF Security - PowerPoint PPT Presentation

About This Presentation
Title:

JSF Security


Slides: 15
Provided by: duncan47

Transcript and Presenter's Notes

Title: JSF Security


1
JAVAWUG Presentations Birds of Feather XV Friday,
3rd January 2006
javawug.com
2
JSF Security Quickie Problems and Solutions
Duncan Mills, J2EE Evangelist, Oracle Corp
3
Issues with Container Security
  • No redirect, no protection
  • JSF screens don't make great login pages
  • Certainly don't mix logon and content
  • Filters not activated, which rules out some components
  • No simple recognition of security in the component
    spec
  • Exception: MyFaces core components have a "role"
    attr

4
Tackling The Issues
  • Don't try and build a custom login form in JSF
  • (Could use <f:verbatim> <form>)
  • Better to use JSP / HTML
  • How do I get at security information?
  • Container does not expose the info in a useful
    way (e.g. through EL)
  • Create a managed bean
  • Expose getRemoteUser() as an attribute
  • Expose isUserInRole() through a fake HashMap

5
One Approach
  • Saw this today
  • acegi-jsf Components:
    http://www.jroller.com/page/cagataycivici?entry=acegi_jsf_components_hit_the
    http://sourceforge.net/projects/jsf-comp/
  • Not the correct approach!
  • Security is metadata, not UI

    <acegijsf:authorize ifAllGranted="ROLE_SUPERVISOR,ROLE_ADMIN">
      <h:outputText ... />
    </acegijsf:authorize>
6
Introducing the jsf-security project
  • A better way?
  • www.sourceforge.net/projects/jsf-security
  • Provides an extension to JSF EL for security
    purposes
  • Plugs into the standard EL extension point
  • Implementation independent
  • Pluggable architecture; can use (or is planned to):
    J2EE container security, JAAS, flat file for
    testing
  • Other possibles: Acegi?

7
jsf-security
  • Introduces a new EL scope: securityScope
  • Attributes:
    securityScope.securityEnabled
    securityScope.remoteUser
    securityScope.authType
    securityScope.userInRole['role1,role2,...']
    securityScope.userInAllRoles['role1,role2,...']

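The following is an added example, not code from the slides or from the jsf-security project: a hand-rolled managed bean that does what slide 4 describes (expose getRemoteUser() as an attribute and isUserInRole() through a "fake HashMap") while mirroring the attribute names of slide 7's securityScope, so the same page expressions work against container security with no extra library. The bean name securityInfo, the class name and the request scope are assumptions; the any-of versus all-of semantics for a comma-separated role list are my reading of userInRole versus userInAllRoles.

```java
// Added example (not from the slides or the jsf-security project). Assumes a JSF 1.x
// web application where the container has already authenticated the request.
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class SecurityInfoBean {

    private static ExternalContext ext() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    /** #{securityInfo.remoteUser}: the container's authenticated principal name, or null. */
    public String getRemoteUser() {
        return ext().getRemoteUser();
    }

    /** #{securityInfo.authType}: BASIC, FORM, CLIENT_CERT, ... as reported by the container. */
    public String getAuthType() {
        return ext().getAuthType();
    }

    /** #{securityInfo.securityEnabled}: true once the container has authenticated the caller. */
    public boolean isSecurityEnabled() {
        return ext().getRemoteUser() != null;
    }

    /** #{securityInfo.userInRole['admin,editor']}: true if the user holds ANY listed role. */
    public Map<String, Boolean> getUserInRole() {
        return new RoleMap(false);
    }

    /** #{securityInfo.userInAllRoles['admin,editor']}: true only if the user holds ALL listed roles. */
    public Map<String, Boolean> getUserInAllRoles() {
        return new RoleMap(true);
    }

    /**
     * The "fake HashMap": EL resolves bean.userInRole['x'] to map.get("x"), so get() is the
     * only method that does real work. Keys are comma-separated role lists; unknown roles
     * simply evaluate to false, which keeps the default deny-by-default behaviour.
     */
    private static final class RoleMap extends AbstractMap<String, Boolean> {
        private final boolean requireAll;

        RoleMap(boolean requireAll) { this.requireAll = requireAll; }

        @Override
        public Boolean get(Object key) {
            if (key == null) return Boolean.FALSE;
            ExternalContext ctx = ext();
            int checked = 0;
            boolean anyMatched = false;
            for (String role : key.toString().split(",")) {
                String r = role.trim();
                if (r.isEmpty()) continue;          // tolerate trailing commas and blanks
                checked++;
                boolean has = ctx.isUserInRole(r);
                if (requireAll && !has) return Boolean.FALSE;
                anyMatched |= has;
            }
            if (checked == 0) return Boolean.FALSE; // an empty role list grants nothing
            return requireAll ? Boolean.TRUE : Boolean.valueOf(anyMatched);
        }

        @Override
        public boolean containsKey(Object key) { return key != null; }

        /** Never enumerated by EL; an empty view keeps AbstractMap's other methods consistent. */
        @Override
        public Set<Map.Entry<String, Boolean>> entrySet() { return Collections.emptySet(); }
    }
}

// faces-config.xml registration (assumed names; request scope so each request sees
// the container's current authentication state):
// <managed-bean>
//   <managed-bean-name>securityInfo</managed-bean-name>
//   <managed-bean-class>SecurityInfoBean</managed-bean-class>
//   <managed-bean-scope>request</managed-bean-scope>
// </managed-bean>
```

In a page this is used as `<h:outputText value="Admin tools" rendered="#{securityInfo.userInRole['admin']}"/>`. Note that hiding a component this way is presentation only, which is the slide's point that security is metadata, not UI: the resource behind the link still needs its own container or filter constraint.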
8
jsf-security
  • Plugs in to faces-config.xml
  • jsf-security.jar already has this defined

    <application>
      <property-resolver>
        com.groundside.jsf.securityresolver.SecurityPropertyResolver
      </property-resolver>
      <variable-resolver>
        com.groundside.jsf.securityresolver.SecurityVariableResolver
      </variable-resolver>
    </application>
9
jsf-security
  • Pluggable resolver
  • Application scoped
  • Configured in web.xml through a context init param
    (optional): com.groundside.jsf.SECURITY_EL_RESOLVER
  • Defaults to container security
  • Impls just extend AbstractAttributeResolver
  • Can choose what functions they support

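To make the pluggable-resolver design on this slide concrete, here is an added example that re-creates it; it is not jsf-security's own code, and the real AbstractAttributeResolver API is not shown on the page, so the interface, class names and the "user=role1,role2" flat-file format below are hypothetical. Only the init-param name com.groundside.jsf.SECURITY_EL_RESOLVER comes from the slide. The example shows the two implementations the slide lists (container security as the default, a flat file for testing) and a factory that fails closed when the configured class cannot be loaded.

```java
// Added example (hypothetical re-creation of the described design, not jsf-security code).
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletContext;

/** Hypothetical plug-in contract: the questions the security EL scope needs answered. */
interface SecurityAttributeResolver {
    String getRemoteUser();
    boolean isUserInRole(String role);
    boolean isSecurityEnabled();
}

/** Default implementation: delegate to J2EE container security via the JSF ExternalContext. */
class ContainerSecurityResolver implements SecurityAttributeResolver {
    private ExternalContext ext() { return FacesContext.getCurrentInstance().getExternalContext(); }
    public String getRemoteUser() { return ext().getRemoteUser(); }
    public boolean isUserInRole(String role) { return ext().isUserInRole(role); }
    public boolean isSecurityEnabled() { return ext().getRemoteUser() != null; }
}

/** Flat-file implementation for testing: one "user=role1,role2" line per user (hypothetical format). */
class FlatFileSecurityResolver implements SecurityAttributeResolver {
    private final Map<String, Set<String>> rolesByUser = new HashMap<String, Set<String>>();
    private final String currentUser; // who the test pretends is logged in

    FlatFileSecurityResolver(Reader source, String currentUser) throws IOException {
        this.currentUser = currentUser;
        BufferedReader in = new BufferedReader(source);
        String line;
        while ((line = in.readLine()) != null) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue; // blank lines and comments
            int eq = line.indexOf('=');
            if (eq < 0) continue;                                 // malformed line grants nothing
            Set<String> roles = new HashSet<String>();
            for (String r : line.substring(eq + 1).split(",")) {
                if (!r.trim().isEmpty()) roles.add(r.trim());
            }
            rolesByUser.put(line.substring(0, eq).trim(), roles);
        }
    }

    public String getRemoteUser() { return rolesByUser.containsKey(currentUser) ? currentUser : null; }
    public boolean isUserInRole(String role) {
        Set<String> roles = rolesByUser.get(currentUser);
        return roles != null && roles.contains(role);
    }
    public boolean isSecurityEnabled() { return getRemoteUser() != null; }
}

/** Picks the implementation named in web.xml, defaulting to container security when absent. */
final class SecurityResolverFactory {
    static final String PARAM = "com.groundside.jsf.SECURITY_EL_RESOLVER"; // name from the slide

    // web.xml (optional):
    // <context-param>
    //   <param-name>com.groundside.jsf.SECURITY_EL_RESOLVER</param-name>
    //   <param-value>com.example.MyResolver</param-value>   <!-- placeholder class name -->
    // </context-param>
    static SecurityAttributeResolver create(ServletContext sc) {
        String cls = sc.getInitParameter(PARAM);
        if (cls == null || cls.trim().isEmpty()) return new ContainerSecurityResolver();
        try {
            return (SecurityAttributeResolver) Class.forName(cls.trim()).newInstance();
        } catch (Exception e) {
            // Fail closed: a misconfigured resolver must not silently fall back to "no security".
            throw new IllegalStateException("Cannot load security resolver " + cls, e);
        }
    }
}

/** Stand-alone demo of the flat-file resolver on constructed sample data. */
class FlatFileResolverDemo {
    public static void main(String[] args) throws IOException {
        String sample = "# constructed sample data\nalice=ROLE_ADMIN,ROLE_USER\nbob=ROLE_USER\n";
        SecurityAttributeResolver r = new FlatFileSecurityResolver(new StringReader(sample), "alice");
        System.out.println("user=" + r.getRemoteUser()
                + " admin=" + r.isUserInRole("ROLE_ADMIN")
                + " audit=" + r.isUserInRole("ROLE_AUDIT"));
    }
}
```

The factory is where the slide's "application scoped" and "defaults to container security" properties live: it is called once at start-up, and an absent parameter means the container stays authoritative. The flat-file resolver exists only so pages can be tested without configuring a realm; it should never be the configured resolver in a deployed application.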
10
Interesting Things to Investigate
  • On the To-Do list:
    Application auditing, navigation etc.
    Facelets / Tiles-like templating
  • Extensions to jsf-security:
    Restrict navigation based on role (like Struts)
    Secure the UI without individual expressions

11
DEMO
JSF-Security In Action
12
Q &amp; A
Your Questions and Answers
13
Thank You
14
JAVAWUG Presentations Birds of Feather XV Friday,
3rd January 2006
javawug.com