JSF authentication and authorization

Question

What is the best way to go about implementing authentication and authorization for a JSF web application? Preferrably I\'d still want to use container-based security, as I n

Answer 1

I use JSF Seam and have used Seam's built-in authentication and authorization and find it extremely easy to use.

For authentication, you simply implement 1 method, public boolean login(String username, a String password) { ... } and returns boolean. Then you can mark pages as "login-required" and seam takes care of the rest.

For authorization, Seam gives you a @Restrict Annotation that you can put on your Controller or Service methods and again, Seam takes care of the rest.

Advanced authorization: You can also handle more advanced authorization with Seam where roles are dynamic - e.g. in a bulletin board you are "author" of some posts, but "reader" or other posts, by simply delegating your @Restrict annotation to a Java method.

I would encourage you to take a look at Seam. Seam is just a layer on top of JSF so technically you would still be running on JSF . If for some reason you cannot use Seam, maybe you can borrow some ideas from how Seam handles Authorization and Authentication in JSF.

Answer 2

You can use the Spring Security framework, see instructions here http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/

Answer 3

Try to check out the blog for using JAAS with JSF. This is the example of how to deploy the JAAS with JSF for authentication and authorization.

I hope it helps.

Tiger

Answer 4

You could use the Servlet 3.0 HttpServletRequest API as shown in this answer to a JSF 2.0 question:

JSF 2.0 Simple login page