Suggestion on JSF authorization

眉间皱痕 submitted on 2019-12-22 00:27:01

Question


I learnt how to use container authentication with a JDBC realm. I searched a lot on the internet but I couldn't find anything on JSF authorization except the following article: JSF authorization

My goal is to avoid access to protected pages using direct links and to show/hide menu items and form components based on the authenticated user's privileges. The last part can be implemented using the rendered attribute of JSF tags, but before creating my own dirty and highly coupled solution I wonder if there are some specific best practices or libraries that can help. In fact, the number of components to be conditionally rendered is quite high and I wouldn't like to write a specific function for each of them. Perhaps I can create for each authenticated user a map with the names (id) of all the conditionally rendered components and a single function with a String parameter (the unique name/id of the component). Is that a good idea? What alternatives do I have? I wouldn't like to add to the project other general purpose frameworks such as Spring for using only a small part of them (the security one).

Thanks Filippo


Answer 1:


With the Expression Language version in Java EE 6 you should be able to use expressions like these:

<h:inputText rendered="#{facesContext.externalContext.isUserInRole('foo')}" />

With older versions, you can create a managed bean of this form:

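import java.util.*;
import javax.faces.context.*;

public class RoleMap extends AbstractMap<String, Boolean> {
    // EL resolves #{roleMap['foo']} by calling get("foo")
    @Override
    public Boolean get(Object key) {
        ExternalContext extCtxt = FacesContext.getCurrentInstance()
                                              .getExternalContext();
        return extCtxt.isUserInRole(key.toString());
    }

    // Other methods come from AbstractMap; mutators throw UnsupportedOperationException
    @Override
    public Set<Map.Entry<String, Boolean>> entrySet() {
        return Collections.emptySet();
    }
}

The test can then be expressed in the form: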

<h:inputText rendered="#{roleMap['foo']}" />

Third party frameworks offer other options, such as the Apache Tomahawk library's visibleOnUserRole component attributes.
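
The single-function, map-per-component idea from the question, combined with the role check from Answer 1, as an added example that is not part of the original post. The class name `ComponentAccess`, the component ids and the role names are hypothetical; the role check is passed in as a `Predicate` so the class also runs outside a JSF container.

```java
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

// Added example: use as rendered="#{componentAccess['deleteButton']}".
public class ComponentAccess extends AbstractMap<String, Boolean> {

    // Component id -> roles allowed to see it (constructed sample policy).
    private static final Map<String, Set<String>> POLICY = Map.of(
            "adminMenu", Set.of("admin"),
            "deleteButton", Set.of("admin", "editor"),
            "reportLink", Set.of("admin", "auditor"));

    private final Predicate<String> isUserInRole;

    // In JSF, pass FacesContext.getCurrentInstance().getExternalContext()::isUserInRole
    public ComponentAccess(Predicate<String> isUserInRole) {
        this.isUserInRole = isUserInRole;
    }

    @Override
    public Boolean get(Object componentId) {
        Set<String> allowed = POLICY.get(String.valueOf(componentId));
        // Deny by default: an id missing from the policy (typo, new component) stays hidden.
        if (allowed == null) {
            return Boolean.FALSE;
        }
        return allowed.stream().anyMatch(isUserInRole);
    }

    // Roles are checked on demand, so there is nothing to enumerate.
    @Override
    public Set<Map.Entry<String, Boolean>> entrySet() {
        return Collections.emptySet();
    }

    public static void main(String[] args) {
        // Stand-in for the container's role check: a user holding only "editor".
        ComponentAccess access = new ComponentAccess(Set.of("editor")::contains);
        for (String id : new String[] {"adminMenu", "deleteButton", "reportLink", "unknownId"}) {
            System.out.println(id + " -> " + access.get(id));
        }
    }
}
```

This only decides what is rendered; blocking direct links to protected pages remains the job of the container's security constraints.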




Answer 2:


Take a look at Apache Shiro, a dedicated security framework (and supposedly easier to use than Spring Security).



Source: https://stackoverflow.com/questions/7037642/suggestion-on-jsf-authorization
