Question

I learnt how to use container authentication with JDBC realm. I searched a lot on internet but I couldn t find anything on JSF authorization except the following article. JSF authorization

My goal is to avoid access to protected pages using direct links and to show/hide menu items and form components based on the authenticated user privileges. The last part can be implemented using the rendered attribute of JSF tags but before creating my own dirty and high coupled solution I wonder if there are some specific best practices or libraries that can help. in fact the number of components to be conditionally rendered is quite high and I wouldn t like to write a specific function for each of them. Perhaps I can create for each authenticated user a map with the names (id) of all the conditionally rendered components and a single function with a String parameter (the unique name/id of the component). Is that a good idea ? What alternatives do I have ? I wouldn t like to add to the project other general purpose frameworks such as spring for using only a small part of them (the security one).

Thanks Filippo

Answer 1

有了Java EE 6的表达语言版本,你就应当能够使用这些表达方式:

<h:inputText rendered="#{facesContext.externalContext.isUserInRole( foo )}" />

有了较老的版本,你就能够形成一种管理好的方式:

public class RoleMap implements Map<String, Boolean> {

    public Boolean get(Object key) {
        ExternalContext extCtxt = FacesContext.getCurrentInstance()
                                              .getExternalContext();
        return extCtxt.isUserInRole(key.toString());
    }

    //TODO: other methods; mostly throwing UnsupportedOperationException

试验可以表现为:

<h:inputText rendered="#{roleMap[ foo ]}" />

Third party frameworks offer other options, such as the Apache Tomahawk library s visibleOnUserRole component attributes.

Answer 2

参看,Apache Shiro,这是一个专门的安全框架(而且据称是晚期使用的安保系统)。

友情链接