
JAVAWUG Presentations Birds of Feather XV Friday, 3 rd January 2006


Presentation Transcript


  1. JAVAWUG Presentations Birds of Feather XV Friday, 3rd January 2006 javawug.com

  2. JSF Security Quickie Problems and Solutions Duncan Mills J2EE Evangelist Oracle Corp

  3. Issues with Container Security
     • No redirect – no protection
     • JSF screens don't make great login pages
     • Certainly don't mix logon and content
     • Filters not activated – rules out some components
     • No simple recognition of security in the component spec
     • Exception: MyFaces core components have a "role" attr

  4. Tackling The Issues
     • Don't try to build a custom login form in JSF
       • (Could use <f:verbatim> & <form>)
       • Better to use JSP / HTML
     • How do I get at security information?
       • Container does not expose the info in a useful way (e.g. through EL)
       • Create a managed bean
         • Expose getRemoteUser() as an attribute
         • Expose isUserInRole() through a fake HashMap
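The managed-bean approach from slide 4, written out as an added example (this is not code from the slides or from the jsf-security project). It assumes JSF 1.x with the container's own authentication, and a bean registered in faces-config.xml under the assumed name "security" in request scope. The trick for isUserInRole() is that EL can only read properties, so the role name is passed in as a Map key and the Map's get() forwards it to the container:

```java
// Added example: expose container security information to JSF EL through a managed bean.
// Register in faces-config.xml (names assumed):
//   <managed-bean>
//     <managed-bean-name>security</managed-bean-name>
//     <managed-bean-class>example.security.SecurityBean</managed-bean-class>
//     <managed-bean-scope>request</managed-bean-scope>
//   </managed-bean>
package example.security;

import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class SecurityBean {

    // The ExternalContext wraps HttpServletRequest.getRemoteUser()/isUserInRole().
    private ExternalContext ext() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    /** #{security.remoteUser} : the container-authenticated principal name, or null. */
    public String getRemoteUser() {
        return ext().getRemoteUser();
    }

    /** #{security.loggedIn} : true once the container has authenticated this request. */
    public boolean isLoggedIn() {
        return ext().getRemoteUser() != null;
    }

    /**
     * #{security.userInRole['admin']} : delegates to ExternalContext.isUserInRole("admin").
     * This is the "fake HashMap" of slide 4: only get() does real work, so the
     * Map cannot be iterated; it is a lookup table keyed by role name.
     */
    public Map<String, Boolean> getUserInRole() {
        return new AbstractMap<String, Boolean>() {
            @Override
            public Boolean get(Object role) {
                // Null-safe: an unknown or missing role name is simply "not in role".
                return role != null && ext().isUserInRole(role.toString());
            }

            @Override
            public boolean containsKey(Object role) {
                return role != null; // any role name is a legitimate query
            }

            @Override
            public Set<Map.Entry<String, Boolean>> entrySet() {
                return Collections.emptySet(); // roles cannot be enumerated, only tested
            }
        };
    }
}
```

In a page this drives rendering, e.g. rendered="#{security.userInRole['admin']}" on a component. That only hides UI: the web.xml security-constraint on the underlying URL is still what actually denies the request, which is the sense in which slide 5 calls security metadata rather than UI.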

  5. One Approach
     • Saw this today
     • acegi-jsf Components
       http://www.jroller.com/page/cagataycivici?entry=acegi_jsf_components_hit_the
       http://sourceforge.net/projects/jsf-comp/
     • Not the correct approach!
     • Security is metadata not UI

       <acegijsf:authorize ifAllGranted="ROLE_SUPERVISOR,ROLE_ADMIN">
           <h:outputText….>
       </acegijsf:authorize>

  6. Introducing the jsf-security project
     • A better way…?
     • www.sourceforge.net/projects/jsf-security
     • Provides an extension to JSF EL for security purposes
     • Plugs into the standard EL extension point
     • Implementation independent
     • Pluggable architecture can use (or is planned to):
       • J2EE container security, JAAS, flat file for testing
       • Other possibles: Acegi?

  7. jsf-security
     • Introduces new EL scope #{securityScope}
     • Attributes:
       #{securityScope.securityEnabled}
       #{securityScope.remoteUser}
       #{securityScope.authType}
       #{securityScope.userInRole['role1,role2,…']}
       #{securityScope.userInAllRoles['role1,role2,…']}

  8. jsf-security
     • Plugs in to faces-config.xml
     • jsf-security.jar already has this defined:

       <application>
         <property-resolver>
           com.groundside.jsf.securityresolver.SecurityPropertyResolver
         </property-resolver>
         <variable-resolver>
           com.groundside.jsf.securityresolver.SecurityVariableResolver
         </variable-resolver>
       </application>

  9. jsf-security
     • Pluggable resolver
     • Application scoped
     • Configured in web.xml through a context init param (optional):
       com.groundside.jsf.SECURITY_EL_RESOLVER
     • Defaults to container security
     • Impls just extend AbstractAttributeResolver
     • Can choose what functions they support

  10. Interesting Things to Investigate
     • On the To-Do list…
     • Application auditing – navigation etc.
     • Facelets – Tiles-like templating ++
     • Extensions to jsf-security
       • Restrict navigation based on role (like Struts)
       • Secure the UI without individual expressions

  11. DEMO JSF-Security In Action

  12. Q & A Your Questions and Answers

  13. Thank You

  14. JAVAWUG Presentations Birds of Feather XV Friday, 3rd January 2006 javawug.com
