JAVAWUG Presentations Birds of Feather XV Friday, 3rd January 2006 javawug.com
JSF Security Quickie: Problems and Solutions
Duncan Mills, J2EE Evangelist, Oracle Corp
Issues with Container Security
• No redirect – no protection
• JSF screens don't make great login pages
  • Certainly don't mix logon and content
• Filters not activated – rules out some components
• No simple recognition of security in the component spec
  • Exception: MyFaces core components have a "role" attr
Tackling the Issues
• Don't try to build a custom login form in JSF
  • (Could use <f:verbatim> & <form>)
  • Better to use JSP / HTML
• How do I get at security information?
  • The container does not expose the info in a useful way (e.g. through EL)
  • Create a managed bean
    • Expose getRemoteUser() as an attribute
    • Expose isUserInRole() through a fake HashMap
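The managed-bean approach on this slide, written out as an added example (it is not code from the deck, from Duncan Mills, or from the jsf-security project). The bean name securityBean and its registration as a request-scoped managed bean in faces-config.xml are assumptions; the only API it relies on is javax.faces.context.ExternalContext from JSF 1.x, which does expose getRemoteUser(), getAuthType() and isUserInRole(String). It goes slightly beyond the slide: the "fake HashMap" accepts a comma-separated role list and is offered in an any-of and an all-of flavour, the same shape as the userInRole / userInAllRoles attributes the jsf-security slides describe.

```java
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/**
 * Hypothetical request-scoped managed bean that surfaces container security
 * state to JSF EL. Register it in faces-config.xml under the (assumed) name
 * "securityBean" so a page can write, for example:
 *   rendered="#{securityBean.userInRole['admin,supervisor']}"
 *   <h:outputText value="#{securityBean.remoteUser}"/>
 */
public class SecurityBean {

    private static ExternalContext ext() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    /** Container-authenticated principal name, or null when unauthenticated. */
    public String getRemoteUser() {
        return ext().getRemoteUser();
    }

    /** BASIC, FORM, CLIENT_CERT, DIGEST or null, exactly as the container reports it. */
    public String getAuthType() {
        return ext().getAuthType();
    }

    /** True once the container has authenticated the caller. */
    public boolean isSecurityEnabled() {
        return ext().getRemoteUser() != null;
    }

    /** #{securityBean.userInRole['a,b']} is true when the user holds ANY listed role. */
    public Map<String, Boolean> getUserInRole() {
        return new RoleMap(false);
    }

    /** #{securityBean.userInAllRoles['a,b']} is true only when the user holds EVERY listed role. */
    public Map<String, Boolean> getUserInAllRoles() {
        return new RoleMap(true);
    }

    /**
     * The "fake HashMap": JSF 1.x EL cannot invoke isUserInRole("x") directly,
     * but it can index a Map, so get(key) performs the role check on demand.
     * Fails closed: an unauthenticated user holds no roles, so every lookup is false.
     */
    private static final class RoleMap extends AbstractMap<String, Boolean> {
        private final boolean requireAll;

        RoleMap(boolean requireAll) {
            this.requireAll = requireAll;
        }

        @Override
        public Boolean get(Object key) {
            if (key == null) {
                return Boolean.FALSE;
            }
            ExternalContext ctx = ext();
            boolean anyHeld = false;
            for (String role : key.toString().split(",")) {
                String r = role.trim();
                if (r.length() == 0) {
                    continue;
                }
                boolean held = ctx.isUserInRole(r);
                if (requireAll && !held) {
                    return Boolean.FALSE;
                }
                anyHeld |= held;
            }
            return Boolean.valueOf(anyHeld);
        }

        /** Some EL resolvers probe containsKey() before get(); every key is answerable. */
        @Override
        public boolean containsKey(Object key) {
            return true;
        }

        /** The map is a pure lookup function and has no enumerable entries. */
        @Override
        public Set<Map.Entry<String, Boolean>> entrySet() {
            return Collections.emptySet();
        }
    }
}
```

Two things follow from the slide's own point that "security is metadata, not UI": the bean only reads state the container has already established, so it is as trustworthy as the <security-constraint> and <login-config> in web.xml behind it; and hiding a component with rendered="#{securityBean.userInRole['admin']}" is a presentation decision, not enforcement, so the URL the component leads to still needs its own container constraint.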
One Approach
• Saw this today
  • acegi-jsf Components
    http://www.jroller.com/page/cagataycivici?entry=acegi_jsf_components_hit_the
    http://sourceforge.net/projects/jsf-comp/
• Not the correct approach!
  • Security is metadata, not UI

  <acegijsf:authorize ifAllGranted="ROLE_SUPERVISOR,ROLE_ADMIN">
    <h:outputText …>
  </acegijsf:authorize>
Introducing the jsf-security project
• A better way…?
• www.sourceforge.net/projects/jsf-security
• Provides an extension to JSF EL for security purposes
  • Plugs into the standard EL extension point
  • Implementation independent
• Pluggable architecture can use (or is planned to):
  • J2EE container security, JAAS, flat file for testing
  • Other possibles: Acegi?
jsf-security
• Introduces a new EL scope: #{securityScope}
• Attributes:
  #{securityScope.securityEnabled}
  #{securityScope.remoteUser}
  #{securityScope.authType}
  #{securityScope.userInRole['role1,role2,…']}
  #{securityScope.userInAllRoles['role1,role2,…']}
jsf-security
• Plugs in to faces-config.xml
• jsf-security.jar already has this defined:

  <application>
    <property-resolver>
      com.groundside.jsf.securityresolver.SecurityPropertyResolver
    </property-resolver>
    <variable-resolver>
      com.groundside.jsf.securityresolver.SecurityVariableResolver
    </variable-resolver>
  </application>
jsf-security
• Pluggable resolver
  • Application scoped
  • Configured in web.xml through a context init param (optional): com.groundside.jsf.SECURITY_EL_RESOLVER
  • Defaults to container security
• Impls just extend AbstractAttributeResolver
  • Can choose what functions they support
Interesting Things to Investigate
• On the To-Do list…
  • Application auditing – navigation etc.
  • Facelets – Tiles-like templating ++
• Extensions to jsf-security
  • Restrict navigation based on role (like Struts)
  • Secure the UI without individual expressions
DEMO: JSF-Security in Action
Q & A
Your Questions and Answers