Hi, in my JSF app I'm using the rendered attribute to hide a form from users that don't have the admin role. I don't want to hide all content. Is it complete protection? Shouldn't I secure the methods in the controller? How does it work in JSF?
Thanks
Securing form against user role
- andyba
This isn't part of the JSF spec IIRC. I can't remember which part of Java EE security realms are covered in; however, it does cover quite a lot of the other specs, with things like method-level authorisation and user delegation.
Not really a PrimeFaces subject. You should really secure methods that really should only be used by users with specific roles as you can never be sure how these methods will be used or called in the future.
PF 4.x (Elite versions), PF 5, PF 5.1, PF 6.0
Glassfish 4.1, Mojarra 2.x, Java 8, Payara 4.1.1.
If you haven't read the forum rules read them now
Hello
We have been using Apache Shiro with success in JSF applications. Truth be told, there is not too much information about JSF and Apache Shiro, but it can be used with it. With Shiro, apart from controlling authentication and authorization, you can decorate methods:
@RequiresPermissions("users:create")
@RequiresRoles("admin")
I don't know if the rendered attribute is reliable.
Hope it helps
Primefaces 5.3.X / 6.X
NetBeans 8.1
WildFly 10
Linux Mint & freeBSD
You can also have a look at Apache DeltaSpike which also gives you great JSF/CDI features.
Thomas Andraschko
PrimeFaces | PrimeFaces Extensions
Apache Member | OpenWebBeans, DeltaSpike, MyFaces, BVal, TomEE
Sponsor me: https://github.com/sponsors/tandraschko
Blog: http://tandraschko.blogspot.de/
Twitter: https://twitter.com/TAndraschko
Thanks for the replies. I thought JSF could generate a new token for each form rendering, but I don't know. I finally secured the methods with Spring Security, but I had to use Spring AOP to be able to annotate with @Secured and handle AccessDeniedException. It works.
- andyba
Java Security has nothing to do with JSF. You can use it within the Servlet Spec, JSF, EJBs, CDI managed beans, Web Services (all flavours) and so on.
Standard annotations provided with the Java EE 6/7 spec can be used to secure methods or to provide boolean values for tag rendered attributes.
There is no need to use Spring, DeltaSpike or any other addon library although these can make life easier in the short term.
Java EE provides a standard framework for securing resources which works out of the box.
I strongly suggest you find a Java EE 6/7 tutorial, work through it and go from there.