Securing form against user role

UI Components for JSF
atticus
Posts: 2
Joined: 12 Jul 2014, 22:39

28 Oct 2014, 20:08

Hi, in my JSF app I'm using the rendered attribute to hide a form from users that don't have the admin role. I don't want to hide all content. Is it complete protection? Shouldn't I secure methods in the controller? How does it work in JSF?

Thanks

andyba
Expert Member
Posts: 2473
Joined: 31 Mar 2011, 16:27
Location: Steinfeld, near Bremen/Osnabrück, DE

29 Oct 2014, 16:35

This isn't part of the JSF spec IIRC. I can't remember which part of Java EE security realms is covered in; however, it does cover quite a lot of the other specs with things like method-level authorisation and user delegation.
Not really a PrimeFaces subject. You should really secure methods that should only be used by users with specific roles, as you can never be sure how these methods will be used or called in the future.
PF 4.x (Elite versions), PF 5, Pf 5.1, PF 6.0
Glassfish 4.1, Mojarra 2.x, Java 8, Payara 4.1.1.
If you haven't read the forum rules read them now

soekris
Posts: 76
Joined: 29 Apr 2013, 16:54
Location: Barcelona

29 Oct 2014, 21:16

Hello

We have been using Apache Shiro with success in JSF applications. Truth be told, there is not too much information about JSF and Apache Shiro, but it can be used in it. With Shiro, apart from controlling authentication and authorization, you can decorate methods:

@RequiresPermissions("users:create")
@RequiresRoles("admin")

I don't know if the rendered attribute is reliable.

Hope it helps
Primefaces 5.3.X / 6.X
NetBeans 8.1
WildFly 10
Linux Mint & freeBSD

tandraschko
PrimeFaces Core Developer
Posts: 3979
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE

29 Oct 2014, 21:53

You can also have a look at Apache DeltaSpike which also gives you great JSF/CDI features.
Thomas Andraschko

PrimeFaces | PrimeFaces Extensions

Apache Member | OpenWebBeans, DeltaSpike, MyFaces, BVal, TomEE

Sponsor me: https://github.com/sponsors/tandraschko
Blog: http://tandraschko.blogspot.de/
Twitter: https://twitter.com/TAndraschko

atticus
Posts: 2
Joined: 12 Jul 2014, 22:39

30 Oct 2014, 17:04

Thanks for the replies. I thought JSF could generate a new token for each form rendering, but I don't know. I finally secured the methods with Spring Security, but I had to use Spring AOP to be able to annotate with @Secured and handle AccessDeniedException. It works.

andyba
Expert Member
Posts: 2473
Joined: 31 Mar 2011, 16:27
Location: Steinfeld, near Bremen/Osnabrück, DE

30 Oct 2014, 18:18

Java Security has nothing to do with JSF. You can use it within the Servlet Spec, JSF, EJBs, CDI managed beans, Web Services (all flavours) and so on.
Standard annotations provided with the Java EE 6/7 spec can be used to secure methods or to provide boolean values for tag rendered attributes.
There is no need to use Spring, DeltaSpike or any other addon library although these can make life easier in the short term.
Java EE provides a standard framework for securing resources which works out of the box.

I strongly suggest you find a Java EE 6/7 tutorial, work through it and go from there.
PF 4.x (Elite versions), PF 5, Pf 5.1, PF 6.0
Glassfish 4.1, Mojarra 2.x, Java 8, Payara 4.1.1.
If you haven't read the forum rules read them now
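
The approach discussed in this thread, sketched with standard Java EE 6/7 annotations: the rendered attribute only controls visibility, while the role check sits on the method itself. This is an added example, not code from any poster; the class names, the "admin" role mapping in the container's realm, the sample data and the navigation outcome are all assumptions.

```java
// --- UserAdminService.java (hypothetical names throughout) ---
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Singleton;

@Singleton
public class UserAdminService {
    // Constructed in-memory sample data standing in for a real user store.
    private final Map<Long, String> users = new ConcurrentHashMap<>();
    { users.put(1L, "alice"); users.put(2L, "bob"); }

    // Enforced by the container on every call, whichever page, bean or web
    // service invokes it; callers without the role get EJBAccessException.
    @RolesAllowed("admin")
    public boolean deleteUser(long userId) {
        return users.remove(userId) != null;
    }
}

// --- UserAdminBean.java ---
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.inject.Named;

@Named
@RequestScoped
public class UserAdminBean {
    @EJB private UserAdminService service;
    private long userId;

    // For <h:form rendered="#{userAdminBean.admin}">: decides visibility only.
    public boolean isAdmin() {
        return FacesContext.getCurrentInstance().getExternalContext().isUserInRole("admin");
    }

    // Action method: authorisation is decided by the EJB, not by the page.
    public String delete() {
        try {
            service.deleteUser(userId);
            return "users?faces-redirect=true"; // hypothetical outcome
        } catch (EJBAccessException e) {
            FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Access denied", "The admin role is required."));
            return null; // stay on the current view
        }
    }
    public long getUserId() { return userId; }
    public void setUserId(long userId) { this.userId = userId; }
}
```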
