JAVAWUG Presentations: Birds of Feather XV, Friday, 3rd January 2006
The Java Web Users Group © 2006
JAVAWUG Presentations: Birds of Feather XV
Friday, 3rd January 2006
javawug.com
JSF Security Quickie: Problems and Solutions
Duncan Mills, J2EE Evangelist
Oracle Corp
Issues with Container Security
● No redirect – no protection
● JSF screens don't make great login pages
  – Certainly don't mix logon and content
  – Filters not activated – rules out some components
● No simple recognition of security in component spec
  – Exception: MyFaces core components have "role" attr
Tackling the Issues
● Don't try and build a custom login form in JSF
  – (Could use <f:verbatim> & <form>)
  – Better to use JSP / HTML
● How do I get at security information?
  – Container does not expose the info in a useful way (e.g. through EL)
  – Create a managed bean
    ● Expose getRemoteUser() as an attribute
    ● Expose isUserInRole() through a fake HashMap
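The managed-bean approach from this slide, written out as an added example (it is not code from the slides or from any project named here). The class name SecurityBean and the EL names are assumptions; the bean would be registered in faces-config.xml as a request-scoped managed bean. getRemoteUser() is exposed as a plain attribute, and isUserInRole() is exposed through a "fake" Map whose get() asks the container instead of looking up a stored value, so #{securityBean.userInRole['admin']} evaluates to a boolean:

```java
// Added example, not from the slides: a JSF 1.x managed bean that exposes
// container security information to EL. Class and property names are assumptions.
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class SecurityBean {

    /** #{securityBean.remoteUser}: null when the container has not authenticated anyone. */
    public String getRemoteUser() {
        return externalContext().getRemoteUser();
    }

    /** #{securityBean.userInRole['admin']}: EL calls Map.get("admin") on the returned map. */
    public Map<String, Boolean> getUserInRole() {
        return new RoleMap(externalContext());
    }

    private static ExternalContext externalContext() {
        // Looked up per call, so the bean itself holds no per-request state.
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    /** "Fake" HashMap: get(key) delegates to ExternalContext.isUserInRole(key). */
    static final class RoleMap extends AbstractMap<String, Boolean> {
        private final ExternalContext ctx;

        RoleMap(ExternalContext ctx) {
            this.ctx = ctx;
        }

        @Override
        public Boolean get(Object key) {
            // Fail closed: a null key, or an unauthenticated user, is never "in role".
            return key != null && ctx.isUserInRole(key.toString());
        }

        @Override
        public boolean containsKey(Object key) {
            // Every role name is a valid question, so EL never sees a "missing key".
            return true;
        }

        @Override
        public Set<Map.Entry<String, Boolean>> entrySet() {
            // The map is never enumerated; it only answers point queries.
            return Collections.emptySet();
        }
    }
}
```

The map never returns true for a role the container does not confirm, so a typo in a role name in the page degrades to "hidden", not "shown". Note that this only hides UI; the container's security-constraint entries in web.xml still have to protect the underlying URLs and actions.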
One Approach
● Saw this today – acegi-jsf components
  http://www.jroller.com/page/cagataycivici?entry=acegi_jsf_components_hit_the
  http://sourceforge.net/projects/jsf-comp/
● Not the correct approach!
  – Security is metadata, not UI

<acegijsf:authorize ifAllGranted="ROLE_SUPERVISOR,ROLE_ADMIN">
  <h:outputText …>
</acegijsf:authorize>
Introducing the jsf-security project
● A better way…?
  – www.sourceforge.net/projects/jsf-security
● Provides an extension to JSF EL for security purposes
● Plugs into standard EL extension point
● Implementation independent
● Pluggable architecture can use (or is planned to):
  – J2EE container security, JAAS, flat file for testing
  – Other possibles: Acegi?
jsf-security
● Introduces new EL scope #{securityScope}
● Attributes:
  #{securityScope.securityEnabled}
  #{securityScope.remoteUser}
  #{securityScope.authType}
  #{securityScope.userInRole['role1,role2,…']}
  #{securityScope.userInAllRoles['role1,role2,…']}
jsf-security
● Plugs in to faces-config.xml
● jsf-security.jar already has this defined

<application>
  <property-resolver>
    com.groundside.jsf.securityresolver.SecurityPropertyResolver
  </property-resolver>
  <variable-resolver>
    com.groundside.jsf.securityresolver.SecurityVariableResolver
  </variable-resolver>
</application>
jsf-security
● Pluggable resolver
  – Application scoped
● Configured in web.xml through context init param (optional):
  com.groundside.jsf.SECURITY_EL_RESOLVER
  – Defaults to container security
  – Impls just extend AbstractAttributeResolver
● Can choose what functions they support
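An added example covering two of the preceding slides: the comma-separated role lists behind #{securityScope.userInRole[...]} and #{securityScope.userInAllRoles[...]}, and the pluggable back end (container security by default, a flat-file/static source for testing). This is not jsf-security's own code: the RoleSource interface and the class names are assumptions, the real AbstractAttributeResolver API is not shown on the slides, and reading userInRole as "at least one listed role" versus userInAllRoles as "every listed role" is inferred from the attribute names.

```java
// Added example, not jsf-security project code. RoleSource, the class names and
// the any-vs-all semantics are assumptions made for illustration.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.faces.context.ExternalContext;

/** Back end that answers identity and role questions (stands in for the pluggable resolver). */
interface RoleSource {
    String remoteUser();
    boolean isUserInRole(String role);
}

/** Default back end: delegate to J2EE container security. */
final class ContainerRoleSource implements RoleSource {
    private final ExternalContext ctx;

    ContainerRoleSource(ExternalContext ctx) {
        this.ctx = ctx;
    }

    public String remoteUser() {
        return ctx.getRemoteUser();
    }

    public boolean isUserInRole(String role) {
        return ctx.isUserInRole(role);
    }
}

/** Test back end: a fixed user and role set held in memory (constructed data, no real users). */
final class StaticRoleSource implements RoleSource {
    private final String user;
    private final Set<String> roles;

    StaticRoleSource(String user, String... roles) {
        this.user = user;
        this.roles = new HashSet<String>(Arrays.asList(roles));
    }

    public String remoteUser() {
        return user;
    }

    public boolean isUserInRole(String role) {
        // An unauthenticated (null) user holds no roles at all.
        return user != null && roles.contains(role);
    }
}

/** Evaluates the 'role1,role2,…' lists accepted by userInRole and userInAllRoles. */
final class RoleListEvaluator {
    private final RoleSource source;

    RoleListEvaluator(RoleSource source) {
        this.source = source;
    }

    /** userInRole['a,b']: true if the user holds at least one of the listed roles. */
    public boolean userInAnyRole(String roleList) {
        for (String role : split(roleList)) {
            if (source.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    /** userInAllRoles['a,b']: true only if the user holds every listed role. */
    public boolean userInAllRoles(String roleList) {
        String[] roles = split(roleList);
        if (roles.length == 0) {
            return false; // fail closed: an empty list grants nothing
        }
        for (String role : roles) {
            if (!source.isUserInRole(role)) {
                return false;
            }
        }
        return true;
    }

    /** Splits on commas and trims, so 'a, b' and 'a,b' are treated the same. */
    private static String[] split(String roleList) {
        if (roleList == null || roleList.trim().length() == 0) {
            return new String[0];
        }
        String[] parts = roleList.split(",");
        for (int i = 0; i < parts.length; i++) {
            parts[i] = parts[i].trim();
        }
        return parts;
    }

    public static void main(String[] args) {
        RoleListEvaluator ev = new RoleListEvaluator(new StaticRoleSource("alice", "user", "editor"));
        System.out.println("any of admin,editor: " + ev.userInAnyRole("admin,editor"));
        System.out.println("all of admin,editor: " + ev.userInAllRoles("admin,editor"));
        System.out.println("all of user, editor: " + ev.userInAllRoles("user, editor"));
    }
}
```

Keeping the parsing and the any/all decision in one place, behind an interface, is what makes the back end swappable without touching pages: a JAAS or Acegi source would implement RoleSource in the same way as the container one, and the empty-list and null-user cases fail closed regardless of which source is plugged in.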
Interesting Things to Investigate
● On the to-do list…
  – Application auditing – navigation etc.
  – Facelets – Tiles-like templating ++
  – Extensions to jsf-security
    ● Restrict navigation based on role (like Struts)
    ● Secure the UI without individual expressions
DEMO
JSF-Security In Action
Q & A: Your Questions and Answers
Thank You