users@glassfish.java.net

Re: restrict access based on user type/role

From: Felipe Gaúcho <fgaucho_at_gmail.com>
Date: Thu, 22 Jan 2009 19:45:35 +0100

Google for jdbc realm glassfish...

Later on you will edit your web.xml file with something like this:

        <security-constraint>
                <display-name>Restrict advertisement pages to customers</display-name>
                <web-resource-collection>
                        <web-resource-name>CustomerPages</web-resource-name>
                        <description />
                        <url-pattern>/pages/advertisement/*</url-pattern>
                        <http-method>GET</http-method>
                        <http-method>POST</http-method>
                        <http-method>HEAD</http-method>
                        <http-method>PUT</http-method>
                        <http-method>OPTIONS</http-method>
                        <http-method>TRACE</http-method>
                        <http-method>DELETE</http-method>
                </web-resource-collection>
                <auth-constraint>
                        <description>Only let customers access advertisement pages</description>
                        <role-name>customer</role-name>
                </auth-constraint>
        </security-constraint>

        <security-role>
                <description />
                <role-name>customer</role-name>
        </security-role>
        <security-role>
                <description />
                <role-name>admin</role-name>
        </security-role>

On Thu, Jan 22, 2009 at 7:40 PM, <glassfish_at_javadesktop.org> wrote:
> Guys,
>
> I am creating a Java EE application. I have an application-level managed bean in which I have a member variable called userType. This variable holds the type of user (either site admin or app admin or general user and so on...) currently logged into the site.
>
> Using this variable, how can I restrict access to JSP pages? For example, if I have an admin.jsp page... I want to make it available only to the user whose type is site admin and deny it for everyone else.
>
> Currently, although I was able to successfully hide (Admin Tab...admin.jsp) using rendered="#{myApplicationBean.userType=='siteAdmin'}"
>
> but if the user directly types in the URL after logging in, he/she can access the page...
>
> what do I need to make sure they cannot access the page this way...
>
> thanks
>
> -Amor
> [Message sent by forum member 'amorous' (amorous)]
>
> http://forums.java.net/jive/thread.jspa?messageID=327694
>