jsr344-experts@javaserverfaces-spec-public.java.net

[jsr344-experts] [948] JSF Security

From: lamine <laminba2003_at_yahoo.fr>
Date: Thu, 1 Dec 2011 16:41:56 +0000 (GMT)

Hello Experts,

Sorry for disturbing you again, but I'm wondering if we couldn't solve this issue definitively in JSF 2.2.

1) http://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-948

I'm coming with a proposal after having read this nice article about the <f:viewAction> component.

2) http://www.oracle.com/technetwork/articles/java/jsf22-1377252.html


As Arjan Tijms wrote, the goal of JSF was never to provide a security system. In fact, its goal is to provide the right abstraction that one can use safely to integrate with the existing security infrastructure. Here is one proposal about how this abstraction should be implemented; for the moment, we will keep it simple:

Authentication: we should take inspiration from SeamLoginModule.

<h:form id="login">
    <h:panelGrid columns="2">
        <h:outputLabel for="username">Username</h:outputLabel>
        <h:inputText id="username" value="#{identity.username}"/>
        <h:outputLabel for="password">Password</h:outputLabel>
        <h:inputSecret id="password" value="#{identity.password}"/>
    </h:panelGrid>
    <h:commandButton value="Login" action="#{identity.login}"/>
</h:form>

Authorization: we need view-level security in order to prevent non-authenticated users from accessing restricted views. This authorization part can be achieved using the f:viewAction component with one simple action: "if the user is not logged in, navigate to login.xhtml". We just need to come up with a standard action that one can reference in their views.


<f:metadata>
    <f:viewAction action="#{identity.checkLogin}"/>
</f:metadata>


And as a convention, the default page for the security redirection is login.xhtml, but this value must be configurable. No, there is no need to make it configurable: we can write this default behavior in a default faces-config.xml.

<navigation-rule>
    <from-view-id>*</from-view-id>
    <navigation-case>
        <from-action>#{identity.checkLogin}</from-action>
        <if>#{not identity.loggedIn}</if>
        <to-view-id>/login.xhtml</to-view-id>
        <redirect/>
    </navigation-case>
</navigation-rule>
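To make the proposal concrete, here is a hypothetical `identity` bean that backs both the login form and the `#{identity.checkLogin}` view action above. It is an added example, not code from the mail, from Seam or from the JSF spec; the package name, the `home` landing view and the use of `HttpServletRequest#login` (Servlet 3.0) to delegate credential checking to the container's realm are assumptions. The bean itself never verifies passwords, which is the whole point of the proposal: JSF supplies the abstraction and the container supplies the security.

```java
// Hypothetical "identity" bean for the proposal above (added example, not from the original mail).
package example.security;          // assumed package name

import java.io.Serializable;
import javax.enterprise.context.SessionScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

@Named("identity")
@SessionScoped
public class Identity implements Serializable {

    private String username;
    private transient String password;   // never serialized with the session

    public String getUsername()               { return username; }
    public void   setUsername(String value)   { this.username = value; }
    public String getPassword()               { return password; }
    public void   setPassword(String value)   { this.password = value; }

    private static HttpServletRequest request() {
        return (HttpServletRequest) FacesContext.getCurrentInstance()
                .getExternalContext().getRequest();
    }

    // Bound to <h:commandButton action="#{identity.login}"/>.
    // HttpServletRequest#login (Servlet 3.0) validates the credentials against the
    // realm configured in the container, so this bean stores no password hashes and
    // performs no comparison of its own.
    public String login() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        try {
            request().login(username, password);
        } catch (ServletException e) {
            // Same generic message whether the user is unknown or the password is wrong.
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Login failed", null));
            return null;                   // stay on login.xhtml
        } finally {
            password = null;               // drop the clear-text password immediately
        }
        // Issue a fresh session id after authentication to defeat session fixation
        // (Servlet 3.1, the level JSF 2.2 / Java EE 7 targets).
        request().changeSessionId();
        return "home?faces-redirect=true"; // assumed landing view after login
    }

    // Bound to <f:viewAction action="#{identity.checkLogin}"/> on every protected view.
    // Returning null hands the decision to the navigation rule in faces-config.xml:
    // when #{not identity.loggedIn} holds, the rule redirects to /login.xhtml,
    // otherwise rendering of the requested view proceeds.
    public String checkLogin() {
        return null;
    }

    // Backs #{identity.loggedIn}: the container-held principal is the source of truth,
    // not a flag that page code could set.
    public boolean isLoggedIn() {
        return request().getUserPrincipal() != null;
    }

    // Bound to a logout button; clears the container principal and the session.
    public String logout() {
        try {
            request().logout();            // Servlet 3.0
        } catch (ServletException e) {
            // nothing useful to recover; fall through and invalidate anyway
        }
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "/login.xhtml?faces-redirect=true";
    }
}
```

The `<redirect/>` in the rule matters for the view action: the unauthenticated request never gets as far as rendering the protected view, and the browser's address bar ends up on login.xhtml rather than on a protected URL that silently shows the login form.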

And a developer can override it in their own faces-config.xml. This issue is currently blocking 971-Multi-templating. A JSF developer living in Dakar can download a template made by a template author living in New York. But without a security model, how can I ask the template authors to design the login form for them?


Thanks
Lamine