4 Replies Latest reply on Dec 8, 2005 4:01 AM by lcoetzee

    JSF/Seam/EJB3 security best-practices

    patrick_ibg

      I want to start a discussion on security implementation.

      The final stumbling block for me in the entire JSF/Facelets/SEAM/EJB3/JBoss stack is the security aspect. JAAS is a big hairy beast and is probably overkill for most web applications, and JSF doesn't seem to play well out-of-the-box with web-container managed security (Realms and Roles).

There are some pertinent JSF security discussions in the Java forums:
      - An article by Ed Burns: http://forum.java.sun.com/thread.jspa?threadID=675281&tstart=0
      - Another discussion can be found here: http://forum.java.sun.com/thread.jspa?threadID=502322&start=0&tstart=0

      I like the @LoggedIn example used by the HotelBooking demo. Perhaps it can be generalized to work with multiple role-types. I think the key is to have a User entity (which can be polymorphic: CustomerUser, AdminUser, etc.) that lives in the Session context...

        • 1. Re: JSF/Seam/EJB3 security best-practices
          gavin.king

          IANASE (I Am Not A Security Expert) but, IMO, EJB3 interceptors give you the potential to define a declarative security model on top of any underlying security infrastructure you like.

          But it was my impression that JBoss security is so pluggable that there are other places you can customize the container managed security used by EJB3.
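An added example of the approach described above (a declarative security model built on a plain EJB3 interceptor, generalising the booking demo's @LoggedIn idea to role types). This is not code from the thread, from Seam or from JBoss. It assumes Seam's Contexts.getSessionContext() is available, that a User entity is stored under the session-context name "user" at login, that the intercepted methods are JSF actions returning a String outcome, and that the outcomes "login" and "forbidden" are mapped in faces-config.xml; the role names and bean are made up for the example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Arrays;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptors;
import javax.interceptor.InvocationContext;
import org.jboss.seam.contexts.Contexts;   // assumption: Seam context access

/** Declares which role(s) a bean, or one of its methods, requires (hypothetical annotation). */
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@interface RolesRequired {
    String[] value();
}

/** Hypothetical polymorphic User entity: each subclass names its role. */
abstract class User {
    public abstract String getRole();   // e.g. "CustomerUser", "AdminUser"
}

class AdminUser extends User {
    public String getRole() { return "AdminUser"; }
}

/** EJB3 interceptor that enforces @RolesRequired against the session-scoped User. */
public class RolesRequiredInterceptor {

    @AroundInvoke
    public Object checkRole(InvocationContext ctx) throws Exception {
        // Method-level annotation wins over the class-level one.
        RolesRequired required = ctx.getMethod().getAnnotation(RolesRequired.class);
        if (required == null) {
            required = ctx.getTarget().getClass().getAnnotation(RolesRequired.class);
        }
        if (required == null) {
            return ctx.proceed();            // nothing declared: let the call through
        }
        // Assumption: the login action put the User entity into the session context as "user".
        User user = (User) Contexts.getSessionContext().get("user");
        if (user == null) {
            return "login";                  // not logged in: navigation outcome, as in the booking demo
        }
        if (!isAllowed(user, required.value())) {
            return "forbidden";              // logged in, wrong role: assumed outcome in faces-config.xml
        }
        return ctx.proceed();
    }

    /** True when the user's role is one of the roles the annotation lists. */
    static boolean isAllowed(User user, String[] roles) {
        return Arrays.asList(roles).contains(user.getRole());
    }
}

@Local
interface AdminAction {
    String deleteEverything();
}

/** Sample bean: in plain EJB3 the interceptor is bound on the bean class itself. */
@Stateless
@Interceptors(RolesRequiredInterceptor.class)
@RolesRequired("AdminUser")
class AdminActionBean implements AdminAction {
    public String deleteEverything() {
        // ... only reached when the session User is an AdminUser
        return "done";
    }
}
```

Returning a navigation outcome from the interceptor only makes sense when the intercepted method is a JSF action with a String return type; for ordinary business methods throw an exception (javax.ejb.EJBAccessException, say) instead. The check also lives entirely in the application tier, so it works whatever the web container's realm configuration is, which is the point Gavin is making.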

          • 2. Re: JSF/Seam/EJB3 security best-practices
            patrick_ibg


            EJB3 interceptors give you the potential to define a declarative security model on top of any underlying security infrastructure you like.


            Yep. Which is why I thought SEAM (which uses servlet filters and ejb3 interceptors) might be an ideal place to provide an easy to use security model. I think 80% of web applications probably have the same basic security needs.

            • 3. Re: JSF/Seam/EJB3 security best-practices
              gavin.king

              I guess it might be interesting (and easy) to integrate Acegi into Seam. Christian says it is good, and better than JAAS.

              • 4. Re: JSF/Seam/EJB3 security best-practices
                lcoetzee

                One benefit of using the JBoss container security (JAAS) is that one can easily control the rendering of Tomahawk components through the JAAS roles (e.g. enabledOnUserRole):


                <t:commandLink action="#{nestedSetAction.loadAllTopicals}"
                enabledOnUserRole="TopicalManager" id="nestedSet">Nested Set</t:commandLink>


                However, I still have to verify if access to all secure JSF resources is really controlled (don't know how much the fact that the URL in the browser does not get updated will impact on the defined url-pattern in a security-constraint in the web.xml).

                L
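An added example, not from the thread or from MyFaces/Tomahawk, for the concern raised in the last reply. A web.xml security-constraint is checked by the container against the request URL only; a JSF navigation without &lt;redirect/&gt; forwards inside the same request, so a view under a protected url-pattern can be rendered in response to a request for an unprotected URL, and the browser's URL stays stale. The simplest fix is &lt;redirect/&gt; on the navigation cases that cross into a protected area; the JSF 1.1 PhaseListener below is a second line of defence that checks the JAAS role per view-id regardless of how the view was reached. The view-id prefixes, role names and login page are assumptions of this example.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

/** Enforces a JAAS role for every view under a given view-id prefix. */
public class ViewRoleEnforcer implements PhaseListener {

    /** view-id prefix -> role required to render it (constructed example rules). */
    private static final Map<String, String> RULES = new LinkedHashMap<String, String>();
    static {
        RULES.put("/admin/", "Administrator");
        RULES.put("/topical/", "TopicalManager");
    }

    public PhaseId getPhaseId() {
        // By RENDER_RESPONSE the view root is final, whether it came from the request
        // URL or from a forwarding navigation case.
        return PhaseId.RENDER_RESPONSE;
    }

    public void beforePhase(PhaseEvent event) {
        FacesContext fc = event.getFacesContext();
        if (fc.getViewRoot() == null) {
            return;
        }
        String role = requiredRole(fc.getViewRoot().getViewId());
        if (role == null) {
            return;                                   // unprotected view
        }
        ExternalContext ec = fc.getExternalContext();
        // Container-managed (JAAS) identity: the same roles Tomahawk's enabledOnUserRole uses.
        if (ec.getRemoteUser() == null || !ec.isUserInRole(role)) {
            try {
                // A real redirect also corrects the stale URL in the browser.
                ec.redirect(ec.getRequestContextPath() + "/login.jsf");   // assumed login page
            } catch (IOException e) {
                throw new IllegalStateException(e);
            }
            fc.responseComplete();                    // stop JSF from rendering the protected view
        }
    }

    public void afterPhase(PhaseEvent event) {
    }

    /** Returns the role the first matching prefix rule requires, or null if none matches. */
    static String requiredRole(String viewId) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (viewId.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return null;
    }
}
```

Register it in faces-config.xml under &lt;lifecycle&gt;&lt;phase-listener&gt;ViewRoleEnforcer&lt;/phase-listener&gt;&lt;/lifecycle&gt;. Keep the web.xml security-constraint as well: the listener only covers views rendered through the JSF lifecycle, while the constraint covers direct requests for the .jsf/.jsp resources and anything else under the url-pattern.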