1. Re: JSF/Seam/EJB3 security best-practices
gavin.king Dec 7, 2005 5:12 PM (in response to patrick_ibg)
IANASE (I Am Not A Security Expert) but, IMO, EJB3 interceptors give you the potential to define a declarative security model on top of any underlying security infrastructure you like.
But it was my impression that JBoss security is so pluggable that there are other places you can customize the container managed security used by EJB3.
2. Re: JSF/Seam/EJB3 security best-practices
patrick_ibg Dec 7, 2005 5:28 PM (in response to patrick_ibg)
EJB3 interceptors give you the potential to define a declarative security model on top of any underlying security infrastructure you like.
Yep. Which is why I thought SEAM (which uses servlet filters and ejb3 interceptors) might be an ideal place to provide an easy-to-use security model. I think 80% of web applications probably have the same basic security needs.
3. Re: JSF/Seam/EJB3 security best-practices
gavin.king Dec 7, 2005 6:00 PM (in response to patrick_ibg)
I guess it might be interesting (and easy) to integrate Acegi into Seam. Christian says it is good, and better than JAAS.
4. Re: JSF/Seam/EJB3 security best-practices
lcoetzee Dec 8, 2005 4:01 AM (in response to patrick_ibg)
One benefit of using the JBoss container security (JAAS) is that one can easily control the rendering of Tomahawk components through the JAAS roles (e.g. enabledOnUserRole):
<t:commandLink action="#{nestedSetAction.loadAllTopicals}"
enabledOnUserRole="TopicalManager" id="nestedSet">Nested Set</t:commandLink>
However, I still have to verify if access to all secure JSF resources is really controlled (don't know how much the fact that the URL in the browser does not get updated will impact on the defined-url pattern in a security-constraint in the web.xml).
L
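
The thread's two threads of thought meet at the action method: enabledOnUserRole only controls rendering, and servlet security-constraint patterns are applied to client requests, not to RequestDispatcher forwards, whereas an EJB3 interceptor can enforce the role on the method itself. The following is an added example, not code from any poster or from Seam; it uses the final EJB 3.0 API, and RequiresRole, RoleCheckInterceptor, NestedSetAction and NestedSetActionBean are assumed names.

```java
// Added illustration. RequiresRole, RoleCheckInterceptor, NestedSetAction and
// NestedSetActionBean are assumed names, not Seam or Tomahawk API.
// Shown in one listing; in a project each type is public in its own source file.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptors;
import javax.interceptor.InvocationContext;

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRole { String value(); }

class RoleCheckInterceptor {
    @Resource
    private EJBContext ctx;   // caller identity supplied by the container (JAAS on JBoss)

    @AroundInvoke
    public Object check(InvocationContext ic) throws Exception {
        RequiresRole required = ic.getMethod().getAnnotation(RequiresRole.class);
        // Deny before the business method runs, however the request reached it.
        if (required != null && !ctx.isCallerInRole(required.value())) {
            throw new EJBAccessException("caller lacks role " + required.value());
        }
        return ic.proceed();
    }
}

@Local
interface NestedSetAction { String loadAllTopicals(); }

@Stateless
@DeclareRoles("TopicalManager")            // roles tested with isCallerInRole must be declared
@Interceptors(RoleCheckInterceptor.class)
public class NestedSetActionBean implements NestedSetAction {
    @RequiresRole("TopicalManager")        // same role the commandLink uses for rendering
    public String loadAllTopicals() {
        return "topicals";                 // assumed JSF navigation outcome
    }
}
```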