3 Replies Latest reply on Oct 23, 2006 4:28 PM by texan

    Role enforcement on a RESTful page

    texan

      I'm still struggling to get my Role based security working. When protecting an action, I'm in pretty good shape when the action is called first and then determines the outcome.

      However, I'm having trouble with some pull-style pages.

      I can't use my current approach of intercepting the action calls and returning a different destination (auth failure page). I can't throw an exception because JSF just pukes up an error page instead of letting me handle it and hijack the output.

      Have any of you had success in controlling access to JSF pages based on roles? This is a customer-facing application, so I need to display a kind & gentle error page, preferably one that indicates which role is needed.

      The only thing I can't think of (which I will attempt next) is an outer Facelets template that checks for the existence of a permission error object (using EL) and displays and error instead of rendering the normal content.

        • 1. Re: Role enforcement on a RESTful page
          texan

          Hmm, that won't work either, because the processing of the JSF components will have already happened, which means that a bunch of calls were already made to the action.

          I'm trying to catch it before any actions get invoked. Maybe a global action entry in the pages.xml file.

          Isn't it scary when you're having a conversation with yourself on a forum?

          • 2. Re: Role enforcement on a RESTful page

            We do that all the time ;)

            Seriously, it does make it easier to google solutions for a problem when one talks oneself through the solution publicly.

            chuck

            • 3. Re: Role enforcement on a RESTful page
              texan

              Is it as simple as putting the role constraint in web.xml and including an <error-page> tag for a 403? The problem I was having with interceptors is that I really want to control access to the page rather than the assortment of methods that get called from the page.
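One way to get the "check before any action runs" behaviour the thread is circling around, as an added example that is not from this thread or from Seam itself: a plain servlet Filter that runs ahead of the Faces/Seam servlet, maps page paths to a required role, and forwards to a friendly page carrying the name of the missing role. It assumes that authentication has already happened (container-managed or otherwise) so that `request.isUserInRole()` answers correctly; the paths `/admin/`, `/orders/`, the roles `admin`/`customer`, and the page `/accessDenied.jsp` are hypothetical placeholders.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not code from the thread or from Seam): enforce a required
 * role per page path before the JSF lifecycle starts, so that no action
 * methods are invoked for a user who lacks the role. Assumes the principal
 * has already been established so request.isUserInRole() is meaningful.
 */
public class PageRoleFilter implements Filter {

    /** Hypothetical path-prefix to role map; a real deployment would load this from config. */
    private final Map<String, String> requiredRoles = new LinkedHashMap<String, String>();

    /** Hypothetical friendly error page; it reads the missing role from a request attribute. */
    private static final String DENIED_PAGE = "/accessDenied.jsp";

    public void init(FilterConfig config) throws ServletException {
        // Constructed sample entries: everything under /admin/ needs "admin",
        // everything under /orders/ needs "customer". Unlisted paths are open.
        requiredRoles.put("/admin/", "admin");
        requiredRoles.put("/orders/", "customer");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/admin/reports.seam"
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String needed = requiredRole(path);

        if (needed != null && !request.isUserInRole(needed)) {
            // Deny before any JSF processing: mark the response 403 and forward to a
            // page that can display ${requiredRole} to tell the user which role is needed.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            request.setAttribute("requiredRole", needed);
            request.getRequestDispatcher(DENIED_PAGE).forward(request, response);
            return;
        }
        // Authorised (or unprotected path): let the Faces/Seam servlet handle it
        chain.doFilter(req, res);
    }

    /** Returns the role required for a path, or null when the path is unprotected. */
    String requiredRole(String path) {
        for (Map.Entry<String, String> entry : requiredRoles.entrySet()) {
            if (path.startsWith(entry.getKey())) {
                return entry.getValue();
            }
        }
        return null;
    }

    public void destroy() {
        requiredRoles.clear();
    }
}
```

Register it in web.xml with a `<filter>` and a `<filter-mapping>` whose `<url-pattern>` covers the Faces servlet mapping (for example `*.seam`); filters run before the servlet, so the check happens before any JSF phase and before any action is invoked. If the denied page is itself a Facelets view rather than a JSP, forward to its Faces-mapped URL so the Faces servlet renders it. The declarative alternative from the last post, a `<security-constraint>` plus an `<error-page>` for 403 in web.xml, also blocks the request before JSF runs, but the container's 403 error page is not told which role was missing, which is why the filter passes that name along explicitly.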