-
1. Re: Security in JSF / Richfaces 4
jhuska Nov 23, 2012 1:25 PM (in response to cherrera28)
1 of 1 people found this helpful
Hey Carlos,
I do know much about security, just once I came across these projects:
https://github.com/jboss-jdf/jboss-as-quickstart/tree/master/servlet-security
https://github.com/jboss-jdf/jboss-as-quickstart/tree/master/ejb-security
Check them out to see whether they can help you somehow. Otherwise, hopefully someone more experienced will reply to you.
-
2. Re: Security in JSF / Richfaces 4
cherrera28 Nov 23, 2012 2:47 PM (in response to jhuska)
Thanks Juraj...
Actually, I was implementing declarative security (with security constraints, roles, login configuration) in the web.xml deployment descriptor, but I can't dynamically evaluate the roles configured in the descriptor against roles persisted in some directory (in an RDBMS or LDAP). This kind of security is the same as the one depicted in the documents that you gave me.
Do you know any other techniques for securing this kind of application?
Thanks again for your support.
Regards.
-
3. Re: Security in JSF / Richfaces 4
iabughosh Nov 24, 2012 1:20 AM (in response to cherrera28)
1 of 1 people found this helpful
Hello Carlos,
You need to look at your application server's security documentation to achieve this, for example the JBoss 7.1 documentation:
https://docs.jboss.org/author/display/AS71/Security+subsystem+configuration
Regards.
-
4. Re: Security in JSF / Richfaces 4
cherrera28 Feb 12, 2013 1:37 PM (in response to cherrera28)
Thanks guys...
I can achieve this goal by following the next process:
- Create roles mapped to LDAP groups of users that will use the application (in web.xml file).
- Create security constraints for collections of secured resources provided by declarative container security module (in web.xml).
- Create login configuration specifying the realm name previously defined in the container and the auth method (in web.xml).
- In my case, I'm using GlassFish 3.1.2 as the application server, so I was forced to map the security roles in glassfish-web.xml.
My deployment descriptors look something like:
glassfish-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
  <!-- Map each role declared in web.xml to the group of the same name in the realm -->
  <security-role-mapping>
    <role-name>AdminApps</role-name>
    <group-name>AdminApps</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>OperacionesApp</role-name>
    <group-name>OperacionesApp</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</glassfish-web-app>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Production</param-value>
  </context-param>
  <context-param>
    <param-name>org.richfaces.skin</param-name>
    <param-value>DEFAULT</param-value>
  </context-param>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>secure/index.jsf</welcome-file>
  </welcome-file-list>
  <error-page>
    <error-code>403</error-code>
    <location>/AccessDenied.html</location>
  </error-page>
  <!-- Everything under /secure/ requires one of the two roles listed below -->
  <security-constraint>
    <display-name>Secure</display-name>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <description/>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <description/>
      <role-name>AdminApps</role-name>
      <role-name>OperacionesApp</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Form-based login against the realm defined in the container -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ldap-realm</realm-name>
    <form-login-config>
      <form-login-page>/Login.jsf</form-login-page>
      <form-error-page>/Login.jsf</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Roles referenced by the auth-constraint above -->
  <security-role>
    <description/>
    <role-name>AdminApps</role-name>
  </security-role>
  <security-role>
    <description/>
    <role-name>OperacionesApp</role-name>
  </security-role>
</web-app>
All navigation can be natural because the authorization is handled by the container.
The project runs perfectly now.
Thanks.
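
The setup in the last post relies on every role name appearing consistently in three places: the auth-constraint, the security-role declarations and the security-role-mapping entries in glassfish-web.xml. The following is an added example, not code from the thread, that cross-checks those three sets; the function names and the reduced sample descriptors (including the made-up role "Auditors") are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/javaee}"  # namespace of the Servlet 3.0 web.xml

# Constructed descriptors, reduced to their security elements.
# "Auditors" is a made-up role added to show a mismatch.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AdminApps</role-name>
      <role-name>Auditors</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>AdminApps</role-name></security-role>
  <security-role><role-name>OperacionesApp</role-name></security-role>
</web-app>"""

GLASSFISH_WEB_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>AdminApps</role-name>
    <group-name>AdminApps</group-name>
  </security-role-mapping>
</glassfish-web-app>"""


def _names(parents, child):
    """Collect the stripped text of every `child` element under `parents`."""
    return {(e.text or "").strip() for p in parents for e in p.findall(child)}


def audit_roles(web_xml, glassfish_xml):
    web, gf = ET.fromstring(web_xml), ET.fromstring(glassfish_xml)
    # Roles that guard resources; "*" means "any declared role", so skip it.
    used = _names(web.iter(NS + "auth-constraint"), NS + "role-name") - {"*"}
    declared = _names(web.findall(NS + "security-role"), NS + "role-name")
    # A mapping only counts if it names at least one group or principal.
    mapped = _names(
        [m for m in gf.findall("security-role-mapping")
         if m.find("group-name") is not None or m.find("principal-name") is not None],
        "role-name")
    return {
        "undeclared": sorted(used - declared),           # in a constraint, no <security-role>
        "unmapped": sorted((used | declared) - mapped),  # no group/principal in glassfish-web.xml
        "unused": sorted(declared - used),               # declared but guards nothing
    }


if __name__ == "__main__":
    for finding, roles in audit_roles(WEB_XML, GLASSFISH_WEB_XML).items():
        print(f"{finding}: {roles}")
```

An "unmapped" finding assumes roles are assigned only through explicit security-role-mapping entries, as in the post.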