4 Replies Latest reply on Feb 12, 2013 1:37 PM by cherrera28

    Security in JSF / Richfaces 4

    cherrera28

      Hello Community...

      I'm working on a sales / invoicing application and all the functionality has been delivered except the application security.

      The requirements specify the following features:

      1. The authentication process must be against LDAP (MS Active Directory).
      2. The authorization process must be implemented using a user / role model, and the information about this configuration must be stored in an RDBMS.

      Does any project in the JBoss community actually exist to handle this application feature, something like Spring Security (but simpler)?

      Thanks for your support.

      Regards.

        • 1. Re: Security in JSF / Richfaces 4
          jhuska

          Hey Carlos,

          I do know much about security, just once I came across these projects:

          https://github.com/jboss-jdf/jboss-as-quickstart/tree/master/servlet-security

          https://github.com/jboss-jdf/jboss-as-quickstart/tree/master/ejb-security

          Check them out to see whether they can help you somehow. Otherwise, hopefully someone more experienced will reply to you.

          • 2. Re: Security in JSF / Richfaces 4
            cherrera28

            Thanks Juraj...

            Actually, I had implemented declarative security (with security constraints, roles, login configuration) in the web.xml deployment descriptor, but I can't dynamically evaluate the roles configured in the descriptor against roles persisted in some directory (in an RDBMS or LDAP). This kind of security is the same as depicted in the documents that you gave me.

            Do you know other techniques for securing this kind of application?

            Thanks again for your support.

            Regards.

            • 3. Re: Security in JSF / Richfaces 4
              iabughosh

              Hello Carlos,

              you need to look at your application server's security documentation to achieve this, for example the JBoss 7.1 documentation:

              https://docs.jboss.org/author/display/AS71/Security+subsystem+configuration

              regards.

              • 4. Re: Security in JSF / Richfaces 4
                cherrera28

                Thanks guys...

                I can achieve this goal by following this process:

                1. Create roles mapped to the LDAP groups of users that will use the application (in the web.xml file).
                2. Create security constraints for collections of secured resources, provided by the container's declarative security module (in web.xml).
                3. Create a login configuration specifying the realm name previously defined in the container and the auth method (in web.xml).
                4. In my case, I'm using GlassFish 3.1.2 as the application server, so I was forced to map the security roles in glassfish-web.xml.

                My deployment descriptors look something like:

                glassfish-web.xml


                <?xml version="1.0" encoding="UTF-8"?>
                <!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
                <glassfish-web-app error-url="">
                  <!-- Map each web.xml role to the realm (LDAP) group that grants it -->
                  <security-role-mapping>
                    <role-name>AdminApps</role-name>
                    <group-name>AdminApps</group-name>
                  </security-role-mapping>
                  <security-role-mapping>
                    <role-name>OperacionesApp</role-name>
                    <group-name>OperacionesApp</group-name>
                  </security-role-mapping>
                  <class-loader delegate="true"/>
                  <jsp-config>
                    <property name="keepgenerated" value="true">
                      <description>Keep a copy of the generated servlet class' java code.</description>
                    </property>
                  </jsp-config>
                </glassfish-web-app>

                web.xml

                <?xml version="1.0" encoding="UTF-8"?>
                <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
                    <context-param>
                        <param-name>javax.faces.PROJECT_STAGE</param-name>
                        <param-value>Production</param-value>
                    </context-param>
                    <context-param>
                        <param-name>org.richfaces.skin</param-name>
                        <param-value>DEFAULT</param-value>
                    </context-param>
                    <servlet>
                        <servlet-name>Faces Servlet</servlet-name>
                        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
                        <load-on-startup>1</load-on-startup>
                    </servlet>
                    <servlet-mapping>
                        <servlet-name>Faces Servlet</servlet-name>
                        <url-pattern>*.jsf</url-pattern>
                    </servlet-mapping>
                    <session-config>
                        <session-timeout>30</session-timeout>
                    </session-config>
                    <welcome-file-list>
                        <welcome-file>secure/index.jsf</welcome-file>
                    </welcome-file-list>
                    <error-page>
                        <error-code>403</error-code>
                        <location>/AccessDenied.html</location>
                    </error-page>
                    <!-- Container-managed constraint: everything under /secure/ requires one of the listed roles -->
                    <security-constraint>
                        <display-name>Secure</display-name>
                        <web-resource-collection>
                            <web-resource-name>Secure</web-resource-name>
                            <description/>
                            <url-pattern>/secure/*</url-pattern>
                        </web-resource-collection>
                        <auth-constraint>
                            <description/>
                            <role-name>AdminApps</role-name>
                            <role-name>OperacionesApp</role-name>
                        </auth-constraint>
                    </security-constraint>
                    <!-- FORM login against the LDAP realm configured in the container -->
                    <login-config>
                        <auth-method>FORM</auth-method>
                        <realm-name>ldap-realm</realm-name>
                        <form-login-config>
                            <form-login-page>/Login.jsf</form-login-page>
                            <form-error-page>/Login.jsf</form-error-page>
                        </form-login-config>
                    </login-config>
                    <security-role>
                        <description/>
                        <role-name>AdminApps</role-name>
                    </security-role>
                    <security-role>
                        <description/>
                        <role-name>OperacionesApp</role-name>
                    </security-role>
                </web-app>


                All navigation can be natural because the authorization is handled by the container.

                The project runs perfectly now.

                Thanks.
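To verify what a descriptor like the one above actually protects (which request paths, which roles, and whether HTTPS is enforced), here is an added Python audit script; it is not from the thread or from GlassFish. The embedded web.xml is constructed after the one above with an assumed extra /secure/admin/* constraint, and the best-match order (exact, longest /prefix/*, *.ext, default) and the constraint-combination rules are my approximation of the Servlet container's behaviour, to be checked against your server's documentation.

```python
# Added audit of which paths a web.xml's <security-constraint> elements protect. Sample is constructed
# after the thread's web.xml plus an assumed /secure/admin/* rule; match order and combination rules are assumptions.
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
 <security-constraint><web-resource-collection><web-resource-name>Secure</web-resource-name>
  <url-pattern>/secure/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>AdminApps</role-name><role-name>OperacionesApp</role-name>
  </auth-constraint></security-constraint>
 <security-constraint><web-resource-collection><web-resource-name>Admin</web-resource-name>
  <url-pattern>/secure/admin/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>AdminApps</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint></web-app>"""

def load_constraints(xml_text):
    """Each constraint -> (patterns, roles, https); roles is None when no <auth-constraint>."""
    out = []
    for sc in ET.fromstring(xml_text).findall("j:security-constraint", NS):
        pats = [p.text.strip() for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        ac = sc.find("j:auth-constraint", NS)
        roles = None if ac is None else [r.text.strip() for r in ac.findall("j:role-name", NS)]
        tg = sc.find("j:user-data-constraint/j:transport-guarantee", NS)
        out.append((pats, roles, tg is not None and tg.text.strip() != "NONE"))
    return out

def _rank(pattern, path):
    if pattern == path:                           # exact match is most specific
        return (3, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))                  # longer prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def check(path, constraints):
    """Return (access, https_required); access is 'open', 'denied' or a sorted role list."""
    best, hits = (-1, 0), []
    for pats, roles, https in constraints:
        ranks = [r for r in (_rank(p, path) for p in pats) if r is not None]
        if ranks and max(ranks) >= best:
            hits = hits + [(roles, https)] if max(ranks) == best else [(roles, https)]
            best = max(ranks)
    if not hits:
        return "open", False                      # nothing matched: the container lets it through
    https = any(h for _, h in hits)
    if any(r == [] for r, _ in hits):             # empty <auth-constraint/> overrides the rest
        return "denied", https
    if any(r is None for r, _ in hits):           # a constraint without <auth-constraint> opens it
        return "open", https
    return sorted({r for rs, _ in hits for r in rs}), https
```

Running check() over /index.jsf shows the gap a constraint scoped to /secure/* leaves: any page outside that prefix is served without authentication, so resources must either live under the protected path or get their own constraint.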