4 Replies Latest reply on Dec 8, 2005 4:01 AM by Louis Coetzee

    JSF/Seam/EJB3 security best-practices

    Patrick Angeles Novice

      I want to start a discussion on security implementation.

      The final stumbling block for me in the entire JSF/Facelets/SEAM/EJB3/JBoss stack is the security aspect. JAAS is a big hairy beast and is probably overkill for most web applications, and JSF doesn't seem to play well out-of-the-box with web-container managed security (Realms and Roles).

      There are some pertinent JSF security discussions in the java forums:.
      - An article by Ed Burns: http://forum.java.sun.com/thread.jspa?threadID=675281&tstart=0
      - Another discussion can be found here: http://forum.java.sun.com/thread.jspa?threadID=502322&start=0&tstart=0

      I like the @LoggedIn example used by the HotelBooking demo. Perhaps it can be generalized to work with multiple role-types. I think the key is to have a User entity (which can be polymorphic: CustomerUser, AdminUser, etc.) that lives in the Session context...

        • 1. Re: JSF/Seam/EJB3 security best-practices
          Gavin King Master

          IANASE (I Am Not A Security Expert) but, IMO, EJB3 interceptors give you the potential to define a declarative security model on top of any underlying security infrastructure you like.

          But it was my impression that JBoss security is so pluggable that there are other places you can customize the container managed security used by EJB3.

          • 2. Re: JSF/Seam/EJB3 security best-practices
            Patrick Angeles Novice

             

            EJB3 interceptors give you the potential to define a declarative security model on top of any underlying security infrastructure you like.


            Yep. Which is why I thought SEAM (which uses servlet filters and ejb3 interceptors) might be an ideal place to provide an easy to use security model. I think 80% of web applications probably have the same basic security needs.

            • 3. Re: JSF/Seam/EJB3 security best-practices
              Gavin King Master

              I guess it might be interesting (and easy) to integrate Acegi into Seam. Christian says it is good, and better than JAAS.

              • 4. Re: JSF/Seam/EJB3 security best-practices
                Louis Coetzee Apprentice

                One benefit of using the JBoss container security (JAAS) is that one can easily control the rendering of Tomahawk components through the JAAS roles (e.g. enableOnUserRole):


                <t:commandLink action="#{nestedSetAction.loadAllTopicals}"
                enabledOnUserRole="TopicalManager" id="nestedSet">Nested Set</t:commandLink>


                However, I still have to verify if access to all secure JSF resources are really controlled (don't know how much the fact that the URL in the browser does not get updated will impact on the defined-url pattern in a security-constraint in the web.xml).

                L