    JSF/Seam/EJB3 security best-practices

    Patrick Angeles Novice

      I want to start a discussion on security implementation.

      The final stumbling block for me in the entire JSF/Facelets/SEAM/EJB3/JBoss stack is the security aspect. JAAS is a big hairy beast and is probably overkill for most web applications, and JSF doesn't seem to play well out-of-the-box with web-container managed security (Realms and Roles).

      There are some pertinent JSF security discussions in the java forums:
      - An article by Ed Burns: http://forum.java.sun.com/thread.jspa?threadID=675281&tstart=0
      - Another discussion can be found here: http://forum.java.sun.com/thread.jspa?threadID=502322&start=0&tstart=0

      I like the @LoggedIn example used by the HotelBooking demo. Perhaps it can be generalized to work with multiple role-types. I think the key is to have a User entity (which can be polymorphic: CustomerUser, AdminUser, etc.) that lives in the Session context...
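As an added example (not from the original post, nor from the Seam HotelBooking demo itself) of generalizing the `@LoggedIn` interceptor idea to several role types: a hypothetical `@RequiresRole` annotation checked by an EJB3 `@AroundInvoke` interceptor against a polymorphic `User` entity held in the Seam session context. The `Role` enum, the `"user"` component name, the `User` subclasses and the `"unauthorized"` outcome are assumptions; `Contexts.getSessionContext()` is the Seam 1.x lookup the booking demo's interceptor uses.

```java
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import java.util.EnumSet;
import java.util.Set;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.jboss.seam.contexts.Contexts;

// Roles the application knows about (assumed names; one enum, many User subtypes).
enum Role { CUSTOMER, ADMIN }

// Marks an action method or a whole component as requiring one of the listed roles.
@Target({TYPE, METHOD}) @Retention(RUNTIME)
@interface RequiresRole { Role[] value(); }

// Session-scoped User entity; each subtype decides which roles it carries.
abstract class User {
    abstract Set<Role> roles();
    boolean hasAnyRole(Role[] wanted) {
        for (Role r : wanted) if (roles().contains(r)) return true;
        return false;
    }
}
class CustomerUser extends User { Set<Role> roles() { return EnumSet.of(Role.CUSTOMER); } }
class AdminUser extends User { Set<Role> roles() { return EnumSet.of(Role.CUSTOMER, Role.ADMIN); } }

// Interceptor: lets the call through only if a User with a matching role is in the session.
// Attach it with @Interceptors(RoleInterceptor.class) on the session bean (separate file in practice).
public class RoleInterceptor {
    @AroundInvoke
    public Object checkRole(InvocationContext ctx) throws Exception {
        RequiresRole req = ctx.getMethod().getAnnotation(RequiresRole.class);
        if (req == null) req = ctx.getTarget().getClass().getAnnotation(RequiresRole.class);
        if (req == null) return ctx.proceed();            // nothing demanded for this method

        // The booking demo keeps a "loggedIn" flag in the session; here the User entity
        // itself is stored under the assumed component name "user".
        Object u = Contexts.getSessionContext().get("user");
        if (!(u instanceof User)) return "login";         // not authenticated: JSF outcome to the login page
        if (!((User) u).hasAnyRole(req.value())) return "unauthorized"; // authenticated, wrong role
        return ctx.proceed();                             // authorized: run the action
    }
}
```

Because the check runs on the server-side action rather than in the view, hiding a link in a Facelets page is never the only thing standing between a CustomerUser and an admin operation.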