4 Replies Latest reply on Feb 12, 2013 1:37 PM by Carlos Herrera

    Security in JSF / Richfaces 4

    Carlos Herrera Newbie

      Hello Community...

       

      Im working on a sales / invoicing application and all the functionallity has been delivered except the application security.

       

      The requirement specify the next features:

       

      1. The authentication process must be against LDAP (MS Active Directory).
      2. The authorization process must be implemented using a user / role model and the information about this configuration must be stored in a RDBMS.

       

      Does actually exist any project in jboss community to handle this application feature?, something like spring security (but simpler)?

       

      Thanks for your support.

       

      Regards.

        • 1. Re: Security in JSF / Richfaces 4
          Juraj Húska Master

          Hey Carlos,

           

          I do know much about security, just once I came across these projects:

          https://github.com/jboss-jdf/jboss-as-quickstart/tree/master/servlet-security

          https://github.com/jboss-jdf/jboss-as-quickstart/tree/master/ejb-security

           

          Check them out whether they can help you somehow. In other case hopefully someone more experienced will reply you.

          1 of 1 people found this helpful
          • 2. Re: Security in JSF / Richfaces 4
            Carlos Herrera Newbie

            Thanks Juraj...

             

            Actually, i was implement declarative security (with security contraints, roles, login configuration) in the web.xml deployment descriptor, but i cant evaluate dinamically the roles configured in the descriptor against roles persisted in some directory (in RDBMS or LDAP). This kind of security is the same depicted in the documents that you gave me.

             

            Do you know another techniques for secure this kind of applications?

             

            Thanks again for your support.

             

            Regards.

            • 3. Re: Security in JSF / Richfaces 4
              iabughosh Master

              Hello Carlos,

              you need to look for your application server security documentations to achieve this, for example JBoss 7.1 documentation :

              https://docs.jboss.org/author/display/AS71/Security+subsystem+configuration

               

              regards.

              1 of 1 people found this helpful
              • 4. Re: Security in JSF / Richfaces 4
                Carlos Herrera Newbie

                Thanks guys...

                 

                I can archieve this goal following the next process:

                 

                1. Create roles mapped to LDAP groups of users that will use the application (in web.xml file).
                2. Create security constraints for collections of secured resources provided by declarative container security module (in web.xml).
                3. Create login configuration specifying the realm name previously defined in the container and the auth method (in web.xml).
                4. In my case, im using glassfish 3.1.2 as application server, so i was forced to map the security roles in glassfish-web.xml.

                 

                My deployment descriptors looks something like:

                 

                glassfish-web.xml

                 

                <?xml version="1.0" encoding="UTF-8"?>

                <!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">

                <glassfish-web-app error-url="">

                  <security-role-mapping>

                    <role-name>AdminApps</role-name>

                    <group-name>AdminApps</group-name>

                  </security-role-mapping>

                  <security-role-mapping>

                    <role-name>OperacionesApp</role-name>

                    <group-name>OperacionesApp</group-name>

                  </security-role-mapping>

                  <class-loader delegate="true"/>

                  <jsp-config>

                    <property name="keepgenerated" value="true">

                      <description>Keep a copy of the generated servlet class' java code.</description>

                    </property>

                  </jsp-config>

                </glassfish-web-app>

                 

                web.xml

                 

                <?xml version="1.0" encoding="UTF-8"?>

                <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

                    <context-param>

                        <param-name>javax.faces.PROJECT_STAGE</param-name>

                        <param-value>Production</param-value>

                    </context-param>

                    <context-param>

                        <param-name>org.richfaces.skin</param-name>

                        <param-value>DEFAULT</param-value>

                    </context-param>

                    <servlet>

                        <servlet-name>Faces Servlet</servlet-name>

                        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>

                        <load-on-startup>1</load-on-startup>

                    </servlet>

                    <servlet-mapping>

                        <servlet-name>Faces Servlet</servlet-name>

                        <url-pattern>*.jsf</url-pattern>

                    </servlet-mapping>

                    <session-config>

                        <session-timeout>

                            30

                        </session-timeout>

                    </session-config>

                    <welcome-file-list>

                        <welcome-file>secure/index.jsf</welcome-file>

                    </welcome-file-list>

                    <error-page>

                        <error-code>403</error-code>

                        <location>/AccessDenied.html</location>

                    </error-page>

                    <security-constraint>

                        <display-name>Secure</display-name>

                        <web-resource-collection>

                            <web-resource-name>Secure</web-resource-name>

                            <description/>

                            <url-pattern>/secure/*</url-pattern>

                        </web-resource-collection>

                        <auth-constraint>

                            <description/>

                            <role-name>AdminApps</role-name>

                            <role-name>OperacionesApp</role-name>

                        </auth-constraint>

                    </security-constraint>

                    <login-config>

                        <auth-method>FORM</auth-method>

                        <realm-name>ldap-realm</realm-name>

                        <form-login-config>

                            <form-login-page>/Login.jsf</form-login-page>

                            <form-error-page>/Login.jsf</form-error-page>

                        </form-login-config>

                    </login-config>

                    <security-role>

                        <description/>

                        <role-name>AdminApps</role-name>

                    </security-role>

                    <security-role>

                        <description/>

                        <role-name>OperacionesApp</role-name>

                    </security-role>

                </web-app>

                 

                All navigation can be natural because de authorization is handled by the container.

                 

                The project runs perfect now.

                 

                Thanks.