I have a web application with JSF. For authentication we are switching to OAuth and for authorization we are switching to CASBIN. Having said that I did not see any TAGLIBS from CASBIN which can be used in the JSF pages directly. Any idea how to tackle this problem?
I have no experience with Spring security either, would that be a better option to go with JSF?
Thank you for your time.
Related
I am currently working on a project that uses WebLogic Portal and Apache Beehive Page Flow Controller.
The team would like to remove WebLogic Portal and the Page Flow Controllers with JSF. Currently we have not found a way to manage the workflow with JSF as with PFC.
With Spring MVC it would be easy because we only remove Beehive annotations using Spring MVC Annotations but we would like to go directly with JSF so later we can start using icefaces.
Any suggestions of where I can find information about what we want to do?
Thank you very much in advance.
I've been using Struts 1.x for more than 1 year now, and I've been learning about JSF recently. I know both JSF and Struts are different frameworks but I wanted to use Struts as Action framework and JSF as Component framework in my web application. I'm not sure if we can do that, and couldn't find any materials online regarding this.
Suggestions and links are welcome, Thanks in advance
Struts and JSF can be used in a web application, some(or no) changes might be required in the back end but as both the frameworks follow MVC, the "VIEW" tier would be much similar.
As JSF and Struts both have their own advantages, we can use the advantagesof of each combinedly, like ValidationFramework in Struts and JSF components (html components in Struts)
All this I would just only if you have an existing Struts application, can find more detailed information here
though the link talks about older versions, i hope it gives basic information
I've been asked by a freelancer friend of mine to join him on a JSF 2.0 project, and I'm slowly picking up speed and putting the pieces together. Coming from a Windows Forms .NET world, I have a lot to learn to say the least.
My major concern is with the lack of apparent consensus on how to protect a JSF application.
Some methods have been proposed here on SO, including using Spring security, Seam security, custom phase listeners, or simply using the rendered="#{...}" attribute to show/hide components based on user authentication.
I have tried to implement some of these methods, for example Spring security, only to find out that it gets easily defeated by the JSF navigation mechanism that forwards to views instead of redirecting. In other words, Spring security will work fine if the user types in the url of a secured page directly, but not if a h:commandButton's action takes him there.
In view of this, some have suggested to force a redirect by using "faces-redirect=true", but we feel that this could become a performance issue as this causes 2 requests from the browser each time.
On the other hand, I gave up trying to implement Seam security after getting so many missing dependencies errors.
The best solution I have found so far is a custom phase listener from Duncan Mills - Effective Page Authorization In JavaServer Faces, but I'm not 100% convinced this should be used on public facing JSF applications.
So finally, what does this leave us with ? I know this is a pretty wide open ended question, but I honestly have no clue where to go next. I'm pretty sure I have followed the different tutorials to the letter, for example Spring tutorials, but I'm still not satisfied with the way it works.
Could anyone at least confirm/infirm the fact that Spring security is supposed to work across JSF forwards, as I've seen many posts by others having the same issue ? That would at least give me a direction to keep going.
Thank you.
Combination of servlet filter for page validation (applied to the faces servlet), identity session bean (storing user attributes e.g. Role, login id) and a few methods for entitlement checks (e.g. isAdmin(), canViewRecord(recordID)) well ised throughout your page.
You see, when it comes to security I opt for not leaving it in anybody else's hand. also, I validate in several places (hiding a component won't keep folks from forging the right POST request to trigger specific bean methods so watch out).
When I work with JSF I use spring-security.
About the behavior that you comment that spring security allows redirections done with commands button, is weird you must have a wrong configuration because it seams working fine in my project (I just tested).
In any case you can also use the spring security tags to render or not components according to the user's role.
This is a project that can help you to implement the tags.
http://www.dominikdorn.com/facelets/
Hope this helps..
If I do a GWT application with a MVP. Can you confirm that I will not have to use JSF? I have understood that JSF is just for MVC application?
MVC and MVP are patterns so they are not aware of any technology such as GWT or JSF. MVP is a variation of MVC.
GWT and JSF are technologies used for browser-based client applications. They have completely separate origins and implementations. The only thing that may relate them is that both aim to offer AJAX-rich browser JavaScript code at the end.
You won't need JSF if you do GWT apps. You may encapsulate GWT application into JSF if you have large JSF application and you want to take advantage of GWT.
GWT is completly seperate from JSF. Thought you could build a site that uses JSF for some parts and GWT for others.
I want to write some new functionality in spring MVC, the problem is that the current site is written in JSF 1.2.
It does use spring 2.5 application context, but thats all.
I am thinking i can drop in spring MVC, write a single page in it, and then see what kind of hoops ill have to jump through to be able to have seamless sessions between spring mvc and jsf.
can someone offer some wise words to me about this venture?
The session will not be a problem. It will be the same session, because it's a lower-level concept than JSF and spring-mvc.
The URL mapping of the respective servlets (the dispatcher servlet and the faces servlet) might be a problem. Your faces servlet would be mapped to *.jsf, and then your dispatcher servlet should be mapped to something like /mvc/*
The question remains whether mixing frameworks like that is a good option. I'd rather suggest using JSF everywhere in this project.
If you need some RESTful services, you can use spring-mvc, or you can use some JAX-RS provider, like CXF or RESTEasy.