I have my own realm classes extends AppservPasswordLoginModule and AppservRealm where I get user and roles from my own table in database. In web.xml I defined access to pages and it works.
I have some mechanism to read main menu from my menu.xml file in my bean with #SessionScoped annotation.
I want to use rules from web.xml to display only this items, which user has acces to (defined in web.xml), without repeating configuration in my menu.xml file.
I imagine that the solution might be to check the access to the page when I create menu item for this page in my SessionScoped bean, but I don't know how it could be checked easily.
What is the best solution for this situation?
I'm using glassfish 4.1 and jsf 2.2.
I solved this by the following method:
In my ServletListener
#WebListener
public class implements ServletListener ServletContextListener {...}
I read security-constraint from web.xml, parsing them and store it in my #ApplicationScoped bean.
In #SessionScoped bean, in #PostConstruct annotated method I get all roles stored in #ApplicationScoped bean and checked each individual by
FacesContext.getCurrentInstance().GetExternalContext().IsUserInRole(role);
method.
So I have all current user roles. Then, in my #SessionScoped bean, for each menu item I check whether the resource represented by the url of this menu item is available for roles that current user has.
EDIT: The bad side of this solution is that I analyzing the web.xml file only, without annotations
Related
In my application there are 5 portlets accessing same bean class which is in session scope. My problem is, whenever I open a portlet, managed bean initializes. Managed bean should be initialize once in a session. In my case bean initializing 5 times. Can anyone tell me what is the root cause of that problem?
Here is my bean :
#ManagedBean(name="userManagementBean")
#SessionScoped
public class UserManagementBean {
public UserManagementBean() {
System.out.println("In getter setter bean");
sName=userManagementHelper.findScreenName();
directReport=new DualListModel<String>();
addUserToGroupDual=new DualListModel<String>();
addUserToGroupDual.getSource().clear();
addUserToGroupDual.getTarget().clear();
............
When you annotate your beans with #SessionScoped in Portlet application it is mapped to something as "Portlet Instance Session". This means that this bean will live in session of that portlet, and each portlet has its own session. There is something called "Global Session" which is session shared across all portlets, but as far as I know there is not such annotation in JSF.
JSR286 has user session based scope but it would depend on your portal server if it has the implementation for this as a Custom Scope for JSF.
I know for sure that Websphere portal 8.x supports this.
In Websphere portal 8.x you can specify your managed bean like,
#ManagedBean(name="userManagementBean")
#CustomScoped("#{portletApplicationSessionScope}")
public class UserManagementBean {
...
}
Have a look into your portal server documentation to see if it supports that.
You can use Apache JSF portlet bridge as you have updated that you are using liferay ,
It will expose Application Session Scope as EL,
Add it to application scope in portlet A
PortletSession session = request.getPortletSession();
session.setAttribute("name",name.getValue().toString(),PortletSession.APPLICATION_SCOPE);
and use in portlet B
PortletSession session = request.getPortletSession();
String value = session.getAttribute("name", PortletSession.APPLICATION_SCOPE).toString();
Your xhtml ,
<h:inputText id="itName"
required="true"
value="#{httpSessionScope.name}"/>
I'm searching but I can't find the answer, I need secure resources based on permissions, I can't use a filter because FacesContext is not initialized before and I need load the permissions in my session bean. Some solution avoiding use a filter? PhaseListener, ViewHandler and ResourceHandler can't capture an URL resource request, for example I need denied this direct access: http://127.0.0.1:8080/test/resources/images/image.jpg
Thx in advance...
JSF stores session scoped managed beans as an attribute of the HttpSession, which in turn is just available in a Filter by HttpServletRequest#getSession().
HttpSession session = ((HttpServletRequest) request).getSession();
SessionBean sessionBean = session.getAttribute("sessionBean");
// ...
Update: as per the comment you seem to be actually using CDI:
my filter is triggered before than JSF, I always get a null value when I use getAttribute. I'm using CDI with 'Named' and 'SessionScoped' annotations on my Bean because I need use a interceptor to implement security
I understood that you were using JSF's own #ManagedBean and the initial answer only applies to that. If your bean is already managed by CDI's #Named, then just use CDI's own #Inject the usual way in the Filter.
#Inject
private SessionBean sessionBean;
In case of JSF #ManagedBean you should just add a if (sessionBean != null) check. It's irrelevant whether the filter is invoked before JSF servlet or not. Once the session bean has been created by JSF, it won't be null in the filter.
I'm developing a JSF 2.0 app that consumes a SOAP-based web service.
I want to use in the JSFs pages most of the generated client classes for the Web Service - but the client classes are not managed beans (nor CDI beans)... and as there are a lot of client classes I don't think is feasible to add #ManagedBean or #Named annotations to all classes...
Let me give you an example so things might get a bit clearer:
The User class is a generated client class - this class has only two attributes (login and password).
I want to be able to assign values to the attributes of a given user in the JSF page:
<h:inputText value="#{user.name}"/>
<h:inputText value="#{user.password}"/>
And then I want to call my UserService to authenticate the user:
<h:commandButton value="Login" action="#{userService.authenticate}"/>
The only way (AFAIK) to assign a value to the User object from the JSF page is by making the User object a managed bean (or a CDI bean).
As there are more than 100 client classes, I definitely don't want to add #ManagedBean or #Named annotations on all classes (I equally don't want to add message-bean element for each class in the faces-config.xml).
And even if annotating all classes were a feasible option, the solution would have a drawback: the service contract (WSDL) might change at any minute and I would be obligated to regenerate the client classes... I'd loose the annotated classes.
What is the best way to handle this (kind of) issue?
I've looked for a way to declare all classes of a package in the faces-config.xml (example below), but I could find neither a way to do that nor a feasible alternative.
<managed-beans>
<managed-beans-package>x.y.z.ws.client</managed-beans-package>
<managed-beans-scope>none</managed-beans-scope>
</managed-beans>
Just make the User a property of UserService. That's also more conform JSF's MVC ideology. The UserService is the controller and the User is the model.
Thus so,
#ManagedBean
#ViewScoped
public class UserService {
private User user;
// ... (don't forget to prepare user in (post)constructor if "new" user)
}
with
<h:inputText value="#{userService.user.name}" />
<h:inputText value="#{userService.user.password}" />
I use JSF 2 and EJB 3.1, all of them are deployed on Glassfish 3.1.
When i setup a class named MyInterceptor which is implemented PhaseListener, i can not revoke remote EJB interface inside it.
It notice "NullPointerException ..."
public class MyInterceptor implements PhaseListener {
#EJB(name="AuthorizationEJB",
beanInterface=AuthorizationService.class,
mappedName="corbaname:iiop:localhost:3700#ejb/AuthorizationEJB")
public AuthorizationService authorizationService;
....
}
When I call authorizationService.dosomestuff(), it raise error NullPointerException
How can i do to fix it?
Thank in advance
In JSF 2.1 and earlier, PhaseListeners are unfortunately no injection targets (meaning you can't use injection in them). You can do your lookup programmatically via JNDI instead though.
In JSF 2.2 all JSF artifacts (including PhaseListeners) will be injection targets, but this will probably not help you now.
Unrelated to your question, but I'm not sure what you're trying to achieve by specifying the beanInterface in your annotation. Most likely you'll also don't need the name attribute and if your bean is a local bean you'll also don't need mappedName.
Use a servlet filter instead of a JSF phase listener to do authorization. You can inject an #EJB in a #WebFilter.
Yeah in web filter you could have just used plain #EJB. Maximimum you needed to add beanName if you had two beans implement same AuthorizationService interface.
Servlet filter is per request, I don't think you need to do security stuff at a certain phase from JSF's lifecycle (which is a more granular level than the whole http request).
For normal lookup you can do:
AuthorizationService.class.cast(new InitialContext().lookup("corbaname:iiop:localhost:3700#ejb/AuthorizationEJB")).dosomestuff();
in a try catch javax.naming.NamingException
I have a JSF2 project (Mojarra on GlassFish 3.1).
I have a ViewScoped bean that references services through a utility class like so:
#ManagedBean
#ApplicationScoped
public static class ServicesUtil {
#EJB
UserService userService;
#EJB
EmailService emailService;
/** getters/setters **/
}
and
#ManagedBean
#ViewScoped
public class UserHandler {
public String method() {
ServicesUtil.getUserService().doUserStuff();
return "newPage";
}
}
My question is, since the ServicesUtil is ApplicationScoped, does that mean there is only one instance of each service for the entire application? And is this bad practice? If done correctly, would the CDI in GlassFish actually create new instances as they are needed?
Similarly, if the Services were injected into the UserHandler instead would the application be more scalable?
The reason we added the ServicesUtil layer is one of my coworkers said that he occasionally had problems getting the injection to work in the Handler when it is ViewScope. Should there be any difficulty using #EJB in a ViewScoped bean?
Any help is greatly appreciated!
Rob
The pattern you're using doesn't seem to make a lot of sense. There should be no problem with injecting EJBs into a view scoped bean.
Depending on the type of EJB you are using (stateless, stateful or singleton) different things hold.
If the userService and emailService are stateless (they most likely should be), you gain nothing by using a bean that's injected into an application scoped bean first. Namely, what's injected is not the bean itself but a proxy and every request to that is routed to a different real bean instance anyway (see http://en.wikipedia.org/wiki/Enterprise_JavaBean#Stateless_Session_Beans).
If the userService and emailService are stateful, you do get a single instance here, but I highly doubt you need to share actual between every user in your application. But even if you would want that, only a single user (thread) can access the stateful bean at a time.
If those services are singleton, you can just inject them right away into the view scoped bean. There is absolutely no reason to go via an application scoped bean.
Furthermore, ServicesUtil.getUserService() is a static method, so using this to get an injected service is brittle. If you want to use this (you shouldn't, but suppose) ServicesUtil should be injected into UserHandler.
Then, it seems you are confusing CDI and JSF managed beans. I agree this is confusing, but it's currently the way it is. #ViewScoped does not work in combination met CDI beans. From your code it's not clear if #ManagedBean is the JSF variant or the Java EE/CDI one. In this case it should be javax.faces.bean.ManagedBean if you want to use the view scope.