Is there some ready-to-use ACL mechanism for JSF? I know JBoss Seam comes with something like that, but switching to JBoss Seam is not an option in my case.
What I need is to easily define which pages given user is allowed to see and which actions to invoke.
If I understand correctly, you can check spring security
Related
I'm working a JSF projects with beans and xhtml pages and now I've implemented a import javax.servlet.Filter; with username and password to secure the pages, except, of course, the login.xhtml. Since I want to upgrade the security mechanism, I want to insert the Oauth2 mechanism. How Can I do? I've read some spring implementations, but seems only for REST service.
You don't implement it in JSF, you implement it in a security layer which, at most, gets the username/password or token from the jsf based userinterface. Best is to not implement this from scratch but use a real good existing security framework for this. Something like Apache Shiro, JBoss Picketlink or the likes, one that can do oauth for you.
This question might be naive but I would like to know what are the advantages of using Spring security (or any other security framework) versus custom filters (#WebFilter) to restrict pages in a web-app. In a custom filter I can check the session of an user, see if an user bean has been mapped within the session and then check if the user bean has the appropriate role to gain access to my restricted area. So what do I gain by using Spring security, surely it's more secure, if so then how? I'm asking because I find it harder to use than using custom filters. Thanks in advance.
Security Principle: Don't roll your own security unless you're an expert.
See https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own
The Spring guys aren't sitting around making work up for themselves. They are solving real problems. You could implement all of Spring Security's features with your filters, but then you'd have Spring Security, wouldn't you?
Are you handling CSRF and making it convenient?
Are you handling session fixation?
Do your filters handle path traversal?
Are you handling RunAs functionality?
Read the docs and decide if you should use it or not.
I'm trying to decide how to secure a modern web application. I am relatively new to the Java EE 6 technology stack, but I've done some pet projects that didn't utilize security, so I'm looking for some general guidance on what's even possible using out of the box Java EE 6 security.
I understand that declarative security allows you to protect resources based on what role(s) have been assigned to a user attempting to access that resource. So, for example, a user requests a page at a particular URL, the Java EE server checks the user's credentials to see if they're authorized to access that page. This makes perfect sense for resources that only to be accessed by authenticated users. Good examples include administration pages, user account setting pages, restricted content areas.
So as long as I divide a website into secure and unsecured areas, that works fine and I have no questions. But how do I deal with the situation where I have a resource that I want to behave differently based on the authentication level of the user for declarative security.
For example, I may have a home page on a website that displays one view with a login prompt if the user is an unauthenticated user, but if an authenticated user visits that same resource should display some sort of control panel with account management links, etc instead of the login prompt.
How is this achieved in modern Java EE 6 applications? Declarative security doesn't seem expressive enough to allow this to happen as it's very "all or nothing". I've read a little about programmatic security, but all the guides talk about servlets and in a modern web application I would assume that JSFs would be the way to go, not raw servlets. I want to ensure that when I secure a web application with this mixed content that depends on the authentication status of the user that I don't end up spamming security code all throughout the web app because that's extremely error prone, and very messy.
Given the above requirements what solutions would you recommend? I'm not looking for a step by step, just some helpful pointers to get me started in the right direction. Both "Here's what you can use" and "here's how it's going to fulfill your goals" would be helpful!
One last thing, I'd like to avoid loading the Spring suite onto this webapp. I like using the Java EE 6 container technologies as much as possible, and I've heard there are issues making Spring managed beans and Java EE container managed beans available to each others' contexts.
Well, you should read: the Security chapter of the Java ee tutorial.
In a nutshell, either in servlets or EJBs you should:
Declare the security roles involved: #DeclareRoles("javaee6user")
In your servlets either
use #ServletSecurity(#HttpConstraint(rolesAllowed = {"javaee6user"})) for the whole servlet (declarative security)
in the servlet's methods check with request.isUserInRole("javaee6user") just as you did in 'old' servlets (programmatic security)
In your EJBs either
declare the role(s) allowed for a whole method with #RolesAllowed("javaee6user") (declarative security)
inject with #Resource SessionContext ctx; the bean context, and invoke ctx.isCallerInRole("javaee6user") inside your method, just as you did in 'old' EJBs (programmatic security)
I am about developing a web application using jsf 2.0 and netbeans 7.1
so I want to authenticate users before they can access the application
My question know is how can I be sure of that user along his "session"?
I searched and found that I have to use session beans but I didn't get
the "remedy" of my problem
thanks for help
the answer really depends on your requirements. the simplest solution would be to use container managed authentication (via JAAS). all j2ee/servlet containers support this, but some implement it "their own way", so you have to check the docs. i know for tomcat and jboss, it's very simple to turn on and (assuming you configure your web.xml properly) just trust that if they are loading your pages, the session is authorized. you might want to bulk up the question with some of your requirements. that will really spur people to give you a much more concrete answer than i'm providing.
TIA
I'm working on a JSF 1.2 project which has AJAX functionality on it's pages (using RichFaces).
My bean builds a list of objects to be edited and then has methods to support the editing and the bean is session-scoped. I will be using a a4j:queue so that only one AJAX call can happen at a time.
I'm curious if it is wise to use synchronization (locks on objects, or perhaps collections from java.util.concurrent) in the managed bean. Is the extra work needed to implement synchronization/thread safety really needed? The site I am working on has many users and needs to be reliable but it has a LOT of managed beans, and I'm curious how concerned I should be about the thread safety of managed beans overall.
Do you take extra steps in backing beans for thread-safety?
Thanks in advance.
a4j:queue won't prevent the user from reloading the page / clicking another link while the AJAX call is in progress.
Yes, we can probably trust the user not to click many different links right after each other, but what about requests not triggered by the user, for instance by a4j:poll?
Note that replacing all collections with their thread-safe equivalent might not be enough to make your application thread safe.
That said, depending on the degree of reliability your application needs to meet, this problem might or might not deserve your attention.
You need to keep scope in mind.
Request scope - thread safe, session scope - not thread safe
If you need to be able to open multiple browser windows or tabs, then you can use something like a Seam conversation to protect from editing the same object from two windows/tabs.
If it is SessionScoped you must take care to use some thread-safety mechanisms. If it is RequestScoped or ViewScope'd, then it is safe to share class variables between methods.