Security In JSF

hello,
I had a problem with how to maintain security in my web application (I'm using JSF).
Someone advised me to use Acegi, others a simple filter ...
Any idea how to add security to my JSF web site?

Hi,
I think your question is too broad for us to answer. There are many aspects that you have to consider when you are thinking about security in your own application, such as:
- what do you want to secure? access to URLs? access to beans? a combination of both?
- What about authentication: do you want to use LDAP, or do you want to use database-based user auth?
and many more..
So it all depends on the requirements. In any case, have you considered other alternatives like jsecurity (www.jsecurity.org)?

Similar Messages

  • Approaches on security in JSF

    My question is pretty broad, so I'm just looking for a general answer.
    What is the standard (or most common) approach to authentication and authorization in JSF?
    1) At one instance, some time ago, I was utilizing a simple declarative, form-based, container-managed login mechanism in Tomcat (with DataSource/JDBCRealm), but that made me do some acrobatics with redirections because the container did all the checks and never gave me a chance to grab the details typed by the user... so, in the end, it turned out to be more of a hack than an actual way to do security.
    2) I also keep reading that people turn to Spring security (Acegi). This seems like a good idea, but it's hard to believe that JSF does not have its own security mechanism.
    3) JAAS also comes to mind, especially after seeing the JAASRealm implementation on Tomcat, but this is Tomcat specific and requires a self-implemented LoginModule and Principal...
    4) I also see some third-party libraries like jGuard that seem pretty decent (first-look impression), but still, that's hardly the norm.
    So I am at a loss now, how is security "supposed" to be done in JSF? Is it usually vendor specific? Any insight will be greatly appreciated!

    jadespirit wrote:
    > My question is pretty broad, so I'm just looking for a general answer.
    > What is the standard (or most common) approach to authentication and authorization in JSF?
    To start, authentication and authorization should not be tightly coupled to JSF. JSF is just a component based MVC framework which can run on top of JSP/Servlet. Security is to be done at a lower level, in the JSP/Servlet API.
    > 1) At one instance, some time ago, I was utilizing a simple declarative, form-based, container-managed login mechanism in Tomcat (with DataSource/JDBCRealm), but that made me do some acrobatics with redirections because the container did all the checks and never gave me a chance to grab the details typed by the user... so, in the end, it turned out to be more of a hack than an actual way to do security.
    In JSF you can just get the underlying HttpServletRequest by ExternalContext#getRequest(), which in turn provides methods to get details about the logged in user.
    > 2) I also keep reading that people turn to Spring security (Acegi). This seems like a good idea, but it's hard to believe that JSF does not have its own security mechanism.
    JSF is not comparable with Spring.
    > 3) JAAS also comes to mind, especially after seeing the JAASRealm implementation on Tomcat, but this is Tomcat specific and requires a self-implemented LoginModule and Principal...
    Realm is not appserver specific.
    > 4) I also see some third-party libraries like jGuard that seem pretty decent (first-look impression), but still, that's hardly the norm.
    No wording about this as I don't have experience with them.
    > So I am at a loss now, how is security "supposed" to be done in JSF? Is it usually vendor specific? Any insight will be greatly appreciated!
    Realm is good. You can also decide to homegrow a simple one yourself. Have a database with users, have a login bean which puts the logged in user in session, have a Filter which checks the logged in user. In JSF you can if necessary just use EL to access the logged in user in session.
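The homegrown scheme the reply sketches (users in a database, a login bean that puts the logged-in user in session, a Filter that checks it), written out as an added example; this is not code from the thread. It assumes JSF 2 on a Servlet 3.1 container, Facelets pages login.xhtml, index.xhtml and home.xhtml, and a hypothetical UserDao.authenticate(username, password) that compares against a stored salted hash and returns a User (also hypothetical) or null. Two choices go beyond the reply: the filter is default-deny, so a page is protected unless it is listed as public, and it redirects to the login page instead of forwarding, remembering the requested URL.

```java
// ---- LoginBean.java ----
package example.security;

import java.io.IOException;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

@ManagedBean(name = "login")
@RequestScoped
public class LoginBean {
    /** Session key the filter checks; pages can read it as #{sessionScope.currentUser}. */
    public static final String USER_KEY = "currentUser";
    private String username;
    private String password;

    public String login() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ext.getRequest();
        // UserDao and User are assumed: authenticate() checks the password against the
        // stored salted hash and returns null for an unknown user or a wrong password.
        User user = UserDao.authenticate(username, password);
        password = null;                                   // drop the clear text early
        if (user == null) {                                // same message for both failures
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Invalid username or password", null));
            return null;                                   // re-render the login page
        }
        request.changeSessionId();                         // session fixation: new id on login
        ext.getSessionMap().put(USER_KEY, user);
        // Back to the page the filter bounced from. The filter took that value from its
        // own request URI, so it is not an attacker-supplied redirect target.
        String target = (String) ext.getSessionMap().remove(AuthFilter.SAVED_URL_KEY);
        ext.redirect(target != null ? target : request.getContextPath() + "/home.xhtml");
        return null;
    }

    public String logout() throws IOException {
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        ext.invalidateSession();                           // user and all other state gone
        ext.redirect(ext.getRequestContextPath() + "/login.xhtml");
        return null;
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

// ---- AuthFilter.java ----
package example.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

/** Default deny: every request needs a user in the session unless its path is public. */
@WebFilter("/*")
public class AuthFilter implements Filter {
    public static final String SAVED_URL_KEY = "savedRequestUrl";
    private static final Set<String> PUBLIC_PATHS =
            new HashSet<>(Arrays.asList("/login.xhtml", "/index.xhtml"));

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        HttpSession session = request.getSession(false);   // never create one just to look
        boolean loggedIn = session != null && session.getAttribute(LoginBean.USER_KEY) != null;
        if (loggedIn || isPublic(path)) {
            chain.doFilter(req, res);
            return;
        }
        // Remember the requested page, then redirect (not forward) to the login page, so the
        // address bar shows where the user really is and a refresh cannot replay the request.
        String wanted = request.getRequestURI();
        if (request.getQueryString() != null) {
            wanted += "?" + request.getQueryString();
        }
        request.getSession(true).setAttribute(SAVED_URL_KEY, wanted);
        response.sendRedirect(request.getContextPath() + "/login.xhtml");
    }

    static boolean isPublic(String path) {
        return PUBLIC_PATHS.contains(path)
                || path.startsWith("/javax.faces.resource/");   // CSS, JS, images served by JSF
    }
}
```

login.xhtml binds #{login.username} and #{login.password} and calls #{login.login} from an h:commandButton in an ordinary h:form, so validators and messages work as on any other page. Mapping the filter to /* means a page added next month is protected without anyone remembering to list it; the price is that every public page has to be named in PUBLIC_PATHS.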

  • Using container managed form-based security in JSF

    Using container managed, form-based security in a JSF web app.
    A Practical Solution
    But first, some background on the problem
    The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all, meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. (credit to Duncan Mills in this 2 year old article: http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1)
    In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
    Step 1: Configure the Security Realm in the Web App Container
    What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "principals" that are defined to interact with your application. A security principal is basically just a user of the system that is defined by three fields:
    - Username
    - Group
    - Password
    The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
    1. Start up your app server and log into the admin interface (http://localhost:4848)
    2. Drill down into Configuration > Security > Realms.
    3. Here you will see the default realms defined on the server. Drill down into the file realm.
    4. There is no need to change any of the default settings. Click the Manage Users button.
    5. Create a new user by entering username/password.
    Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more useful in a real app.
    I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
    That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
    TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
    Step 2: Create the project
    Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
    1. Start by creating a new Visual Web JSF project.
    2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
    Step 3: Create the JSF and JSP files
    In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
    1. login.jsp (A Visual Web JSF file)
    2. loginproxy.jspx (A plain JSPX file)
    3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
    Code follows for each of the files:
    First we need to add a navigation rule to faces-config.xml:
    {code}
    <navigation-rule>
        <from-view-id>/login.jsp</from-view-id>
        <navigation-case>
            <from-outcome>loginproxy</from-outcome>
            <to-view-id>/loginproxy.jspx</to-view-id>
        </navigation-case>
    </navigation-rule>
    {code}
    NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
    login.jsp -- A very simple Visual Web JSF file with two input fields and a button:
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
              xmlns:f="http://java.sun.com/jsf/core"
              xmlns:h="http://java.sun.com/jsf/html"
              xmlns:jsp="http://java.sun.com/JSP/Page"
              xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
        <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
        <f:view>
            <webuijsf:page id="page1">
                <webuijsf:html id="html1">
                    <webuijsf:head id="head1">
                        <webuijsf:link id="link1" url="/resources/stylesheet.css"/>
                    </webuijsf:head>
                    <webuijsf:body id="body1" style="-rave-layout: grid">
                        <webuijsf:form id="form1">
                            <webuijsf:textField binding="#{login.username}" id="username"
                                                style="position: absolute; left: 216px; top: 96px"/>
                            <webuijsf:passwordField binding="#{login.password}" id="password"
                                                    style="position: absolute; left: 216px; top: 144px"/>
                            <webuijsf:button actionExpression="#{login.button1_action}" id="button1"
                                             style="position: absolute; left: 216px; top: 216px" text="GO"/>
                        </webuijsf:form>
                    </webuijsf:body>
                </webuijsf:html>
            </webuijsf:page>
        </f:view>
    </jsp:root>
    {code}
    login.java -- implement the button1_action() method in the login.java backing bean:
    {code}
    public String button1_action() {
        // Hand the typed credentials to loginproxy.jspx through request scope; they live
        // only for this one forward and are never put in the session.
        setValue("#{requestScope.username}", (String) username.getValue());
        setValue("#{requestScope.password}", (String) password.getValue());
        return "loginproxy";
    }
    {code}
    loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
              xmlns:fn="http://java.sun.com/jsp/jstl/functions"
              version="2.0">
        <jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
                    doctype-system="http://www.w3.org/TR/html4/loose.dtd"
                    doctype-public="-//W3C//DTD HTML 4.01 Transitional//EN"/>
        <jsp:directive.page contentType="text/html" pageEncoding="UTF-8"/>
        <!-- The clear-text password is written into this page, so make sure no
             browser or proxy cache keeps a copy of it. -->
        <jsp:scriptlet>response.setHeader("Cache-Control", "no-store");</jsp:scriptlet>
        <html>
            <head>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
                <title>Logging in...</title>
            </head>
            <body onload="document.forms[0].submit()">
                <form action="j_security_check" method="POST">
                    <!-- fn:escapeXml (JSTL 1.1 functions) keeps a quote or angle bracket
                         typed into the login form from breaking out of the attribute. -->
                    <input type="hidden" name="j_username"
                           value="${fn:escapeXml(requestScope.username)}"/>
                    <input type="hidden" name="j_password"
                           value="${fn:escapeXml(requestScope.password)}"/>
                </form>
            </body>
        </html>
    </jsp:root>
    {code}
    secure/securepage.jsp -- A simple JSF target page, placed in the secure folder to test access
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
              xmlns:f="http://java.sun.com/jsf/core"
              xmlns:h="http://java.sun.com/jsf/html"
              xmlns:jsp="http://java.sun.com/JSP/Page"
              xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
        <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
        <f:view>
            <webuijsf:page id="page1">
                <webuijsf:html id="html1">
                    <webuijsf:head id="head1">
                        <webuijsf:link id="link1" url="/resources/stylesheet.css"/>
                    </webuijsf:head>
                    <webuijsf:body id="body1" style="-rave-layout: grid">
                        <webuijsf:form id="form1">
                            <webuijsf:staticText id="staticText1"
                                                 style="position: absolute; left: 168px; top: 144px"
                                                 text="A Secure Page"/>
                        </webuijsf:form>
                    </webuijsf:body>
                </webuijsf:html>
            </webuijsf:page>
        </f:view>
    </jsp:root>
    {code}
    Step 4: Configure Declarative Security
    This type of security is called "declarative" because it is not configured programmatically. It is configured by declaring all of the relevant parameters in the configuration files: web.xml and sun-web.xml. Once you have it configured, the container (application server and java framework) already has the implementation to make everything work for you.
    web.xml will be used to define:
    - Type of security - We will be using "form based". The login.jsp we created will be set as both the login and error page.
    - Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
    - Security Constraints - A security constraint defines the resource(s) that are being secured, and which Roles are able to authenticate to them.
    sun-web.xml will be used to define:
    - This is where you map a Role to the Users or Groups that are allowed to use it.
    I know this is confusing the first time, but basically it works like this:
    Security Constraint for a URL -> mapped to -> Role -> mapped to -> Users & Groups
    web.xml -- here's the relevant section:
    {code}
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>SecurePages</web-resource-name>
            <description/>
            <!-- Both the FacesServlet path and the raw folder, so a request for
                 /secure/securepage.jsp that skips the /faces/ prefix is covered too. -->
            <url-pattern>/faces/secure/*</url-pattern>
            <url-pattern>/secure/*</url-pattern>
            <!-- No <http-method> list on purpose: when methods are listed, ONLY those
                 methods are constrained and any other verb reaches the pages without
                 authentication. Leaving the list out constrains every method. -->
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>User</role-name>
        </auth-constraint>
        <!-- Once the server has an HTTPS listener, add
             <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
             here so the form login never posts the password over plain HTTP. -->
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name/>
        <form-login-config>
            <form-login-page>/faces/login.jsp</form-login-page>
            <form-error-page>/faces/login.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>User</role-name>
    </security-role>
    {code}
    sun-web.xml -- here's the relevant section:
    {code}
    <security-role-mapping>
    <role-name>User</role-name>
    <group-name>Users</group-name>
    </security-role-mapping>
    {code}
    Almost done!!!
    Step 5: A couple of minor "Gotcha's"
    Gotcha #1
    You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is no leading / ... If you put a / in there it will barf all over itself.
    Gotcha #2
    Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
    DONE!!!
    Here's how it works:
    1. The user requests a page from your context (http://localhost/MyLogin/)
    2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
    3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
    4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
    5. The user enters username and password and clicks a button to submit.
    6. The button's action method stores away the username and password in the request scope.
    7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
    8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
    9. The hidden username and password fields grab the username and password variables from the request scope.
    10. The loginproxy page is automatically submitted with the magic action "j_security_check"
    11. j_security_check notifies the container that authentication needs to be intercepted and handled.
    12. The container authenticates the user credentials.
    13. If the credentials fail, the container forwards the request to the login.jsp page.
    14. If the credentials pass, the container forwards the request to the last protected resource that was attempted.
    Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!
    The user is now at the secure welcome page.
    If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
    Kerry Randolph

    If you want login security on your web app, this is one way to do it. (the easiest way i have seen).
    This method allows you to create a custom login form and error page using JSF.
    The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
    This example uses a statically defined user/password, stored in a file, but you can also configure a JDBC realm in Glassfish, so that users can register for access and your program can store the username/password in a database.
    I'm new to programming, so none of this may be a good practice, or may not be secure at all.
    I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
    Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
    So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
    --Kerry
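An added alternative to the loginproxy page, not part of Kerry's post: Servlet 3.0 added HttpServletRequest.login(username, password), which authenticates against the same container realm from inside a JSF action, so the clear-text password never has to be written into request scope and into a rendered HTML page. It assumes a Servlet 3.1 container such as GlassFish 3.1 or later (GlassFish v2 is Servlet 2.5 and does not have it), JSF 2 managed-bean annotations, and the tutorial's web.xml, realm, group mapping and page names left unchanged.

```java
package example.security;

import java.io.IOException;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

/**
 * Backing bean for a plain Facelets login form:
 *   <h:form><h:inputText value="#{login.username}"/>
 *           <h:inputSecret value="#{login.password}"/>
 *           <h:commandButton value="GO" action="#{login.login}"/></h:form>
 * The realm, security-constraint and FORM login-config from the tutorial stay as
 * they are; only the auto-submitting proxy page goes away.
 */
@ManagedBean(name = "login")
@RequestScoped
public class ContainerLoginBean {
    private static final String HOME = "/faces/secure/securepage.jsp";   // tutorial's page
    private static final String LOGIN = "/faces/login.jsp";

    private String username;
    private String password;

    public String login() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ext.getRequest();
        try {
            // Checked against the realm named in <login-config>. On success the container
            // sets getUserPrincipal()/isUserInRole() for the session, as after j_security_check.
            request.login(username, password);
        } catch (ServletException e) {
            // Unknown user, wrong password, or a principal already present: one message for all.
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null;                                   // stay on the login page
        } finally {
            password = null;                               // do not keep the clear text in the bean
        }
        // login() keeps the pre-login session, so renew its id before trusting it (Servlet 3.1).
        request.changeSessionId();
        ext.redirect(request.getContextPath() + HOME);     // also marks the response complete
        return null;
    }

    public String logout() throws IOException {
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        ((HttpServletRequest) ext.getRequest()).logout();  // clears the container principal
        ext.invalidateSession();                           // and the application's session state
        ext.redirect(ext.getRequestContextPath() + LOGIN);
        return null;
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

The one thing this gives up is point 14 of the how-it-works list: the container only replays the originally requested protected page for a j_security_check post, so after request.login() the bean chooses the target itself (HOME here). The <form-login-page> is still needed in web.xml, because the container still serves it when an anonymous request hits the constrained folder.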

  • Security with jsf

    Hello,
    my website has 5 role groups and each one can access different pages.
    How can I forbid access to the pages of role group 1 to the others?
    In fact, a bean has a "level" variable which contains the role group of the user.
    I would like to test this value and if it is the right one, give access.
    Otherwise, I would like to redirect the user to the login page.
    Thanks in advance!
    PS: All is made with JSF

    Hi
    Put this in your web.xml:
    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>adjuvant.poa.util.SecurityFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>*.jsf</url-pattern>
    </filter-mapping>
    here is your security class, adjuvant.poa.util.SecurityFilter:
    package adjuvant.poa.util;

    import java.io.IOException;
    import java.util.HashSet;
    import java.util.Set;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    import adjuvant.poa.jsf.backingbeans.UserBean;

    /**
     * This Filter class handles the security of the application.
     * <p>
     * It should be configured inside the web.xml (mapped to *.jsf as above).
     * <p>
     * Note that this is a deny-list: only the URIs added in init() are protected,
     * so every new page is public until it is listed here, and only requests that
     * match the *.jsf mapping are seen by the filter at all.
     */
    public class SecurityFilter implements Filter {

        // the login page, context-relative so the forward also works from /admin/
        // (a plain "login.jsf" resolves relative to the current folder, which is
        // why a separate "../login.jsf" used to be needed for the admin pages)
        private static final String LOGIN_PAGE_URI = "/login.jsf";
        // session attribute under which the login bean stores the logged-in user
        private static final String USER_BEAN = "nurse";
        // only this user id may open the admin pages
        private static final String ADMIN_USER_ID = "admin";

        // the logger object
        private final Log logger = LogFactory.getLog(this.getClass());

        // a set of restricted resources (context-relative URIs)
        private Set<String> restrictedResources;

        /**
         * Initializes the Filter.
         */
        public void init(FilterConfig filterConfig) throws ServletException {
            this.restrictedResources = new HashSet<String>();
            this.restrictedResources.add("/assessment.jsf");
            this.restrictedResources.add("/patients.jsf");
            this.restrictedResources.add("/anesthetic.jsf");
            this.restrictedResources.add("/baseline.jsf");
            this.restrictedResources.add("/drugs.jsf");
            this.restrictedResources.add("/endocrine.jsf");
            this.restrictedResources.add("/haematological.jsf");
            this.restrictedResources.add("/labwork.jsf");
            this.restrictedResources.add("/medication.jsf");
            this.restrictedResources.add("/neurologocal.jsf");
            this.restrictedResources.add("/newpatient.jsf");
            this.restrictedResources.add("/patientdetails.jsf");
            this.restrictedResources.add("/renal.jsf");
            this.restrictedResources.add("/respiratory.jsf");
            this.restrictedResources.add("/riskassessment.jsf");
            this.restrictedResources.add("/summary.jsf");
            this.restrictedResources.add("/minimalquestions.jsf");
            //admin Pages
            this.restrictedResources.add("/admin/admin.jsf");
            this.restrictedResources.add("/admin/drugs.jsf");
            this.restrictedResources.add("/admin/editdrugs.jsf");
            this.restrictedResources.add("/admin/nurses.jsf");
            this.restrictedResources.add("/admin/newnurse.jsf");
            this.restrictedResources.add("/admin/transaction.jsf");
        }

        /**
         * Standard doFilter method.
         */
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            String contextPath = request.getContextPath();
            String requestUri = request.getRequestURI();
            this.logger.debug("doFilter: contextPath = " + contextPath + ", requestUri = " + requestUri);

            // admin pages need the admin user, all other restricted pages any logged-in user;
            // matching the folder replaces contains("admin"), which also matched any page
            // whose name merely contained that word
            boolean adminPage = requestUri.startsWith(contextPath + "/admin/");
            boolean authorized = !this.contains(requestUri, contextPath)
                    || (adminPage ? this.authorizeAdmin(request) : this.authorize(request));

            if (!authorized) {
                this.logger.debug("authorization failed");
                request.getRequestDispatcher(LOGIN_PAGE_URI).forward(req, res);
            } else {
                this.logger.debug("authorization succeeded");
                chain.doFilter(req, res);
            }
        }

        public void destroy() {}

        private boolean contains(String value, String contextPath) {
            for (String restrictedResource : this.restrictedResources) {
                if ((contextPath + restrictedResource).equalsIgnoreCase(value)) {
                    return true;
                }
            }
            return false;
        }

        /** Looks the user up without creating a session for anonymous requests. */
        private UserBean currentUser(HttpServletRequest request) {
            HttpSession session = request.getSession(false);
            return session == null ? null : (UserBean) session.getAttribute(USER_BEAN);
        }

        private boolean authorize(HttpServletRequest request) {
            //any logged-in user
            return this.currentUser(request) != null;
        }

        private boolean authorizeAdmin(HttpServletRequest request) {
            UserBean user = this.currentUser(request);
            //logged in and is the admin user
            return user != null && ADMIN_USER_ID.equals(user.getUserId());
        }
    }

  • How to configure simple project JSF 2.1 with any Spring Security?

    Hi guys,
    I need something for beginning, very basic configuration for JSF 2.1 + Spring Security?
    Or may by do you know nice and simple security for JSF projects?
    Thx

    Hi,
    I read the Spring manual ;-)
    It doesn't help me to integrate JSF + Spring Security.
    Probably because I'm pretty new to security in apps.
    Also, I don't know Maven :-( I've never used it.
    > "You'd have to explain what your requirements are. If it is basic user authentication only then you can just use the authentication services built into the JEE specification, which you should research."
    I mean: the user can log into the service and has rights only for specific files (jsf).
    I would be grateful for any help.
    Thx
    ps.
    I can at least set up basic Spring + Spring Security.
    I've tried "JDBC security realm with glassfish"; it works, but setting it up is a nightmare for me.
    Edited by: val75 on Jan 24, 2013 1:46 PM

  • Secure a Login Password

    Some security questions, sorry because I am new to security and JSF, so please correct me.
    1. I am going to design a login page using JSF that allows the user to enter a username and password and submit. Is it secure enough if I use MessageDigest to hash the password after the user clicks submit and compare it to the database (assuming that I store the hashed password in the database)? Or any other suggestion to secure the login page?
    2. If I choose to use SSL to secure the username and password, do I still need to encrypt or hash the password when the user clicks submit?
    3. If the web site provides the user a 'Remember Me' function and stores the value in cookies, is the cookie side secure? Do I need to encrypt the cookies?
    4. I read some forum where somebody was using HTTPS; can someone explain to me how HTTPS is more secure than HTTP?

    > Is it secure enough if I use MessageDigest to hash the password after the user clicks submit and compare it to the database?
    Yes. That's what is normally done.
    > 2. If I choose to use SSL to secure the username and password, do I still need to encrypt or hash the password when the user clicks submit?
    You should never send the password anywhere, just its digest. This is standard security practice.
    > 3. If the web site provides the user a 'Remember Me' function and stores the value in cookies, is the cookie side secure? Do I need to encrypt the cookies?
    Depends on what's in them, doesn't it?
    > 4. I read some forum where somebody was using HTTPS; can someone explain to me how HTTPS is more secure than HTTP?
    Because it runs over SSL, where HTTP just runs over plaintext TCP.

  • Session creation with container managed security

    I implemented container managed security. First question: does the container create a session automatically when login is successful?
    Second: is there a way to do some processing when a user is authenticated, like some event gets fired and listeners are called?

    You have to enclose the input component in an <h:form></h:form>.
    Note that the various Form components available in JSF will not let you specify the target action, everything is a post-back.
    I suggest you this article: J2EE Security - A JSF based Login Form: http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1
    Is This User Logged In?: http://mowyourlawn.com/blog/?p=6

  • Navigation handlers and user authentication

    I've implemented a system to force user logins based on the code demonstrated here: http://www.jsftutorials.net/jsfNavigation/jsf-login-navigation-redirect.html but I've come across a problem.
    It seems the navigation handler is called only when JSF needs to resolve the outcome of an action and this means that in certain cases a user can view a secure page without having to log in. For example, using the example app from the above link, if a user goes to the start page of the project and clicks on the command buttons to access the protected pages, they are re-directed to the login page as expected. However, if they go to the url of the protected page directly (eg http://localhost:8080/jsf-loginRedirect/secure/editUserProfile.jsf ) it still displays the page.
    Currently I've got a filter in place that re-directs the user to the login page of the web app if there isn't a valid user logged in, but as this runs outside a Faces context I can't track the user's requests.
    Is there some way I can force JSF to call the navigation handler for normal get requests?

    Chops,
    There are 2 things related to this issue,
    1. When the user goes out of the application, you must invalidate the session. So that the userid will not be present in the session.
    2. You can have a phase listener that checks for User Id in session, if the user id is empty, you can re-direct the user to login page. If user id is present automatically the control will go to the navigation rule page.
    Phase Listener will enforce the user authentication.
    Hope this logic helps you to solve the issue.
    Thanks
    Prakash
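    The phase-listener check described in the reply above, written out as an added example (it is not code from the thread or from the jsftutorials.net sample). It assumes protected views live under /secure/, that the login view is /login.jsf, and that the authenticated user id is stored in the session attribute "userId"; all three names are hypothetical. Registering it on RESTORE_VIEW means it runs for every Faces request, including a direct GET of a protected view, which the NavigationHandler never sees. Resources that do not go through FacesServlet (a plain JSP or static file under /secure/) are still only covered by a servlet filter or a web.xml security-constraint.

```java
import java.io.IOException;
import java.util.Map;
import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

// Added example: enforce login for every Faces request, including direct GETs
// of protected views. Register in faces-config.xml with
//   <lifecycle><phase-listener>AuthorizationListener</phase-listener></lifecycle>
// (use the fully qualified class name of wherever you put this class).
public class AuthorizationListener implements PhaseListener {

    // Hypothetical names; adjust to the application's own layout.
    private static final String PROTECTED_PREFIX = "/secure/";
    private static final String LOGIN_PATH = "/login.jsf";   // suffix mapping *.jsf assumed
    private static final String USER_ID_ATTR = "userId";

    public PhaseId getPhaseId() {
        // RESTORE_VIEW is the first phase of every request, so the check runs
        // before any component tree is processed or any managed bean action fires.
        return PhaseId.RESTORE_VIEW;
    }

    public void beforePhase(PhaseEvent event) {
        // The view id is not known before RESTORE_VIEW; nothing to do here.
    }

    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (ctx.getViewRoot() == null) {
            return;
        }
        String viewId = ctx.getViewRoot().getViewId();
        if (viewId == null || !viewId.startsWith(PROTECTED_PREFIX)) {
            return; // public view (including the login page itself), nothing to enforce
        }

        ExternalContext ext = ctx.getExternalContext();
        Map<String, Object> session = ext.getSessionMap();
        Object userId = session.get(USER_ID_ATTR);
        if (userId != null) {
            return; // authenticated; normal navigation rules apply from here
        }

        try {
            // Redirect (not forward) so the browser URL changes and no protected
            // content is written into this response.
            ext.redirect(ext.getRequestContextPath() + LOGIN_PATH);
        } catch (IOException e) {
            throw new FacesException("redirect to login failed", e);
        }
        // Tell the lifecycle that the response is done so the remaining
        // phases (and the protected view's render) are skipped.
        ctx.responseComplete();
    }
}
```

    On logout the bean that handles it should call `ExternalContext.getSession(false)` and invalidate it, as point 1 above says; otherwise the stale "userId" attribute keeps satisfying this check.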

  • How to get security roles in a JSF portlet

    I need to get the LDAP user-roles available in the Sun Portal Server 7 in my JSF-168 portlet.
    I've added the mapping file, updated the portlet.xml and web.xml, deployed the portlet (psconsole). But the portlet shows the "content not available" error with javax....title title.
    I've probably messed up the descriptors, but I don't see what is wrong. Here they are:
    roleMaps.properties
    cn\=VSM.Administrator,dc\=neco,dc\=cz=Administrator
    web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.4">
      <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>server</param-value>
      </context-param>
      <context-param>
        <param-name>javax.faces.CONFIG_FILES</param-name>
        <param-value>/WEB-INF/navigation.xml,/WEB-INF/managed-beans.xml</param-value>
      </context-param>
      <context-param>
        <param-name>com.sun.faces.validateXml</param-name>
        <param-value>true</param-value>
      </context-param>
      <context-param>
        <param-name>com.sun.faces.verifyObjects</param-name>
        <param-value>false</param-value>
      </context-param>
      <filter>
        <filter-name>UploadFilter</filter-name>
        <filter-class>com.sun.rave.web.ui.util.UploadFilter</filter-class>
        <init-param>
          <description>
              The maximum allowed upload size in bytes.  If this is set
              to a negative value, there is no maximum.  The default
              value is 1000000.
            </description>
          <param-name>maxSize</param-name>
          <param-value>1000000</param-value>
        </init-param>
        <init-param>
          <description>
              The size (in bytes) of an uploaded file which, if it is
              exceeded, will cause the file to be written directly to
              disk instead of stored in memory.  Files smaller than or
              equal to this size will be stored in memory.  The default
              value is 4096.
            </description>
          <param-name>sizeThreshold</param-name>
          <param-value>4096</param-value>
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>UploadFilter</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
      </filter-mapping>
      <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet>
        <servlet-name>ExceptionHandlerServlet</servlet-name>
        <servlet-class>com.sun.errorhandler.ExceptionHandler</servlet-class>
        <init-param>
          <param-name>errorHost</param-name>
          <param-value>localhost</param-value>
        </init-param>
        <init-param>
          <param-name>errorPort</param-name>
          <param-value>25444</param-value>
        </init-param>
      </servlet>
      <servlet>
        <servlet-name>ThemeServlet</servlet-name>
        <servlet-class>com.sun.rave.web.ui.theme.ThemeServlet</servlet-class>
      </servlet>
      <servlet>
        <description>Generated By Sun Java Studio Creator</description>
        <display-name>CreatorPortlet Wrapper</display-name>
        <servlet-name>VSMPortal</servlet-name>
        <servlet-class>org.apache.pluto.core.PortletServlet</servlet-class>
        <init-param>
          <param-name>portlet-class</param-name>
          <param-value>com.sun.faces.portlet.FacesPortlet</param-value>
        </init-param>
        <init-param>
          <param-name>portlet-guid</param-name>
          <param-value>VSMPortal.VSMPortal</param-value>
        </init-param>
      </servlet>
      <servlet-mapping>
        <servlet-name>ExceptionHandlerServlet</servlet-name>
        <url-pattern>/error/ExceptionHandler</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>ThemeServlet</servlet-name>
        <url-pattern>/theme/*</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>VSMPortal</servlet-name>
        <url-pattern>/VSMPortal/*</url-pattern>
      </servlet-mapping>
      <welcome-file-list>
        <welcome-file>faces/null</welcome-file>
      </welcome-file-list>
      <error-page>
        <exception-type>javax.servlet.ServletException</exception-type>
        <location>/error/ExceptionHandler</location>
      </error-page>
      <error-page>
        <exception-type>java.io.IOException</exception-type>
        <location>/error/ExceptionHandler</location>
      </error-page>
      <error-page>
        <exception-type>javax.faces.FacesException</exception-type>
        <location>/error/ExceptionHandler</location>
      </error-page>
      <error-page>
        <exception-type>com.sun.rave.web.ui.appbase.ApplicationException</exception-type>
        <location>/error/ExceptionHandler</location>
      </error-page>
      <jsp-config>
        <jsp-property-group>
          <url-pattern>*.jspf</url-pattern>
          <is-xml>true</is-xml>
        </jsp-property-group>
      </jsp-config>
         <security-role>
              <role-name>Administrator</role-name>
         </security-role>          
    </web-app>
    portlet.xml
    <?xml version='1.0' encoding='UTF-8' ?>
    <portlet-app xmlns='http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd                         http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd' version='1.0'>
         <portlet>
              <description>Created By Java Studio Creator</description>
              <portlet-name>VSMPortal</portlet-name>
              <display-name>VSMPortal Portlet</display-name>
              <portlet-class>com.sun.faces.portlet.FacesPortlet</portlet-class>
              <init-param>
                   <name>com.sun.faces.portlet.INIT_VIEW</name>
                   <value>/Uctarna.jsp</value>
              </init-param>
              <expiration-cache>0</expiration-cache>
              <supports>
                   <mime-type>text/html</mime-type>
                   <portlet-mode>VIEW</portlet-mode>
              </supports>
              <supported-locale>en</supported-locale>
              <portlet-info>
                   <title>VSMPortal</title>
                   <short-title>VSMPortal</short-title>
                   <keywords>Creator</keywords>
              </portlet-info>
              <security-role-ref>
                   <role-name>Administrator</role-name>
                   <role-link>Administrator</role-link>
              </security-role-ref>          
         </portlet>
    </portlet-app>
    If I don't use the security-role and security-role-ref tags, the portlet works, and the isUserInRole method obviously doesn't.

    Nobody uses the LDAP roles in a portlet? Anybody knows other thread discussing similar issue (I can't find anything)?

  • JSF 2.0 Custom security tag

    We are migrating a JSF 1.2 application to JSF 2.0. Earlier we had developed a custom security tag by extending BodyTagSupport. In JSF 2.0 I have replaced BodyTagSupport with TagSupport and there are no compilation issues. In my taglib.xml, if I configure this tag with a handler-class [which is how it was earlier], at runtime I get a ClassCastException about not being able to cast to TagHandler, and if I configure this tag as a component [I extended UIComponentELTag] I get an error about not being able to cast to UIComponent.
    Has anyone developed a custom security tag, for example to check the user role and, if allowed, dynamically display a set of buttons or skip the particular body part completely, via doStartTag() [EVAL_BODY_INCLUDE/SKIP_BODY]?
    Edited by: user11864278 on Apr 14, 2011 1:07 PM

    We are not extending TagHandler; I am trying to develop a custom EL body tag that was earlier done with BodyTagSupport in JSF 1.2. In JSF 2.0 I believe I need to do this by extending FacetTag. When I extend FacetTag and register it as a <handler-class> in taglib.xml I get a TagHandler ClassCastException, as by default any tag configured as handler-class gets cast to TagHandler in JSF 2.0.
    To make my question better: how can I develop a custom tag extending FacetTag?
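    For reference, the ClassCastException quoted above is the Facelets contract: in JSF 2.0 a <handler-class> in taglib.xml must extend javax.faces.view.facelets.TagHandler, and conditionally building or skipping the body is done in its apply() method rather than via doStartTag() return codes. The following is an added example of such a role-checking handler; it is not the poster's code, and the tag name "restrict", the attribute name "role" and the namespace are hypothetical.

```java
import java.io.IOException;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.view.facelets.FaceletContext;
import javax.faces.view.facelets.TagAttribute;
import javax.faces.view.facelets.TagConfig;
import javax.faces.view.facelets.TagHandler;

// Added example: JSF 2.0 Facelets counterpart of a JSP BodyTagSupport that
// returns EVAL_BODY_INCLUDE or SKIP_BODY depending on the user's role.
//
// Registration in a *.taglib.xml (hypothetical names):
//   <tag>
//     <tag-name>restrict</tag-name>
//     <handler-class>com.example.RestrictToRoleHandler</handler-class>
//   </tag>
// Usage in a view:
//   <sec:restrict role="admin"> ...buttons only admins may see... </sec:restrict>
public class RestrictToRoleHandler extends TagHandler {

    private final TagAttribute role;

    public RestrictToRoleHandler(TagConfig config) {
        super(config);
        // Fails at view-compile time with a TagException if "role" is missing,
        // so a misconfigured page cannot silently render its body to everyone.
        this.role = getRequiredAttribute("role");
    }

    @Override
    public void apply(FaceletContext ctx, UIComponent parent) throws IOException {
        // The attribute may be a literal or an EL expression; evaluate it now.
        String required = role.getValue(ctx);
        FacesContext facesContext = ctx.getFacesContext();

        boolean allowed = required != null
                && facesContext.getExternalContext().isUserInRole(required);

        if (allowed) {
            // Equivalent of EVAL_BODY_INCLUDE: compile the body into the tree.
            nextHandler.apply(ctx, parent);
        }
        // Otherwise equivalent of SKIP_BODY: the body's components are never
        // created, so nothing is rendered and no action inside it can be posted.
    }
}
```

    One caveat: a tag handler runs when the view is built, not on every render. With JSF 2.0 partial state saving the view is rebuilt on each postback so the check is re-evaluated; with full state saving a restored view keeps whatever the handler decided when the view was first built. Either way, the server-side action behind any button should still be protected by a security-constraint or its own role check, since hiding markup is not authorization.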

  • LDAP Security Integration to JSF

    I would like to integrate a security system that we use to the JSF project I'm developing. The setting is as follows:
    We have a centralized single signon authentication system (OBLIX) that present the user with a login screen. Once the user logs in successfully, the system will direct the user to a url of my choice. The login information, such as user id, will be stored in the request as parameters.
    I'm new to JSF. So far I have not have to use any servlets in jsf. All I have done in my application with JSF are backing beans and control beans. The business logic resides in the control beans which invoke the backend model programs (which deals with database etc.).
    The question is how to integrate this OBLIX security nicely into my application. Can I have OBLIX direct a successful login to a jsp that triggers a control bean automatically? I need to read off the request parameters to find out who the login user is.
    Is this something that should be done with JSF listeners?
    Thanks in advance. I hope to hear from you experts soon.

    Hi Gary,
    maybe get in contact with Scott Spendolini from Sumner Technologies (http://sumnertechnologies.com/), I think these guys have some experience integrating APEX with eBusiness Suite.
    Patrick
    My APEX Blog: http://inside-apex.blogspot.com
    The ApexLib Framework: http://apexlib.sourceforge.net
    The APEX Builder Plugin: http://sourceforge.net/projects/apexplugin/

  • Web.xml: security-constraint [un]usable in JSF?

    <security-constraint> in web.xml is a simple, effective and portable method of declaring a web application's security policies.
    It's been noted, however, in an earlier topic (http://forum.java.sun.com/thread.jspa?threadID=747919&messageID=4279347) that it has its limitations in the context of JSF.
    A reasonable solution would be to consult <security-constraint> elements in one's own web.xml when rendering <h:commandLink>'s on a page according to the security policy.
    Unfortunately, there is no standard method of reading web.xml, other than what's available from the ServletContext.
    I found some container-specific implementations in the Cargo project from http://cargo.codehaus.org,
    but I'm looking for a portable solution. Any thoughts?
    Thanks, y'all!

    Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
    Bean code:
    this.isAdmin = context.getExternalContext().isUserInRole("admin");
    web.xml:
    <security-role>
      <role-name>Local Admin Group</role-name>
    </security-role>
    <security-role>
      <role-name>DBA Group</role-name>
    </security-role>
    <!-- Faces Servlet -->
    <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <security-role-ref>
        <role-name>admin</role-name>
        <role-link>DBA Group</role-link>
      </security-role-ref>
      <security-role-ref>
        <role-name>admin</role-name>
        <role-link>Local Admin Group</role-link>
      </security-role-ref>
    </servlet>

  • Invoke secured WS from ADF JSF Page

    Hello,
    How can I invoke a secured Web Service from a simple ADF JSF page? The service is secured by wss_username_token_service_policy.
    I'll be glad if somebody could give me some tutorial how to build this page. I mean inputs for username and password.
    Best regards,
    MK

    Hi,
    I've read your article: http://www.oracle.com/technology/products/jdev/howtos/1013/protectedws/access_protected_web_services_from_adf.htm I added a Web Service Data Control to the Model and as the service gave a link to my composite application deployed on soa_server (http://localhost:8001/soa-infra/services/default/registerMyPassComposite/registerMyPassWebService?WSDL). When I click on Define Web Service Security I only get a window to add policies, and there are no wizard steps as you showed in your article, Figure 9. I cannot choose the authentication type; I can only define policies for my data control.
    How to resolve it?

  • J2ee Security methods in JSF

    Is it possible to bind to J2EE security methods in JSF pages, like request.getUserPrincipal() or request.isUserInRole("rolename")?

    Hi,
    actually you can use EL if you create a method in a managed bean to check for a specific role membership. Reference the method, which returns true or false, from EL. Note that EL cannot have arguments and for this reason you cannot directly pass in role names as arguments.
    Frank
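    Both the web.xml <security-role-ref> answer above and this one come down to the same bean: something that calls ExternalContext.isUserInRole() and exposes the result to a page's rendered attribute. Because JSF 1.x EL cannot pass a method argument, the usual workaround is a Map-typed property whose get() does the role check, so a page can write rendered="#{security.inRole['admin']}" for any role name without a separate boolean per role. The class below is an added example (not from either reply); the bean name "security" and the EL usage in the comments are assumptions.

```java
import java.security.Principal;
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

// Added example: expose container-managed security to JSF EL.
//
// faces-config.xml (hypothetical bean name):
//   <managed-bean>
//     <managed-bean-name>security</managed-bean-name>
//     <managed-bean-class>com.example.SecurityBean</managed-bean-class>
//     <managed-bean-scope>request</managed-bean-scope>
//   </managed-bean>
//
// Page usage:
//   <h:commandLink value="Admin" action="admin" rendered="#{security.inRole['admin']}"/>
//   <h:outputText value="#{security.userName}" rendered="#{security.loggedIn}"/>
//
// "admin" is the logical name declared in <security-role-ref>; the container
// maps it to the real group(s) via <role-link>, so the bean never sees LDAP names.
public class SecurityBean {

    // EL resolves security.inRole['admin'] as inRole.get("admin"), which is the
    // only hook needed; the map is never iterated or written.
    private final Map<String, Boolean> inRole = new AbstractMap<String, Boolean>() {
        @Override
        public Boolean get(Object roleName) {
            if (roleName == null) {
                return Boolean.FALSE;
            }
            FacesContext ctx = FacesContext.getCurrentInstance();
            if (ctx == null) {
                return Boolean.FALSE; // called outside a Faces request
            }
            return ctx.getExternalContext().isUserInRole(roleName.toString());
        }

        @Override
        public Set<Map.Entry<String, Boolean>> entrySet() {
            return Collections.emptySet();
        }
    };

    public Map<String, Boolean> getInRole() {
        return inRole;
    }

    public boolean isLoggedIn() {
        return getUserName() != null;
    }

    // Name from the container's Principal, i.e. whatever the realm authenticated.
    public String getUserName() {
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        Principal p = ext.getUserPrincipal();
        return p == null ? null : p.getName();
    }
}
```

    rendered="..." only decides what markup is sent; a user who guesses the link's action or URL still reaches it unless the corresponding view or navigation target is also covered by a <security-constraint> (or a server-side role check in the action method). Keep both: the bean for the UI, the constraint for enforcement.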

  • JSF-Security Sourceforge project

    JDev team (especially Duncan Mills)
    The JSF-Security library is a great little extension for JSF:
    http://jsf-security.sourceforge.net/
    What's the future of this in respect to JDeveloper? Will it be included in JDeveloper as per the default install? Is it going to remain out there in the Sourceforge domain? Will it be included as a JDev extension at some stage?
    Cheers,
    CM.

    I'd rather see this kind of thing rolled into core JSF. For the moment it will live on its own on SF and I'll try and get back and do some more work on it in December probably.
    I don't see it being shipped with JDev - but it would be trivial to create an extension to make it simple to pull down from the extensions exchange
