I would like to know if we can directly extend javax.faces.render.Renderer in such a way that all the components in our application should go through this component (filter) - so that we can modify some components based on some condition.
Ex: we want to apply the Security to existing application - where some of the buttons/links/tables for some users should be enabled/disabled based on some condition (data comes from other service).
So instead of changing all the backing beans to render the components, I would like to extend the Renderer and make sure all component rendering will happen through this.
We don't have many rules here at the JavaRanch, but we do insist that you use your Real Name and not some sort of "handle" or obvious alias. If you're not sure about this, see
Customer surveys are for companies who didn't pay proper attention to begin with.
That's what my name is - I don't know what is the problem with my name.
I honestly don't know if that would be worth the effort. You are unlikely to be doing more than just setting the rendered attribute on many of them.
Also, given a component on a page, how would you know which role to check the access against? So what I'm asking is are you going to have a catalogue of which pages to check which security role against so the custom renderer knows what to check?
Better is to refactor the application pages to use composites for the components that need protection. You then apply the security on the composite because you know what composite it is so you know which roles to check against and you then reuse that composite in various places in your application.
Of all the places to enforce security, render modules are one of the most questionable. Aside from everything else, one of the most effective ways to hack into a system is to ignore the UI stuff and brute-force jam in your own evil data.
Just as an aside, I can be heard frequently exhorting people NOT to invent their own security systems. Unless they are full-time security professionals, the results are typically very, very flimsy (as in my computer-illiterate kid sister can break in in 10 minutes or less). And the more elaborate the framework being implemented, the more security holes there will be.
The J2EE standard security framework is a very simple pre-designed, pre-debugged, industry-documented basis that is quite sufficient for most web applications and can be easily augmented without violating its basic security operations.
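
As an added example that is not part of the original thread: a JSF 2 backing bean that uses the container's role check both for the `rendered` attribute and, separately, inside the action method, so the operation is protected independently of what the page displays. The bean name, the role `order-admin`, the outcome string and the in-memory store are assumptions made for illustration.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

// Hypothetical backing bean. The role name, outcome string and in-memory
// store are assumptions for this example. Facelet usage:
//   <h:commandButton value="Cancel order" action="#{orderBean.cancelOrder}"
//                    rendered="#{orderBean.mayCancel}" />
@ManagedBean(name = "orderBean")
@RequestScoped
public class OrderBean {
    private static final String CANCEL_ROLE = "order-admin"; // assumed role
    // Constructed stand-in for the real order service.
    private static final Set<Long> CANCELLED = ConcurrentHashMap.newKeySet();

    private long orderId;

    private static ExternalContext external() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    // Feeds the rendered attribute: decides what the page shows, nothing more.
    public boolean isMayCancel() {
        return external().isUserInRole(CANCEL_ROLE);
    }

    // The operation checks the container-managed role itself, so it is
    // refused no matter which view, component or request reaches it.
    public String cancelOrder() {
        if (!external().isUserInRole(CANCEL_ROLE)) {
            FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(
                FacesMessage.SEVERITY_ERROR, "Not authorized to cancel orders", null));
            return null; // stay on the current view
        }
        CANCELLED.add(orderId);
        return "orderCancelled"; // assumed navigation outcome
    }

    public long getOrderId() { return orderId; }
    public void setOrderId(long orderId) { this.orderId = orderId; }
}
```

`isUserInRole` reflects the roles established by the container's standard authentication, so the role-to-user mapping stays in the deployment configuration rather than in page or renderer code.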