Win a copy of Murach's Python Programming this week in the Jython/Python forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic

JSF access control  RSS feed

 
Pal andy
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

How is role based authorization done in JSF? I want to show/hide certain components based on the role.
Also,I cannot use isUserInRole() method as we are not using container managed roles.

Thanks.
 
Gregg Bolinger
Ranch Hand
Posts: 15304
6
Chrome IntelliJ IDE Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The way I do it is usually via a property in my User class.

rendered="#{user.role.manager}"

Which would map to user.getRole().isManager();

or something like that.
 
Pal andy
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for the response Gregg.
We have to use XML policy files for the mapping of roles to permissions.
So, If I were to map the roles and their permissions in an xml policy file, what kind of permission string/elements should I construct for each role to show/hide the component?

Thanks.
 
Gregg Bolinger
Ranch Hand
Posts: 15304
6
Chrome IntelliJ IDE Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Off hand, I would load the XML policy file into a POJO and have a property for that in my User class. Although, I may not be entirely clear on what you mean by using an XML policy file.
 
Christopher Watts
Greenhorn
Posts: 2
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Its been a while since the but have you checked out the tomahawk component library?
 
Tim Holloway
Bartender
Posts: 18531
61
Android Eclipse IDE Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
"Pal Andy",

We don't have many rules here at the JavaRanch, but we do insist that you use your Real Name and not some sort of "handle" or obvious alias. If you're not sure about this, see
http://www.javaranch.com/name.jsp .

A lot of people won't bother to answer if you're using an obviously improper display name.

I think we have a bit of confusion here. Some people seem to be talking about "Do It Yourself" security systems, and others are talking about J2EE standard container-managed security. I've already gone on record about why DIY security is in invitation to disaster - if anyone really cares, I have a nice long list of reasons I can point them to.

JSF, unlike Struts and JSTL doesn't (presently) have built-in support for role-based access control via the container security system. However, as Christopher implied, container-base security support is available from the Tomahawk tagset.

I have no idea why you expected JSF or any other framework to provide you with any sort of security support if you're managing your own security. There are too many different ways that people can cobble together DIY systems, and the J2EE standard way is supposed to be complete enough that that no general API beyond itself was considered necessary.
 
Rajesh So
Ranch Hand
Posts: 149
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello,

Is it possible to render for roles that are either manager or admin?

rendered="#{user.role.manager} or #{user.role.admin}"

I am new to JSF. Please pardon my ignorance !

Regards,
Raj
 
Rajesh So
Ranch Hand
Posts: 149
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello,

I found the answer here.

rendered="#{user.role.manager or user.role.admin}"

The 'and' is also permitted if both are required to be true.
rendered="#{isYes and user.role.admin}"

Regards,
Raj
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!