2. About Me
• Apache MyFaces PMC(Project Management Committee) member
• Co-Author of "The Definitive Guide to Apache MyFaces and Facelets" from Apress
• Reference in “Core JavaServer Faces 2nd Edition”
• Recognized speaker in international and local conferences
• Oracle RCF(Rich Client Framework) member
• Krank (CRUD Framework for JSF-Spring-JPA) member
• Sourceforge jsf-comp member
• Spring Security(Acegi) JSF Integration author
• JSF Chart Creator project lead
• FacesTrace project lead
• YUI4JSF project lead
• FC Barcelona Fan
• Blog: http://www.prime.com.tr/cagataycivici
• Prime Technology - 2008
3. Roadmap
• JSF and Security
• Non-JSF Based Approaches
• JSF Based Approaches
• Page authorization
• Protect ViewState
4. JSF and Security
• The mismatch! Security Support in JSF
• JSF
– MVC Framework
– Component Oriented
– Event Driven
• Security
– Authentication
– Authorization
5. JSF API
• FacesContext.getCurrentInstance().getExternalContext().getRemoteUser()
• FacesContext.getCurrentInstance().getExternalContext().getAuthType()
• FacesContext.getCurrentInstance().getExternalContext().isUserInRole(String role)
• FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal()
6. Approaches
• Non-JSF based
– Container Managed Security
– Security Filter
– Spring Security
• JSF based
– ViewHandler
– PhaseListener
– Seam Security
8. Container Managed Security
The Good
• Based on Servlet API
• Well known
• Fine for URL Protection
The Bad
• JSF Component Security
• JSF Login Page
• Securing JSF Navigations
11. Servlet Filter
The Good
• Based on Servlet API
• Well known
• Good for URL Protection
• Non-Faces Resources
The Bad
• JSF Component Security
• Faces APIs
• Requires Maintenance
13. Spring Security
• Securing JSF Beans
import org.springframework.security.annotation.Secured; // Spring Security 2.x package

public class MySecuredBackingBean {
    // ...
    // Each role is its own array element: a single "A,B" string would be
    // treated as one role name that nobody holds.
    @Secured({"ROLE_ADMIN", "ROLE_ADMINS_GIRLFRIEND"})
    public String delete() {
        // delete something
        return null; // stay on the current view
    }
    // ...
}
14. Spring Security
The Good
• Extendable
• Easy configuration
• Bean security
• ACL
• Securing methods
The Bad
• Complex for simple applications
• Page authorization
15. ViewHandler
• Decorate for Security
• Integration point: createView
import javax.faces.application.ViewHandler;
import javax.faces.application.ViewHandlerWrapper;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;

// ViewHandlerWrapper (JSF 1.2) forwards every method not overridden here to base
public class SecurityViewHandler extends ViewHandlerWrapper {
    private final ViewHandler base;
    public SecurityViewHandler(ViewHandler base) { // JSF hands in the decorated handler
        this.base = base;
    }
    public ViewHandler getWrapped() {
        return base;
    }
    public UIViewRoot createView(FacesContext facesContext, String viewId) {
        if (!userCanAccess(viewId))
            return base.createView(facesContext, "/accessDenied.jsp");
        else
            return base.createView(facesContext, viewId);
    }
    // The access rule is not on the slide; assumed here: views under /admin/
    // need ROLE_ADMIN, checked with the container role API from slide 5.
    private boolean userCanAccess(String viewId) {
        return !viewId.startsWith("/admin/")
            || FacesContext.getCurrentInstance().getExternalContext().isUserInRole("ROLE_ADMIN");
    }
}
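The PhaseListener approach listed on slide 6, as an added example that is not from the slides: it performs the same page check after RESTORE_VIEW, so postbacks to an already restored view are covered as well as the views that createView builds. The /admin/ to ROLE_ADMIN rule is an assumption; the access-denied view id is the one used on slide 15.

```java
// Added example (not from the slides): page authorization as a PhaseListener.
// After RESTORE_VIEW the view id is known for every faces request, including
// postbacks, which createView on the ViewHandler never sees.
import javax.faces.application.ViewHandler;
import javax.faces.component.UIViewRoot;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

public class PageAuthorizationPhaseListener implements PhaseListener {

    private static final String ACCESS_DENIED_VIEW = "/accessDenied.jsp"; // as on slide 15

    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;
    }

    public void beforePhase(PhaseEvent event) {
        // nothing to do: the view id is not known before RESTORE_VIEW
    }

    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        UIViewRoot root = ctx.getViewRoot();
        if (root == null) {
            return; // nothing was restored or created for this request
        }
        if (userCanAccess(ctx.getExternalContext(), root.getViewId())) {
            return;
        }
        // Swap in the access-denied view and skip straight to rendering, so
        // the protected view's actions and updates never run.
        ViewHandler vh = ctx.getApplication().getViewHandler();
        UIViewRoot denied = vh.createView(ctx, ACCESS_DENIED_VIEW);
        ctx.setViewRoot(denied);
        ctx.renderResponse();
    }

    // Assumed rule: views under /admin/ require ROLE_ADMIN, checked through the
    // container role API exposed by ExternalContext (slide 5).
    static boolean userCanAccess(ExternalContext ext, String viewId) {
        if (viewId != null && viewId.startsWith("/admin/")) {
            return ext.isUserInRole("ROLE_ADMIN");
        }
        return true;
    }
}
```

Register it in faces-config.xml with a phase-listener element under lifecycle.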
24. Seam Security
• Securing backing beans
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.security.Restrict;

@Name("orderController")
public class OrderController {
    // evaluated before the method body runs; callers without the role are refused
    @Restrict("#{s:hasRole('ROLE_ADMIN')}")
    public void deleteOrder() {
        // blabla
    }
}
25. Seam Security
The Good
• JSF Based
• URL Protection
• Controller security
• Entity security
• Page authorization
• JSF login form
The Bad
• Authenticate method
27. Acegi-JSF Components
• Page definition security
<authz:authorize ifAllGranted="ROLE_SUPERVISOR,ROLE_ADMIN">
    <!-- components here are only visible to users who satisfy the requirement -->
    <h:commandButton value="Delete" …/>
</authz:authorize>
• ifAllGranted
• ifAnyGranted
• ifNotGranted
<authz:authentication operation="username"/>
31. MyFaces SecurityContext
• EL extension
• Defaults to Container Managed Security
• Easy to plugin custom SecurityContextImpl
#{securityContext.authType}
#{securityContext.remoteUser}
#{securityContext.ifGranted['rolename']}
#{securityContext.ifAllGranted['rolename1,rolename2']}
#{securityContext.ifAnyGranted['rolename1,rolename2']}
#{securityContext.ifNotGranted['rolename1,rolename2']}
<h:commandButton action="#{someBackingBean.deleteSomething}"
    rendered="#{securityContext.ifAllGranted['rolename1,rolename2']}"/>
32. Custom SecurityContext
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class MyAwesomeSecurityContextImpl extends SecurityContext {
    // The container-managed calls from slide 5 stand in here for the
    // application's own user and role lookup
    private ExternalContext ext() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }
    public String getAuthType() {
        // return my authtype as string
        return ext().getAuthType();
    }
    public String getRemoteUser() {
        // return current logged in user
        return ext().getRemoteUser();
    }
    public boolean ifGranted(String role) {
        // check if user in the given role
        return ext().isUserInRole(role);
    }
}
<context-param>
    <param-name>org.apache.myfaces.SECURITY_CONTEXT</param-name>
    <param-value>com.my.company.MyAwesomeSecurityContextImpl</param-value>
</context-param>