JSF and Security
       Çağatay Çivici
About Me
•   Apache MyFaces PMC(Project Management Committee) member
•   Co-Author of “The Definitive Guide to Apache MyFaces and Facelets” from
    APRESS
•   Reference in “Core JavaServer Faces 2nd Edition”
•   Recognized speaker in international and local conferences
•   Oracle RCF(Rich Client Framework) member
•   Krank (CRUD Framework for JSF-Spring-JPA) member
•   Sourceforge jsf-comp member
•   Spring Security(Acegi) JSF Integration author
•   JSF Chart Creator project lead
•   FacesTrace project lead
•   YUI4JSF project lead
•   FC Barcelona Fan
•   Blog: http://www.prime.com.tr/cagataycivici
•   Prime Technology - 2008
Roadmap
•   JSF and Security
•   Non-JSF Based Approaches
•   JSF Based Approaches
•   Page authorization
•   Protect ViewState
JSF and Security
• The mismatch: security support in JSF
• JSF
  – MVC Framework
  – Component Oriented
  – Event Driven
• Security
  – Authentication
  – Authorization
JSF API
•   FacesContext.getCurrentInstance().getExternalContext().getRemoteUser()
•   FacesContext.getCurrentInstance().getExternalContext().getAuthType()
•   FacesContext.getCurrentInstance().getExternalContext().isUserInRole(String role)
•   FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal()
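As an added example (not code from the slides), a request-scoped managed bean that wraps these four ExternalContext calls so pages can use them in EL, e.g. rendered="#{security.roles['admin']}". The class name, the managed-bean name `security` and the `<managed-bean>` registration it assumes in faces-config.xml are this example's choices. Because JSF also skips decoding of a component whose `rendered` expression evaluates to false during the postback, a forged submit of a hidden button is ignored; the action method should still check the role itself.

```java
// Added example, not from the original slides. Assumes registration in faces-config.xml as
// <managed-bean> with managed-bean-name "security" and request scope.
package com.example.jsfsec;

import java.security.Principal;
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class SecurityBean {

    private ExternalContext externalContext() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }

    /** True when the container (or a security filter in front of it) authenticated the caller. */
    public boolean isLoggedIn() {
        Principal principal = externalContext().getUserPrincipal();
        return principal != null;
    }

    /** Login name of the authenticated user, null for an anonymous request. */
    public String getRemoteUser() {
        return externalContext().getRemoteUser();
    }

    /** BASIC, FORM, CLIENT_CERT or DIGEST as reported by the container, null if unauthenticated. */
    public String getAuthType() {
        return externalContext().getAuthType();
    }

    /**
     * Map view over isUserInRole so EL can ask #{security.roles['admin']}.
     * Only get() is meaningful; the map is never enumerated, so entrySet() is empty.
     * Evaluated on every request, including postbacks, so a hidden button stays hidden
     * (and undecoded) even if the client replays its submit.
     */
    public Map<String, Boolean> getRoles() {
        return new AbstractMap<String, Boolean>() {
            @Override
            public Boolean get(Object role) {
                return role != null && externalContext().isUserInRole(role.toString());
            }

            @Override
            public Set<Map.Entry<String, Boolean>> entrySet() {
                return Collections.emptySet();
            }
        };
    }
}
```

Usage in a page: `<h:commandButton value="Delete" action="#{orders.delete}" rendered="#{security.roles['admin']}" />`; the same `security.loggedIn` and `security.remoteUser` properties serve a header or a login link.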
Approaches
• Non-JSF based
  – Container Managed Security
  – Security Filter
  – Spring Security
• JSF based
  – ViewHandler
  – PhaseListener
  – Seam Security
Container Managed Security
    <security-constraint>
       <web-resource-collection>
         <web-resource-name>secure pages</web-resource-name>
         <url-pattern>/secure.jsf</url-pattern>
       </web-resource-collection>
       <auth-constraint>
         <role-name>admin</role-name>
       </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>myrealm</realm-name>
        <!-- required with FORM: a plain HTML/JSP form posting j_username and j_password
             to j_security_check (page names illustrative) -->
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
       <description>Admin Role</description>
       <role-name>admin</role-name>
    </security-role>
Container Managed Security
                   The Good

     • Based on Servlet API
     • Well known
     • Fine for URL Protection

                   The Bad

    • JSF Component Security (constraints apply to URLs, not to components on a page)
    • JSF Login Page (the login form must post to j_security_check, so it cannot be a JSF form)
    • Securing JSF Navigations (constraints are not applied to server-side forwards)
Container Managed Security
• Case study: demo of the JSF navigation issue. The container checks a security constraint
  against the URL of the incoming request only. A JSF navigation case without <redirect/>
  forwards to the target view inside the server, so a protected view reached by navigation
  from an unprotected page is rendered without the constraint ever being evaluated. Add
  <redirect/> to navigation cases that lead to protected views, or check inside JSF (see
  the JSF based approaches below).
Servlet Filter
   Request → Security Filter → Faces Servlet → Response
   (the filter sees every request before, and every response after, the Faces Servlet)
Servlet Filter
                   The Good
     • Based on Servlet API
     • Well known
     • Good for URL Protection
     • Non-Faces Resources (images, styles and other static files are covered too)

                   The Bad

    • JSF Component Security (the filter sees URLs, not components)
    • Faces APIs (no FacesContext is available outside the Faces Servlet)
    • Requires Maintenance (the URL-to-role table lives in your own code)
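Added example (not from the slides): a servlet filter that enforces URL-to-role rules in front of the Faces Servlet using the container's own `HttpServletRequest.isUserInRole`. The package, class name, role table and login page path are assumptions. It is mapped in web.xml with a `<filter-mapping>` on `/*`; add `<dispatcher>FORWARD</dispatcher>` to that mapping if JSF navigation forwards must be checked too, because filters, like security constraints, only see client requests by default.

```java
// Added example, not from the original slides. Role table, class name and login path are assumed.
package com.example.jsfsec;

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecurityFilter implements Filter {

    /** Path prefix (relative to the context root) -> role required; first match wins. */
    private static final Map<String, String> PROTECTED = new LinkedHashMap<String, String>();
    static {
        PROTECTED.put("/admin/", "admin");
        PROTECTED.put("/secure", "admin");   // covers /secure.jsf, /secure.xhtml, ...
        PROTECTED.put("/orders/", "user");
    }

    public void init(FilterConfig config) { }

    public void destroy() { }

    /** Returns the role a path needs, or null when the path is public. */
    static String requiredRole(String pathInContext) {
        for (Map.Entry<String, String> rule : PROTECTED.entrySet()) {
            if (pathInContext.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // servletPath + pathInfo is the part after the context path and, unlike
        // getRequestURI(), is already URL-decoded by the container.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }

        String role = requiredRole(path);
        if (role == null) {
            chain.doFilter(req, res);          // public resource: images, styles, login page
            return;
        }
        if (request.getUserPrincipal() == null) {
            // not authenticated: send to the login page rather than reveal the resource
            response.sendRedirect(request.getContextPath() + "/login.jsf");
            return;
        }
        if (!request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter relies on the container realm for `getUserPrincipal` and `isUserInRole`; with Spring Security in place you would use its filter chain instead of this one, and keep the rule table in its configuration rather than in code.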
Spring Security

 <security:http auto-config='true'>
    <security:intercept-url pattern="/login.jsp" filters="none"/>
    <security:intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
    <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
    <security:concurrent-session-control max-sessions="1"/>
    <security:logout logout-url="/logout" logout-success-url="/"/>
 </security:http>
Spring Security
• Securing JSF Beans. @Secured is enforced by a Spring proxy, so the bean must be created by
  Spring (resolved from EL through SpringBeanFacesELResolver or the DelegatingVariableResolver)
  with <global-method-security secured-annotations="enabled"/> switched on; on a plain JSF
  managed bean the annotation is silently ignored.
    public class MySecuredBackingBean {
    …
              // one role per array element: a single comma-joined string would be matched
              // as one role name that nobody holds, denying everyone
              @Secured({"ROLE_ADMIN", "ROLE_ADMINS_GIRLFRIEND"})
              public String delete() {
                       //delete something
                       return null; // stay on the current view
              }
    …
    }
Spring Security
                  The Good
    • Extendable
    • Easy configuration
    • Bean security
    • ACL
    • Securing methods

                   The Bad

   • Complex for simple applications
   • Page authorization
ViewHandler
• Decorate for Security
• Integration points: createView (new views) and restoreView (postbacks)
   // JSF 1.2: extend ViewHandlerWrapper so only the methods of interest are overridden;
   // the runtime passes the previously registered handler to the constructor
   public class SecurityViewHandler extends ViewHandlerWrapper {
     private final ViewHandler base;

     public SecurityViewHandler(ViewHandler base) {
       this.base = base;
     }

     @Override
     protected ViewHandler getWrapped() {
       return base;
     }

     @Override
     public UIViewRoot createView(FacesContext facesContext, String viewId) {
       if(!userCanAccess(viewId))
          return base.createView(facesContext, "/accessDenied.jsp");
       else
          return base.createView(facesContext, viewId);
     }

     // postbacks restore the existing view instead of creating one: check there too
     @Override
     public UIViewRoot restoreView(FacesContext facesContext, String viewId) {
       if(!userCanAccess(viewId))
          return base.createView(facesContext, "/accessDenied.jsp");
       return base.restoreView(facesContext, viewId);
     }
   …
   }
   Registered in faces-config.xml under <application><view-handler>.
ViewHandler Demo
ViewHandler
                  The Good
    • JSF Based

                  The Bad

   • Non faces resources (images, styles) are never seen by the view handler
   • Possibility to be suppressed: another view-handler registration (a component library's
     faces-config.xml, Facelets' own handler in JSF 1.x) can end up wrapping or replacing it,
     and a check that lives only in createView is skipped on postbacks, which go through
     restoreView
PhaseListener
   Request → Faces Servlet
     Restore View          ← Security Check
     Apply Request Values
     Process Validations
     Update Model Values
     Invoke Application    ← Security Check
     Render Response
   → Response
PhaseListener
 public class SecurityPhaseListener implements PhaseListener {

        public PhaseId getPhaseId() {
            return PhaseId.ANY_PHASE; // afterPhase filters on the phases it cares about
        }

        public void beforePhase(PhaseEvent phaseEvent) {
            // nothing to do before a phase
        }

        public void afterPhase(PhaseEvent phaseEvent) {
             PhaseId phaseId = phaseEvent.getPhaseId();
             // after Restore View: the requested view; after Invoke Application: the view
             // that navigation selected, which would otherwise be rendered unchecked
             if(phaseId.equals(PhaseId.RESTORE_VIEW) || phaseId.equals(PhaseId.INVOKE_APPLICATION)) {
                 FacesContext facesContext = phaseEvent.getFacesContext();
                 UIViewRoot viewRoot = facesContext.getViewRoot();
                 if(viewRoot == null) {
                     return; // no view, e.g. the response was already completed
                 }
                 String viewId = viewRoot.getViewId();
                 if(!canUserAccess(viewId)) {
                     HttpServletResponse response =
                         (HttpServletResponse) facesContext.getExternalContext().getResponse();
                     try {
                         // "/jsfcalistay" is the demo application's context path
                         response.sendRedirect("/jsfcalistay/accessDeniedPhaseListener.jsf");
                     } catch (IOException e) {
                         throw new FacesException("could not redirect to the access denied page", e);
                     }
                     facesContext.responseComplete(); // stop the lifecycle, nothing gets rendered
                 }
             }
        }
 …
 }
 Registered in faces-config.xml under <lifecycle><phase-listener>.
PhaseListener Demo
PhaseListener
                  The Good
    • JSF Based
    • Runs for every request that reaches the Faces Servlet, postbacks and forwarded
      navigations included, because the view id is checked after Restore View and again
      after Invoke Application

                  The Bad

   • Non faces resources (images, styles) never pass through the lifecycle
Seam Security
                          components.xml
 <security:identity authenticate-method="#{authenticator.authenticate}"/>

                          Authenticate Method (on your own authenticator component)
 public boolean authenticate()   // checks identity.username / identity.password, true on success

 <h:form>
         <h:outputLabel for="name" value="Username"/>
         <h:inputText id="name" value="#{identity.username}"/>

          <h:outputLabel for="password" value="Password"/>
          <h:inputSecret id="password" value="#{identity.password}"/>

          <h:commandButton value="Login" action="#{identity.login}"/>
 </h:form>
Seam Security
• URL Protection
• pages.xml

    <page view-id="/controlPanel.xhtml">
            <restrict>#{s:hasRole('ROLE_ADMIN')}</restrict>
    </page>
Seam Security
• Securing backing beans

   @Name("orderController")
   public class OrderController {

       @Restrict("#{s:hasRole('ROLE_ADMIN')}")
       public void deleteOrder() {
           //blabla
       }
   }
Seam Security
                    The Good
   • JSF Based
   • URL Protection
   • Controller security
   • Entity security
   • Page authorization
   • JSF login form
                    The Bad

   • Authenticate method: Seam drives the login form and the identity, but the credential
     check itself is left to the component you write
Page Authorization
• Show or hide components per user; this complements the URL and method checks above, it
  does not replace them
•   Acegi-JSF Components
•   Facelets Functions
•   Seam
•   MyFaces SecurityContext
Acegi-JSF Components
• Page definition security
   <authz:authorize ifAllGranted="ROLE_SUPERVISOR,ROLE_ADMIN">
     Components that are only visible to the users that satisfy the requirements here…
     <h:commandButton value="Delete" …/>
   </authz:authorize>

• ifAllGranted
• ifAnyGranted
• ifNotGranted

   <authz:authentication operation="username"/>
Facelets Function
   // static method exposed to Facelets through a *.taglib.xml <function> entry
   // (Spring Security 2.x API: getAuthorities() returns an array)
   import org.springframework.security.Authentication;
   import org.springframework.security.GrantedAuthority;
   import org.springframework.security.context.SecurityContextHolder;

   public static boolean isUserInRole(String roleName) {
       Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
       if (authentication == null) {
           return false;                          // anonymous request
       }
       GrantedAuthority[] roles = authentication.getAuthorities();
       for (GrantedAuthority role : roles) {
           if (role.getAuthority().equals(roleName)) {
               return true;
           }
       }
       return false;
   }

 <h:commandButton value="Delete" action="#{bean.delete}"
                  rendered="#{barca:isUserInRole('ROLE_ADMIN')}" />
 (the barca: prefix is the namespace the taglib.xml maps to this function)
Seam Security

 <h:commandButton
       action="#{someBackingBean.deleteSomething}"
       rendered="#{s:hasRole('ROLE_ADMIN')}" />
Seam Security

 <h:dataTable value="#{orders}" var="ord">
 …
  <h:column>
      <f:facet name="header">Delete</f:facet>
       <s:link value="Delete Order"
        action="#{orderController.delete}"
        rendered="#{s:hasPermission('order','delete',ord)}"/>
   </h:column>
 …
 </h:dataTable>
MyFaces SecurityContext
• EL extension
• Defaults to Container Managed Security (the container's isUserInRole)
• Easy to plug in a custom SecurityContextImpl
    #{securityContext.authType}
    #{securityContext.remoteUser}
    #{securityContext.ifGranted['rolename']}
    #{securityContext.ifAllGranted['rolename1,rolename2']}
    #{securityContext.ifAnyGranted['rolename1,rolename2']}
    #{securityContext.ifNotGranted['rolename1,rolename2']}

 <h:commandButton action="#{someBackingBean.deleteSomething}"
        rendered="#{securityContext.ifAllGranted['rolename1,rolename2']}" />
Custom SecurityContext
 public class MyAwesomeSecurityContextImpl extends SecurityContext {
    public String getAuthType() {
        //return my authtype as string
    }
    public String getRemoteUser() {
        //return current logged in user
    }
    public boolean ifGranted(String role) {
        //check if user in the given role
    }
 }

 <context-param>
     <param-name>org.apache.myfaces.SECURITY_CONTEXT</param-name>
     <param-value>com.my.company.MyAwesomeSecurityContextImpl</param-value>
 </context-param>
Protect the ViewState
• With client-side state saving the serialized component tree travels to the client in a
  hidden field on every page; unless it is encrypted and integrity-protected the client can
  read and modify it:
•   <input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState"
    value=quot;cjnoN2li7kqi8Z2WbOa811eyyZ3UHh2K56Gg6gQszNDFicizAEsfAahhbsLly/n77sA5+Qfp3HR/nuDxQ62wnmwBjJ4RAKf4R++/cXW
    /6+iBp3BCjEJEyaYamWpbwrEaff4JIBH95NBpeV+NxAA/ajo21eqj2HB6LsUfA/jOjGVoNhvb/wEbUdAhW7q64qj0QUFLKoKLxmP1y4ZE2O
    ffr5SFQZBOOJDgQ219TiC2mMmOGpYJkyda5gf8fSBzHIjTJtMpkoPyBhuBp3BCjEJEyXJRPvnqCGSDcCbEtYQi9lx7B74ivhUaCnn2c0Jf3
    3AWzMZafd4RNF495qXRBsegWA0ZGpQWr/pe/hNJf2fEUOCwfNk/xPZNlKz8QmN0iarCTQTGXQUZh8aZKX3uFxSPynZ5nz1be+hzqZ5
    HcMBKR6zG++byQ1lmXPvJOwLEzGZ2gJBkPY95iKWXqkldrEj87AtO0GvWKkE+V46kbWZ2hpmETVQZzkdqLi0j6nW5LnDfXfT9GCUNs
    wqgMEhjknsobneBwGULiZ7ix43qkMIXlJ0YYESCRkdc57DY5lYzQY/W26Dxt8JGgGwkj9LAbJs03bMPAahnWEpxeeseC4TvtW809acOZj
    XJ/3O3at/Mdqyu14mxtt2t5e5DSNLmAqgXXSHmUGEYznwQOS9KyLsBTpFUYDQe0MDREW1NzChacqWBkD10DopxLJ+HDAEuD85bV
    /iYHJz3NQlzSPJwaGEbp8PlbVVn/YdMtV/elpZmX34kj/rC1o0CiAc68+VrTHIPwhs4q8DYvcQTEgB+6hgWx5G6TkwrRhb9m0B98DSaU3Lx
    du7UJaXOafbaEjXSEyWiD8ZW0PywLECX1UtWwQ3lxKXXibG23a3l7kNI0uYCqBddi6ETJipf4L/lvDjBDcQHeUBdU2Kl/sQnpJU+kqlHNe+
    0j0ilVnF04Q5OFWpmZIp1dso7ZLgQbkpUG/7K5RR0CtfzUc+sJzIQZmV4/1DwdqXjG2z3+VQNWgP0yz9PbwB2YzeJki6CbMuNWrW5Yo8
    MwLtBaF2HGEB7MR6SP0wx4IoA28lSdx2HsSThYKP/O8kW3qyokVzYupYWNcHddqlK6Nu2bzFICQ2DtbnzrTFOD/MPRsM45Xce4hXQ7
    D23T9BaBsIhHCyErpSfr+veeLLUqr6AqodKRwOCiyWPOPLoenvrsH388cbZqcv3W1RIgOM5YAqfgzrbNbZcxtA9fFGskT+VNArlJp7MY2Zt
    ORGP/z4apxqvV+IJXwOdOtK6xuHH3e+QjOSqc/GOxadVsmET+jLv72lP+tN9Du3Rn9EkkRUgl/bNuabOAZaDtacU2qTh/fKtiHZe6gEyqz2
    XwH2dIdSbemJc0889xiBEZqBgOESYQ22cVFOOxNTwHxlat63brvaxQdx0wSYsFlYHTMwo/qVs49VhOu2DHokq5xNbrZ//rpVt3XMqe+X5
    yD30S2vur+xawTZjTYlmSorxONvTwvjFLiftnMe9ieA2XcRf2Qbws+smPawkBKEtAOXiiLAp3hIb33FrYxDYVoEChnmQc+DMzxNlOw3zaJ
    MykZRn6oy0AomUxUdxI2kGlCVOHejxQnBDvmj6XAsYSzlrbJN+FidIfTYpkV3e0cDIW8rHsiTatBZWL3zmu0YI1JyLAVQw8+a0n/+1yAVCT
    6J+NhfDo6UdiC9Ilyws7TtDXQhssR3qoh9x17Nxlif/LOBU817V6Ip/Y+eyLjYgs/fnEaxgdeW8OMENxAd5cqlB1zDTb+dUn6Vk/yis6RGMAX1
    UAVou7uRDmYV0TtZKFttVdlyTjfp5Q5F0Tsj4qzw+vDTlYWbf7hrD1TosZGsbT6Mc9obUgkSsULRUr/eCRKxQtFSv94JErFC0VK/3prA0Mc
    Ldt5A0fhuQAXRbLOB+tk5wheoIGO390JZB08jJAso9qbBLvdfzUc+sJzIQZmV4/1DwdqU5XLWwZnjkhp82k0VBRHmxnoTdDbCj4eWbUK6
    PiWsmY45zzkmNPnEkcj6dL1XByNR++RYWIXMIHvQULVqI+6gSQrrgKnOqESqFDaWpLPzgKORF9t+3+sQzXpj6O42fVIYewkG+d/LfFV
    C6IQuOrZIA/HSrCzJcAUhuNAc6UCH/zvVkucTURgX/mJGk1QFJZCDR3dQvrdm0gkhCZKzNWfEYpoGjAhKICqbugdxmuLZQbqW0qYiPn
    CeOPTHL3QbIpfoZ/GHI/z4himtRXVRLML+5NyB2zY5gCFkLE1ndMjTdMGDpmu9tJOqUsmfHADUrVXiF58GlBNEiwUL8hxxTB30vWPCS
    mt5ZNuML57GU98tciku9zMr9RZF042UTURw0RNvg5d3FpSVK6iuF5MRKSfkQs6zPN1m1JXj6tq4jBjWZ4l10TKWvM45qwYwB1/9Uk6wb
    gDeawD1AXpX/lFLKOgPz2bRzp62oQJknhKfANxS8NX6FbUoeEbq8UCvndmMVg1mRBD8AAeZ+aejfKFoACLDXlY0hy1RisbE/kMDSpxP
    /D+j7V/RdhJO+0eszWvJJtNPs2swsZzoK4hjt/dCWQdPI/71KpGQim5xlqjHjHY4mDGZleP9Q8Hal88oxKykFUQYDEQ3KRz675N28vIu+Rt
    7AybDcnlzTi+YbOKvA2L3EExIAfuoYFseRCQzwdnhDhIoZ8NDazCdYM8p2H3t46MR2rMsR+B0Q6Izbtm8xSAkNgzlihd3SqMtOVuj07dMZ
    FhXIWaExKordOT96wcyFY3hLqImCn+z/U0SFUFoQZvLd+NN5nRpZ306hMq+VDqbwXh4IBAOYAzwHZo8jCDrfGHs7DYKb34rSHlMnPT
    Yk1MTgY2274j9ci5o1CAQDmAM8B2ZX62EUfdC6sJpjOWqdcwBfPofXChsPp82sx//RPwgu6y9nXdc4RLxtAo64SXmcdzKJXAMTvWO3xs
    b75vJDWWZcbbviP1yLmjUIBAOYAzwHZrrqBsyYPolmbjgXhK2KMvrWFOtn0nQne/O3AKPReE70WiloiJgp0WZCcEO+aPpcC1eyyZ3UHh
    2KV/gOQ+q4Q7PBdBhadxtM+pWXQJfDPX9K3T/QjJykD7a4vEyF0rrpfH681LoX50+YgkSsULRUr/eCRKxQtFSv9589YNTYpEoSmmChJ1
    cujHKbQDA6ApqouhzFPZN1RXmspR2IL0iXLCxwBmf6k7hYMeqiH3HXs3GW+yfPXMCEGAHoin9j57IuNum608SbPOCr9c/wJwAXAev7x
    k/N7Gn0FfWRhlVfpdYSGzirwNi9xBMSAH7qGBbHkdQFKnbYQ80DjnPOSY0+cSRyPp0vVcHI1MwwOB6mohdlzFJnDPSn3W9hJzQXrQy
    OiVVQOut45pL+PULx/inIPznHECBqgvm5ECbe6WdfeFnfxIW5JaekPaEUbGwU6i3uqLKDHYb58r/IxlDcqoIvU7KUTRSh3NKV7m0wAtPa
    HaYoPIWJOpZof+SCRKxQtFSv93H9+08c8xaRmmChJ1cujHKM6oQT0D3hjZxxwQB7wM7MtSxrTlWiv+ocs46hAgrz4w==" />
ViewState Encryption
• Turned on by default (org.apache.myfaces.USE_ENCRYPTION); it matters for client-side state
  saving (javax.faces.STATE_SAVING_METHOD=client), with server-side saving the client never
  receives the serialized view
• Several JCE algorithms, default: DES
• The secret is the base64 encoding of the raw key bytes, so its length must fit the algorithm
  (8 bytes for DES) and it must be random and private to the deployment. The value below is
  the base64 of the ASCII string "76543210", a sample only, not a key to ship.
     <context-param>
          <param-name>org.apache.myfaces.SECRET</param-name>
          <param-value>NzY1NDMyMTA=</param-value>
     </context-param>

    <context-param>
         <param-name>org.apache.myfaces.ALGORITHM</param-name>
         <param-value>Blowfish</param-value>
    </context-param>
• DES has a 56-bit key; prefer AES. Encryption alone does not stop a client from tampering
  with the blob: later MyFaces releases also apply a MAC to the state
  (org.apache.myfaces.MAC_SECRET / MAC_ALGORITHM), and server-side state saving avoids the
  problem entirely.
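Added example (not from the slides), written for Java 8: it decodes the slide's sample secret to show what MyFaces would actually use as the key, then generates a random key base64-encoded the way `org.apache.myfaces.SECRET` expects and prints the matching context-params. The parameter names are the ones MyFaces 1.2 reads; the choice of AES with a 128-bit key is this example's, not a MyFaces default.

```java
// Added example, not from the original slides. Requires Java 8 (java.util.Base64).
package com.example.jsfsec;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class ViewStateSecret {

    /** The value shown on the slide: base64 of the eight ASCII characters "76543210". */
    static final String SLIDE_SECRET = "NzY1NDMyMTA=";

    /** Decodes a base64 context-param value back to the raw key bytes MyFaces will use. */
    static byte[] keyBytes(String base64Secret) {
        return Base64.getDecoder().decode(base64Secret);
    }

    /** Generates a fresh random key for the given JCE algorithm and returns it base64-encoded. */
    static String newSecret(String algorithm, int keyBits) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance(algorithm);
        generator.init(keyBits);                  // seeded from a SecureRandom internally
        SecretKey key = generator.generateKey();
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    /** The two context-params to paste into web.xml. */
    static String contextParams(String algorithm, String secret) {
        return "<context-param>\n"
             + "    <param-name>org.apache.myfaces.ALGORITHM</param-name>\n"
             + "    <param-value>" + algorithm + "</param-value>\n"
             + "</context-param>\n"
             + "<context-param>\n"
             + "    <param-name>org.apache.myfaces.SECRET</param-name>\n"
             + "    <param-value>" + secret + "</param-value>\n"
             + "</context-param>\n";
    }

    public static void main(String[] args) throws Exception {
        byte[] slideKey = keyBytes(SLIDE_SECRET);
        System.out.println("slide secret decodes to \""
                + new String(slideKey, StandardCharsets.US_ASCII) + "\": "
                + slideKey.length + " printable bytes, a DES key anyone can guess");

        String secret = newSecret("AES", 128);   // 16 random bytes, base64 in web.xml
        System.out.print(contextParams("AES", secret));
    }
}
```

Generate the secret once per deployment and keep it out of version control; every instance behind a load balancer needs the same value, otherwise a ViewState encrypted by one node cannot be restored by another.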
The End
• cagatay@apache.org
• http://www.prime.com.tr/cagataycivici
• PlayStation3 online id: facescontext
