Right - the nice thing about the jsf-security EL extensions is that
they don't have to be driven from Container Security you can plug in
pretty much any home grown concept of a login page to authenticate and
then your own auth mechanism as well. For instance if you take the
approach of using a "userInfo" bean on the session which is generated
by your own login process then it's trivial to hook that up into the EL
interface
I guess the next phase of js-security where we're going to start
protecting navigation targets based on role will be of interest to you
was well
Duncan
Dave wrote:
This is great!
I posted a message before about how to login without any
protected page. I looked at authenticator package where there is
FormAuthenticator. I like to do similar, but without a protected page.
User can click a login link and register all necessary info with
session after successful authentication, and stay in the same page. The
page will render differently depending on roles.
It was suggested to have a dummy protected page that will
redirect to current page. The problem is that the current page is
stateful using <saveState>, and the data will not be available by
redirecting from the dummy protected page.
I looked the source code of servlet authenticator package. But
have not figured out how to the realm object to call
authenticate(....). Any help is appreciated.
Thanks. Dave
Several Points here
1) Using Security Attributes within your pages.
I'm about to release 1.0 of the jsf-security project on
SourceForge (www.sourceforge.net/projects/jsf-security)
this provides extensions to EL which will give you a new scope
#{securityScope} and a bunch of attributes and pseudo functions such as
#{securityScope.isUserInRole['manager,admin']} which allow you to use
expressions to control rendering and read-only states of components -
even if they are not "role" enabled in the way that the myfaces
components are. jsf-security is fully pluggable and so if you use Acegi
or a home grown Authorization / Authentication mechanism you can plug
it in underneath the same consistent EL.
The current version hooks into Container Security, and we've j ust
started a JAAS adapter as well.
If anyone wants to get involved - particularly of you use Acegi today
get in touch.
For more info on this see this
blog entry: and the project on SF. You can pull the source from CVS
today and build - it all works I just need to write the doc and the
localize the message strings...
2) Using the database to Authenticate / Authorize
Your mileage will vary from container to container, but with OC4J
(& Oracle App server) you can plus in your own custom login modules
that can do just this - Frank and I who work on the jsf-security
project just posted a paper on that process a few weeks back:
Declarative
J2EE authentication and authorization with JAAS
Duncan
Dave wrote:
hi Andrew,
How to get a Realm object so that I can call authenticate()?
I am using Database to store username and password. Thanks.
Andrew robinson <[EMAIL PROTECTED]>
wrote:
I am using the built in Tomcat DataSourceRealm so
that single sign-on is possible. My login is still using a normal JSP
instead of JSF, so I can't use JSF components to build my login page.
Has anyone integrated the form-base web.xml authentication with a JSF
login page?
On 10/4/05, Mike Kienenberger <[EMAIL PROTECTED] > wrote:
I've switch from a login page to a filter that
authenticates and sets
the User database record in the session. (Actually, I fetch this
record every request, and store it in the request, but that may be too
excessive for your situation).
I then have additional filters that work on that data to provide
coarse-grain security (ie, if you don't pass the filter, you can't
access any of the application).
I also have a SecurityRoleManager bean that provides fine-grain
control by operating on the record stored in the session. Ie,
"securityRoleManager.canEditDate()"
On 10/4/05, Eurig Jones <[EMAIL PROTECTED]>
wrote:
> I'm trying to decide on a Login/Logout system to protect my files
using
> JSF.. I've played about with extending NavigationHandler, but the
> problem is, it doesn't protect the files which aren't JSF, a nd
you can
> still run the JSP files if you wanted to...
>
> How have you people gone about a database driven login/logout
system
> using Faces?
>
Yahoo! for Good
Click here to
donate to the Hurricane Katrina relief effort.
--
Regards
Duncan Mills
Senior Principal Product Manager
Oracle Application Development Tools
[EMAIL PROTECTED]
Yahoo! for Good
Click here to
donate to the Hurricane Katrina relief effort.
--
Regards
Duncan Mills
Senior Principal Product Manager
Oracle Application Development Tools
[EMAIL PROTECTED]
|
- Re: Login system security Duncan Mills
-