Hi Veit,

I don't use spring, so I can't use this mechanism :(
Is there a possibility to get the action to call over the facesContext?

thanks,
Rudi

On 5/15/07, Walter Oliver (BR/ICI3) <[EMAIL PROTECTED]> wrote:
Ms. Nolte will send the first test orders this evening at 16:30. Customers can likewise already place orders.

Regards,
Oliver Walter

> -----Original Message-----
> From: Veit Guna [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 15 May 2007 12:11
> To: MyFaces Discussion
> Subject: Re: MyFaces and Security
>
> I didn't follow the whole thread, but isn't acegi (if you use
> spring) a solution? I use it to protect specific URLs as
> well as method invocations on backing beans. Works fine for
> me (but I'm using spring). I must also admit that I'm using
> jsf-spring to let spring create the backing beans for me (and
> thus let acegi take over security).
>
> /Veit
>
>
> -------- Original Message --------
> Date: Tue, 15 May 2007 12:03:21 +0200
> From: "Rudi Steiner" <[EMAIL PROTECTED]>
> To: "MyFaces Discussion" <users@myfaces.apache.org>
> Subject: Re: MyFaces and Security
>
> > Hi Cagatay,
> >
> > thanks for the hint. This is definitely one step in making a jsf-app
> > secure.
> >
> > I would like to increase the security of my app by writing a
> > phaselistener, which checks the action the current request is calling
> > and makes sure that the current user has the right to call this
> > action (example calling the method deleteUser() in a backingbean).
> >
> > Could anyone please tell me how I can determine in a phaselistener
> > which action is going to be called in the current request?
> >
> > best regards,
> > Rudi
> >
> > On 5/14/07, Cagatay Civici <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > Regarding your concerns about the viewstate at client;
> > >
> > > http://wiki.apache.org/myfaces/Secure_Your_Application
> > >
> > > Cagatay
> > >
> > >
> > > On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
> > > > Hello,
> > > >
> > > > I'm in the final state of a project and thinking about which is the
> > > > best way to make a myFaces-App secure (authentication, authorization,
> > > > ...)
> > > >
> > > > I'm thinking about the Tomcat built-in mechanism or an alternative
> > > > like securityFilter. But thinking about it, I got some questions like,
> > > > how about to fake the view state on the client side.
> > > >
> > > > Could it be, that for example a normal user who knows the
> > > > applicationcode, fakes the viewstate on the client for a page which
> > > > has for example some commandbuttons which are rendered for an admin
> > > > but are not rendered for a normal user? Has anyone made experiences in
> > > > this area?
> > > >
> > > > thanks a lot,
> > > > Rudi