Hi, Security is more kinda metadata and handling it with a ui tag would be hard to maintain. You can still use container managed security with security constraints, another alternative would be to use a phaselistener or a filter. The best solution would be acegi in case you have complex security constraints.
You can also check out the MyFaces SecurityContext that provides builtin security features on EL level. Regards, Cagatay On 8/24/07, Thomas Fischer <[EMAIL PROTECTED]> wrote: > > > Hi all, > > We have a jsp tag which checks whether the user has the permission to > access a given page. The tag retrieves the user and the item displayed on > the page from the session, and checks the permissions of the user on the > item. If the user is not permitted to access the item, the tag adds a > faces > message to the context and redirects to the main page of the application. > This works all fine. > > Now this page permisson check tag would be the only tag in the > application > so far which is NOT a jsf component. Does it make sense to convert this > into a jsf component ? (Note it has no counterpart in the rendered html.) > > If yes, how can I hook the permission check logic into the jsf lifecycle ? > If I implement the permission check as a standard JSF component, my > understanding was that the logical place to do the check is the "invoke > application" phase ? But I did not find a place where a component can hook > itself into the "invoke application phase". Is there any ? Or should I do > this in the validation phase and hook into the processValidators() method > of UIComponent instead ? > > Alternatively, as one can regard permission checks as a sort of > validation, > I tried to implement the permission check as a validator. The logical > point > to put the validator tag is directly inside the f:view tag, as it is a > permission for the entire page. However, this does not work as the View > Root is no EditableValueHolder. Of course, one could put the validator > inside any EditableValueHolder on the page, but I'd consider this as a bad > hack (e.g. what if the EditableValueHolder is sometimes rendered and > sometimes not ?) > > Any hints towards the "jsf way" of doing page permission checks are > appreciated. > > Regards, > > Thomas > >
