Working with the JSF Security project

JSF Security is a set of security extensions for JavaServer Faces that solve common access control problems. It acts as a security layer by extending the JSF EL (Expression Language): it works in a separate scope, named securityScope, and exposes the security artifacts through EL expressions. In this recipe, you will see how to use the EL extensions provided by the JSF Security project.

Getting ready

We have developed this recipe with NetBeans 6.8, JSF 2.0, and GlassFish v3. The JSF 2.0 classes were obtained from the NetBeans JSF 2.0 bundled library. In addition, we have used JSF Security 1.0, which provides support for JSF 2.0. You can download this distribution from http://sourceforge.net/projects/jsf-security/files/jsf-security/. The jsf-security libraries (including necessary dependencies) are in the book code bundle, under the /JSF_libs/jsf-security JSF 2.0 folder. The JSF Security project is available in ZIP format. All you have to do is to add the jsf-security.jar archive to your JSF projects.

How to do it...

Before developing an effective application, let's look at the available EL expressions:

| Expression | Effect |
| --- | --- |
| #{securityScope.authType} | The authentication type being used; with container security this will be BASIC, FORM, or DIGEST; JAAS may return custom strings. |
| #{securityScope.remoteUser} | The user name of the authenticated user. |
| #{securityScope.securityEnabled} | Returns true if security is currently enabled. Returns false if no security is installed or the user is not yet authenticated. |
| #{securityScope.userInRole['role_1, role_2, … role_n']} | Returns true if the user is in at least one of the roles. Returns false if the user is not in any of the roles or is not currently authenticated. |
| #{securityScope.userInAllRoles['role_1, role_2, … role_n']} | Returns true if the user is in all of the roles. Returns false if the user is not in all of the roles or is not currently authenticated. |

Next, we will write a JSF page that puts the previous expressions together in a single example. Assuming that we already have a role named JSP-ROLE, our page looks as shown next:

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
<%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
<f:view>
  <html>
    <head>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
      <title>JSF-SECURITY</title>
    </head>
    <body>
      <h:form>
        <%-- Shown when no security is installed or the user is not yet authenticated --%>
        <h:panelGroup rendered="#{!securityScope.securityEnabled}">
          <h:outputText value="Security is not enabled..."/>
        </h:panelGroup>
        <%-- Shown only for an authenticated user --%>
        <h:panelGrid columns="2"
                     rendered="#{securityScope.securityEnabled}">
          <h:outputText value="Remote User"/>
          <h:outputText value="#{securityScope.remoteUser}"/>
          <h:outputText value="Auth Type"/>
          <h:outputText value="#{securityScope.authType}"/>
          <h:outputText value="User in JSP-ROLE "/>
          <h:outputText value="#{securityScope.userInRole['JSP-ROLE']}"/>
          <h:outputText value="User in all of JSP-ROLE "/>
          <h:outputText value="#{securityScope.userInAllRoles['JSP-ROLE']}"/>
        </h:panelGrid>
      </h:form>
    </body>
  </html>
</f:view>

The jsf-security.jar contains a faces-config.xml file in its META-INF directory. This file defines custom <variable-resolver> and <property-resolver> values, as shown next:

<application>
  <property-resolver>com.groundside.jsf.securityresolver.SecurityPropertyResolver</property-resolver>
  <variable-resolver>com.groundside.jsf.securityresolver.SecurityVariableResolver</variable-resolver>
</application>

The JSP-ROLE was configured under the Sun GlassFish Enterprise Server V3 Prelude container, but you can set it up on any other container if you know how that container defines roles. For more details on how to configure the JSP-ROLE under GlassFish, you can try http://www.informit.com/authors/bio.aspx?a=3064cf95-43af-48f6-9303-8d2fdd7f3706.
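
The securityScope expressions only report what the container has already decided, so the role and the BASIC login method have to be declared in web.xml, and the container, not the rendered attribute, is what actually blocks a request. The descriptor below is an added example, not taken from the book's code bundle; the /faces/* mapping, the resource name, and the realm name "file" (GlassFish's default file realm) are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Standard JSF front controller (the /faces/* mapping is an assumption) -->
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>

  <!-- Enforced by the container before any page is rendered.
       No <http-method> is listed, so the constraint covers every HTTP method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSF Security demo pages</web-resource-name>
      <url-pattern>/faces/*</url-pattern>
      <!-- Also cover direct requests to the JSP files themselves -->
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JSP-ROLE</role-name>
    </auth-constraint>
    <!-- BASIC sends credentials base64-encoded, not encrypted: require TLS -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- #{securityScope.authType} reports this value -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name> <!-- assumed realm name -->
  </login-config>

  <!-- Role tested by userInRole['JSP-ROLE'] and userInAllRoles['JSP-ROLE'] -->
  <security-role>
    <role-name>JSP-ROLE</role-name>
  </security-role>
</web-app>
```

The role declared here still has to be mapped to real users or groups in the container, which is the GlassFish-specific step the paragraph above refers to.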

The output of this example is in the following screenshot (we set the BASIC authentication type in the web.xml descriptor):

How it works...

The JSF Security layer interacts with the default security layers and provides EL extensions for managing common access control problems. The extensions are completely pluggable and can adapt to more or less any mechanism that is used for authentication and authorization that the programmer can reach from the FacesContext/Request/Session.

Note that, by default, JSF Security hooks into J2EE container-managed security using the J2EEContainerSecurityAttributeResolver. It is possible to plug in an alternative implementation here by a simple configuration change.

See also

The code bundled with this book contains a complete example of this recipe. The project can be opened with NetBeans 6.8 and it is named: Working_with_jsf_security_project.
