Posted to users@myfaces.apache.org by Rudi Steiner <ru...@googlemail.com> on 2007/05/14 16:04:57 UTC

MyFaces and Security

Hello,

I'm in the final stage of a project and thinking about the best way to
make a MyFaces app secure (authentication, authorization, ...).

I'm thinking about the Tomcat built-in mechanism or an alternative
like securityFilter. But thinking about it, I have some questions, like
what about faking the view state on the client side?

Could it be that, for example, a normal user who knows the
application code fakes the view state on the client for a page which
has some commandButtons that are rendered for an admin but are not
rendered for a normal user? Has anyone had experience in
this area?

thanks a lot,
Rudi

Re: MyFaces and Security

Posted by Cagatay Civici <ca...@gmail.com>.
Hi,

The way for this might be:

import java.lang.reflect.Method;

import javax.faces.application.Application;
import javax.faces.component.ActionSource;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

public class ActionListenerImpl
    implements ActionListener
{
    public void processAction(ActionEvent actionEvent) throws AbortProcessingException
    {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        Application application = facesContext.getApplication();

        ActionSource actionSource = (ActionSource) actionEvent.getComponent();
        MethodBinding methodBinding = actionSource.getAction();

        // sketch only: MethodBinding has no getMethod(), see the remark below
        Method method = methodBinding.getMethod();
        if (method.isAnnotationPresent(Secure.class)) {
            // more checks, and if the user has the role call methodBinding.invoke(...)
        }
    }
}

And use it like

@Secure(ifGranted="admin")
public String secureAction() {
..
}

Unfortunately, the MethodBinding API does not reveal the method it's wrapping,
so maybe by using getExpressionString it'd be possible to reach the method
instance. But it'd be ugly.

Cagatay

On 5/16/07, Rudi Steiner <ru...@googlemail.com> wrote:
>
> Hi,
>
> I found out that when configuring an action-listener in the faces-config,
> the action defined in the action attribute of a commandButton is not
> called anymore. Does this mean that when an action-listener is configured in
> the faces-config, it is the one and only action listener for all
> actions, and the actions defined in the attributes of the tags in the
> JSP page are ignored?
>
> Best regards,
> Rudi
>
> On 5/16/07, Rudi Steiner <ru...@googlemail.com> wrote:
> > Hi Petr, hi Martin,
> >
> > I think the right way is to register an action-listener in the
> > faces-config and to determine in the method processAction(ActionEvent
> > event) whether the current user has the role to execute this action.
> >
> > Has anyone an idea how to implement the role check, maybe with
> > annotations on the method which is going to be called? How can I find
> > out from the event parameter which method in the backing bean is going to
> > be called by this action?
> >
> > thanks a lot,
> > Rudi
> >
> >
> > On 5/15/07, Martin Marinschek <ma...@gmail.com> wrote:
> > > You wouldn't register a phase-listener, you'd rather decorate the
> > > action-listener to find a solution to this.
> > >
> > > faces-config.xml:
> > > <application>
> > >   <action-listener>your decorator goes here</action-listener>
> > > </application>
> > >
> > > ... the default-action listener calls all actions!
> > >
> > > regards,
> > >
> > > Martin
> > >
> > > On 5/15/07, Petr Kotek <ko...@crcdata.cz> wrote:
> > > > Hi Rudi,
> > > >
> > > > I am only a beginner in JSF and I don't know if a better way exists to
> > > > handle login, but the following code may help you.
> > > >
> > > > PhaseListener
> > > > -------------------------------------------
> > > > import java.io.IOException;
> > > > import javax.faces.application.FacesMessage;
> > > > import javax.faces.context.ExternalContext;
> > > > import javax.faces.context.FacesContext;
> > > > import javax.faces.event.PhaseEvent;
> > > > import javax.faces.event.PhaseId;
> > > > import javax.faces.event.PhaseListener;
> > > > import javax.servlet.http.HttpServletRequest;
> > > >
> > > > public class LoginPhaseListener implements PhaseListener {
> > > >   private static final String LOGIN_SOURCE = "loginButton";
> > > >   private static final String METHOD_GET = "GET";
> > > >   private static final String MAIN_PAGE = "main.jsp";
> > > >   private static final String LOGIN_PAGE = "index.jsp";
> > > >
> > > >   public LoginPhaseListener() {
> > > >   }
> > > >
> > > >   public PhaseId getPhaseId() {
> > > >     return PhaseId.RESTORE_VIEW;
> > > >   }
> > > >
> > > >   public void beforePhase(PhaseEvent phaseEvent) {
> > > >   }
> > > >
> > > >   public void afterPhase(PhaseEvent phaseEvent) {
> > > >     FacesContext ctx = phaseEvent.getFacesContext();
> > > >     JSFSession session = (JSFSession) ctx.getApplication()
> > > >         .createValueBinding("#{JSFSession}").getValue(ctx);
> > > >     if (!session.isLogged()) {
> > > >       ExternalContext ex = ctx.getExternalContext();
> > > >       try {
> > > >         HttpServletRequest hsrq = (HttpServletRequest) ex.getRequest();
> > > >         // If source is loginButton, then try doLogin
> > > >         if (LOGIN_SOURCE.equalsIgnoreCase(hsrq.getParameter("source"))) {
> > > >           // Get info from login page
> > > >           String login = hsrq.getParameter("login");
> > > >           String password = hsrq.getParameter("password");
> > > >           // Check it
> > > >           if ((login == null) || (password == null)
> > > >               || (login.length() == 0) || (password.length() == 0)) {
> > > >             ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
> > > >                 "Login or Password can't be empty!", null));
> > > >           } else if (session.doLogin(login, password)) {
> > > >             if (METHOD_GET.equalsIgnoreCase(hsrq.getMethod())) {
> > > >               // Special login (for debug app - autologin) from request
> > > >               // parameters (?source=loginButton&login=name&password=psw) -
> > > >               // redirect to main.jsp. Note: with GET the credentials travel
> > > >               // in the URL (browser history, access logs).
> > > >               ex.redirect(MAIN_PAGE);
> > > >             }
> > > >           } else {
> > > >             ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
> > > >                 "Bad Login or Password!", null));
> > > >           }
> > > >         } else if (hsrq.getRequestURI().indexOf(LOGIN_PAGE) < 0) {
> > > >           ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
> > > >               "Session Logged Out or Expired!", null));
> > > >           ex.redirect(LOGIN_PAGE);
> > > >         }
> > > >       } catch (Exception e) {
> > > >         e.printStackTrace();
> > > >         ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
> > > >             "Unexpected login error!", e.getMessage()));
> > > >         try {
> > > >           ex.redirect(LOGIN_PAGE);
> > > >         } catch (IOException f) {
> > > >           // nothing more we can do here
> > > >         }
> > > >       }
> > > >     }
> > > >   }
> > > > }
> > > > -------------------------------------------
> > > > Navigation Handler
> > > > -------------------------------------------
> > > > import javax.faces.application.NavigationHandler;
> > > > import javax.faces.context.FacesContext;
> > > >
> > > > public class LoginNavigationHandler extends NavigationHandler {
> > > >   private final NavigationHandler deflNavHandler;   // Original handler
> > > >
> > > >   public LoginNavigationHandler(NavigationHandler navHandler) {
> > > >     super();
> > > >     deflNavHandler = navHandler;
> > > >   }
> > > >
> > > >   public void handleNavigation(FacesContext facesContext, String fromAction,
> > > >       String outcome) {
> > > >     try {
> > > >       JSFSession session = (JSFSession) facesContext.getApplication()
> > > >           .createValueBinding("#{JSFSession}").getValue(facesContext);
> > > >       if (!session.isLogged()) {
> > > >         outcome = "logout";
> > > >       }
> > > >     } catch (Exception ex) {
> > > >       ex.printStackTrace();
> > > >     } finally {
> > > >       deflNavHandler.handleNavigation(facesContext, fromAction, outcome);
> > > >     }
> > > >   }
> > > > }
> > > > -------------------------------------------
> > > >
> > > >
> > > > Where JSFSession is a session bean with boolean .isLogged() and
> > > > boolean .doLogin(login, password) methods. Actually I checked login/password
> > > > against a database table of valid users.
> > > >
> > > > Petr
> > > >
> > > >
> > > >
> > > > Rudi Steiner wrote:
> > > > > Hi Veit,
> > > > >
> > > > > I don't use Spring, so I can't use this mechanism :(
> > > > >
> > > > > Is there a possibility to get the action to call via the
> > > > > FacesContext?
> > > > >
> > > > > thanks,
> > > > > Rudi
> > > > >
> > > > > On 5/15/07, Walter Oliver (BR/ICI3) <oliver.walter@boschrexroth.de
> >
> > > > > wrote:
> > > > >> Ms. Nolte will send the first test orders this evening at 16:30.
> > > > >>
> > > > >> Customers can likewise already place orders.
> > > > >>
> > > > >> Regards, Oliver Walter
> > > > >>
> > > > >> > -----Original Message-----
> > > > >> > From: Veit Guna [mailto:Veit.Guna@gmx.de]
> > > > >> > Sent: Tuesday, 15 May 2007 12:11
> > > > >> > To: MyFaces Discussion
> > > > >> > Subject: Re: MyFaces and Security
> > > > >> >
> > > > >> > I didn't follow the whole thread, but isn't Acegi (if you use
> > > > >> > Spring) a solution? I use it to protect specific URLs as
> > > > >> > well as method invocations on backing beans. Works fine for
> > > > >> > me (but I'm using Spring). I must also admit that I'm using
> > > > >> > jsf-spring to let Spring create the backing beans for me (and
> > > > >> > thus let Acegi take over security).
> > > > >> >
> > > > >> > /Veit
> > > > >> >
> > > > >> >
> > > > >> > -------- Original Message --------
> > > > >> > Date: Tue, 15 May 2007 12:03:21 +0200
> > > > >> > From: "Rudi Steiner" <ru...@googlemail.com>
> > > > >> > To: "MyFaces Discussion" <us...@myfaces.apache.org>
> > > > >> > Subject: Re: MyFaces and Security
> > > > >> >
> > > > >> > > Hi Cagatay,
> > > > >> > >
> > > > >> > > thanks for the hint. This is definitely one step in making
> > > > >> > > a JSF app secure.
> > > > >> > >
> > > > >> > > I would like to increase the security of my app by writing a
> > > > >> > > phase listener which checks the action the current request
> > > > >> > > is calling and makes sure that the current user has the right to
> > > > >> > > call this action (for example calling the method deleteUser() in
> > > > >> > > a backing bean).
> > > > >> > >
> > > > >> > > Could anyone please tell me how I can determine in a phase
> > > > >> > > listener which action is going to be called in the current request?
> > > > >> > >
> > > > >> > > best regards,
> > > > >> > > Rudi
> > > > >> > >
> > > > >> > > On 5/14/07, Cagatay Civici <ca...@gmail.com> wrote:
> > > > >> > > > Hi,
> > > > >> > > >
> > > > >> > > >  Regarding your concerns about the view state at the client:
> > > > >> > > >
> > > > >> > > >  http://wiki.apache.org/myfaces/Secure_Your_Application
> > > > >> > > >
> > > > >> > > >  Cagatay
> > > > >> > > >
> > > > >> > > >
> > > > >> >
> > > > >> >
> > > > >>
> > > > >
> > > >
> > >
> > >
> > > --
> > >
> > > http://www.irian.at
> > >
> > > Your JSF powerhouse -
> > > JSF Consulting, Development and
> > > Courses in English and German
> > >
> > > Professional Support for Apache MyFaces
> > >
> >
>
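As an added example (not code from anyone in this thread), here is a working version of the approach Cagatay sketches and Martin recommends: an ActionListener that decorates the default one, resolves the target method from the MethodBinding's expression string by reflection, checks a RUNTIME-retained @Secure annotation against the container roles, and then delegates, so the action still runs for permitted users (the "not called anymore" problem Rudi ran into). Because the check happens on the server at invocation time, a client who fabricates view state for a button that was never rendered for him is still refused. It assumes the JSF 1.1 API used in the thread, that the implementation hands the previously configured listener to the one-argument constructor (as MyFaces does for decorators), and the placeholder package com.example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import javax.faces.application.FacesMessage;
import javax.faces.component.ActionSource;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

/** Marks an action method that only users in the given container role may invoke. */
@Retention(RetentionPolicy.RUNTIME) // without RUNTIME retention getAnnotation() is always null
@Target(ElementType.METHOD)
@interface Secure {
    String ifGranted();
}

/*
 * Registered as a decorator of the default listener in faces-config.xml:
 *   <application>
 *     <action-listener>com.example.SecureActionListener</action-listener>
 *   </application>
 * (com.example is a placeholder package.) Assumption: the implementation hands the
 * previously configured listener to the one-argument constructor, as MyFaces does.
 */
public class SecureActionListener implements ActionListener {
    private final ActionListener delegate;

    public SecureActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        UIComponent source = event.getComponent();
        if (source instanceof ActionSource) {
            MethodBinding action = ((ActionSource) source).getAction();
            if (action != null) {
                checkAccess(ctx, action.getExpressionString());
            }
        }
        // The default listener is what invokes the action method and passes its outcome
        // to the NavigationHandler; replacing it without delegating means no action runs.
        delegate.processAction(event);
    }

    /** Denies the request unless the target is unannotated or the user holds the role. */
    private void checkAccess(FacesContext ctx, String expression) throws AbortProcessingException {
        if (!isMethodExpression(expression)) {
            return; // literal outcome such as action="next": no bean method to protect
        }
        Method target = resolveMethod(ctx, expression);
        if (target == null) {
            deny(ctx, "cannot resolve " + expression); // fail closed, never run unchecked
        }
        Secure secure = target.getAnnotation(Secure.class);
        if (secure != null && !ctx.getExternalContext().isUserInRole(secure.ifGranted())) {
            deny(ctx, "role " + secure.ifGranted() + " required for " + expression);
        }
    }

    private void deny(FacesContext ctx, String reason) throws AbortProcessingException {
        // generic message for the user; the detailed reason stays server-side
        ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                "You are not allowed to perform this action.", null));
        ctx.renderResponse();
        throw new AbortProcessingException(reason);
    }

    static boolean isMethodExpression(String expression) {
        return expression != null && expression.startsWith("#{")
                && expression.endsWith("}") && expression.indexOf('.') > 2;
    }

    /** Resolves "#{bean.method}" to the no-arg Method on the bean's runtime class, or null. */
    static Method resolveMethod(FacesContext ctx, String expression) {
        String body = expression.substring(2, expression.length() - 1).trim();
        int dot = body.lastIndexOf('.');
        Object bean = ctx.getApplication()
                .createValueBinding("#{" + body.substring(0, dot) + "}").getValue(ctx);
        if (bean == null) {
            return null;
        }
        try {
            // action methods take no parameters; annotations are read from the runtime
            // class, so a proxying framework may hide them
            return bean.getClass().getMethod(body.substring(dot + 1));
        } catch (NoSuchMethodException e) {
            return null;
        }
    }
}
```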

Re: MyFaces and Security

Posted by Rudi Steiner <ru...@googlemail.com>.
Hi,

I found out that when configuring an action-listener in the faces-config,
the action defined in the action attribute of a commandButton is not
called anymore. Does this mean that when an action-listener is configured in
the faces-config, it is the one and only action listener for all
actions, and the actions defined in the attributes of the tags in the
JSP page are ignored?

Best regards,
Rudi


Re: MyFaces and Security

Posted by Rudi Steiner <ru...@googlemail.com>.
Hi,

thank you for your examples and links. I think this is exactly the way
I will resolve the problem.

Best regards,
Rudi

On 5/16/07, Bernd Bohmann <be...@atanion.com> wrote:
> Hello Rudi,
>
> take a look at
>
> http://svn.apache.org/repos/asf/myfaces/tobago/trunk/contrib/security/
>
> This example uses a different ApplicationFactory that returns a
> MethodBindingImpl that checks the role of the user.
>
> The security package is used in the
>
> http://svn.apache.org/repos/asf/myfaces/tobago/trunk/example/addressbook
>
> Regards
>
> Bernd
>

Re: MyFaces and Security

Posted by Bernd Bohmann <be...@atanion.com>.
Hello Rudi,

take a look at

http://svn.apache.org/repos/asf/myfaces/tobago/trunk/contrib/security/

This example uses a different ApplicationFactory that returns a
MethodBindingImpl that checks the role of the user.

The security package is used in the

http://svn.apache.org/repos/asf/myfaces/tobago/trunk/example/addressbook

Regards

Bernd

Rudi Steiner wrote:
> Hi Petr, hi Martin,
> 
> I think the right way is to register an action-listener in the
> faces-config and to determine in the method processAction(ActionEvent
> event) if the current user has the role to execute this action.
> 
> Has anyone an idea how to implement the role-check, maybe with
> annotations on the method which is going to be called? How can I find
> out from the event-param which method in the backingbean is going to
> be called by this action?
> 
> thanks a lot,
> Rudi
> 
> 

Re: MyFaces and Security

Posted by Rudi Steiner <ru...@googlemail.com>.
Hi Petr, hi Martin,

I think the right way is to register an action-listener in the
faces-config and to determine in the method processAction(ActionEvent
event) if the current user has the role to execute this action.

Has anyone an idea how to implement the role-check, maybe with
annotations on the method which is going to be called? How can I find
out from the event-param which method in the backingbean is going to
be called by this action?

thanks a lot,
Rudi


On 5/15/07, Martin Marinschek <ma...@gmail.com> wrote:
> You wouldn't register a phase-listener, you'd rather decorate the
> action-listener to find a solution to this.
>
> faces-config.xml:
> <application>
>   <action-listener>your decorator goes here</action-listener>
> </application>
>
> ... the default-action listener calls all actions!
>
> regards,
>
> Martin
>

Re: MyFaces and Security

Posted by Martin Marinschek <ma...@gmail.com>.
You wouldn't register a phase-listener, you'd rather decorate the
action-listener to find a solution to this.

faces-config.xml:
<application>
  <action-listener>your decorator goes here</action-listener>
</application>

... the default-action listener calls all actions!

regards,

Martin

On 5/15/07, Petr Kotek <ko...@crcdata.cz> wrote:
> Hi Rudi,
>
> I am only a beginner in JSF and I don't know if a better way exists to
> handle login, but the following code may help you.
>
> PhaseListener
> -------------------------------------------
> public class LoginPhaseListener implements PhaseListener {
>   private final String LOGIN_SOURCE = "loginButton";
>   private final String METHOD_GET = "GET";
>   private final String MAIN_PAGE = "main.jsp";
>   private final String LOGIN_PAGE = "index.jsp";
>
>   public LoginPhaseListener() {
>   }
>
>   public PhaseId getPhaseId() {
>     return PhaseId.RESTORE_VIEW;
>   }
>
>   public void beforePhase(PhaseEvent phaseEvent) {
>   }
>
>   public void afterPhase(PhaseEvent phaseEvent) {
>     FacesContext    ctx;
>     ExternalContext ex;
>     JSFSession session;
>     HttpServletRequest hsrq;
>     String login;
>     String password;
>     HttpServletResponse hrsp;
>
>     ctx = phaseEvent.getFacesContext();
>     session =
> (JSFSession)ctx.getApplication().createValueBinding("#{JSFSession}").getValue(ctx);
>     if (!session.isLogged()) {
>       ex = ctx.getExternalContext();
>       try {
>         hsrq = (HttpServletRequest)ex.getRequest();
>         // If source is loginButton, then try doLogin
>         if (LOGIN_SOURCE.equalsIgnoreCase(hsrq.getParameter("source"))) {
>           // Get ifo from login page
>           login = hsrq.getParameter("login");
>           password = hsrq.getParameter("password");
>           // Check it
>           if ((login == null) || (password == null) || (login.length()
> == 0) || (password.length() == 0))  {
>             ctx.addMessage(null, new
> FacesMessage(FacesMessage.SEVERITY_ERROR, "Login or Password can't be
> empty!", null));
>           } else if (session.doLogin(login, password)) {
>             if (METHOD_GET.equalsIgnoreCase(hsrq.getMethod())) {
>               // Special login (for debug app - autologin) from request
> parameters (?source=loginButton&login=name&password=psw) - redirect to
> main.jsp
>               ex.redirect(MAIN_PAGE);
>             }
>           } else {
>             ctx.addMessage(null, new
> FacesMessage(FacesMessage.SEVERITY_ERROR, "Bad Login or Password!", null));
>           }
>         } else if (hsrq.getRequestURI().indexOf(LOGIN_PAGE) < 0) {
>           ctx.addMessage(null, new
> FacesMessage(FacesMessage.SEVERITY_ERROR, "Session Logged Out or
> Expired!", null));
>           ex.redirect(LOGIN_PAGE);
>         }
>       } catch (Exception e) {
>         e.printStackTrace();
>         ctx.addMessage(null, new
> FacesMessage(FacesMessage.SEVERITY_ERROR, "Unexpected login error!",
> e.getMessage()));
>         try {
>           ex.redirect(LOGIN_PAGE);
>         } catch (IOException f) {;}
>       }
>     }
>   }
> }
> -------------------------------------------
> Navigation Handler
> -------------------------------------------
> public class LoginNavigationHandler extends NavigationHandler {
>   private final NavigationHandler deflNavHandler;   // Original handler
>
>   public LoginNavigationHandler(NavigationHandler navHandler) {
>     super();
>     deflNavHandler = navHandler;
>   }
>
>   public void handleNavigation(FacesContext facesContext, String
> fromAction, String outcome) {
>     JSFSession session;
>     try  {
>       session =
> (JSFSession)facesContext.getApplication().createValueBinding("#{JSFSession}").getValue(facesContext);
>       if (!session.isLogged())  {
>         outcome = "logout";
>       }
>     } catch (Exception ex)  {
>       ex.printStackTrace();
>     } finally  {
>       deflNavHandler.handleNavigation(facesContext, fromAction, outcome);
>     }
>   }
> }
> -------------------------------------------
>
>
> Where JSFSession is session bean with boolean .isLogged() and boolean
> .doLogin(login, password) methods. Actually I checked login/password
> against database table with valid users.
>
> Petr
>
>
>
> Rudi Steiner wrote:
> > Hi Veit,
> >
> > I don't use spring, so I can't use this mechanism :(
> >
> > Is there a possibility to get the action to call over the facesContext?
> >
> > thanks,
> > Rudi
> >
> > On 5/15/07, Walter Oliver (BR/ICI3) <ol...@boschrexroth.de>
> > wrote:
> >> Frau Nolte wird heute abend 16:30 erste Testbestellungen absenden.
> >>
> >> Kunden können ebenso bereits bestellen.
> >>
> >> Gruss Oliver Walter
> >>
> >> > -----Ursprüngliche Nachricht-----
> >> > Von: Veit Guna [mailto:Veit.Guna@gmx.de]
> >> > Gesendet: Dienstag, 15. Mai 2007 12:11
> >> > An: MyFaces Discussion
> >> > Betreff: Re: MyFaces and Security
> >> >
> >> > I didn't follow the whole thread, but isn't acegi (if you use
> >> > spring) a solution? I use it to protect specific url's as
> >> > well es method invocations on backing beans. Works fine for
> >> > me (but I'm using spring). I must also admit, that I'm using
> >> > jsf-spring to let spring create the backing beans for me (and
> >> > thus let acegi take over security).
> >> >
> >> > /Veit
> >> >
> >> >
> >> > -------- Original-Nachricht --------
> >> > Datum: Tue, 15 May 2007 12:03:21 +0200
> >> > Von: "Rudi Steiner" <ru...@googlemail.com>
> >> > An: "MyFaces Discussion" <us...@myfaces.apache.org>
> >> > Betreff: Re: MyFaces and Security
> >> >
> >> > > Hi Cagatay,
> >> > >
> >> > > thanks for the hint. This is definitely one step in making
> >> > an jsf-app
> >> > > secure.
> >> > >
> >> > > I would like to increase the security of my app by writing a
> >> > > phaselistener, which checks the action the current request
> >> > is calling
> >> > > and makes sure, that the current user has the right to call this
> >> > > action (example calling the method deleteUser() in a backingbean).
> >> > >
> >> > > Could anyone please tell me, how I can determine in a phaselistener
> >> > > which action is going to be called in the current request?
> >> > >
> >> > > best regards,
> >> > > Rudi
> >> > >
> >> > > On 5/14/07, Cagatay Civici <ca...@gmail.com> wrote:
> >> > > > Hi,
> >> > > >
> >> > > >  Regarding your concerns about the viewstate at client;
> >> > > >
> >> > > >  http://wiki.apache.org/myfaces/Secure_Your_Application
> >> > > >
> >> > > >  Cagatay
> >> > > >
> >> > > >
> >> > > > On 5/14/07, Rudi Steiner <ru...@googlemail.com> wrote:
> >> > > > > Hello,
> >> > > > >
> >> > > > > I'm in the final state of a project and thinking about,
> >> > which is the
> >> > > > > best way to make a myFaces-App secure (authentication,
> >> > authorization,
> >> > > > > ...)
> >> > > > >
> >> > > > > I'm thinking about the Tomcat build in mechanism or an
> >> > alternative
> >> > > > > like securityFilter. But thinking about it, I got some
> >> > questions like,
> >> > > > > how about to fake the view state on the client side.
> >> > > > >
> >> > > > > Could It be, that for example a normal user who knows the
> >> > > > > applicationcode, fakes the viewstate on the client for
> >> > a page which
> >> > > > > has for example some commandbuttons which are rendered
> >> > for an admin
> >> > > > > but are not rendered for a normal user? Has anyone made
> >> > experiences in
> >> > > > > this area?
> >> > > > >
> >> > > > > thanks a lot,
> >> > > > > Rudi
> >> > > > >
> >> > > >
> >> > > >
> >> >
> >> > --
> >> > GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS.
> >> > Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
> >> >
> >>
> >
>


-- 

http://www.irian.at

Your JSF powerhouse -
JSF Consulting, Development and
Courses in English and German

Professional Support for Apache MyFaces
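
The decorator Martin describes, combined with the annotation-based role check Rudi asks about in the preceding post, as an added example (not code from this thread or from MyFaces). It assumes JSF 1.x, a hypothetical `@Secure` annotation and class name `example.SecuredActionListener`, that the runtime passes the previously registered action listener to the one-argument constructor (the faces-config decorator convention), that backing beans are plain managed beans rather than proxies, and that roles come from the container via `ExternalContext.isUserInRole`.

```java
package example;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import javax.faces.application.FacesMessage;
import javax.faces.component.ActionSource;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

/**
 * Decorates the default ActionListener with a role check on the action
 * method about to be invoked. Registered in faces-config.xml as
 *   <application>
 *     <action-listener>example.SecuredActionListener</action-listener>
 *   </application>
 * The runtime hands the previously registered listener to the one-argument
 * constructor (assumed here), so every action still reaches the default
 * listener once the check has passed. Mark an action method with
 *   @SecuredActionListener.Secure(ifGranted = "admin")
 *   public String deleteUser() { ... }
 */
public class SecuredActionListener implements ActionListener {

    /** Hypothetical marker: the action may only be invoked by users in this role. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface Secure {
        String ifGranted();
    }

    private final ActionListener delegate;

    public SecuredActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        MethodBinding binding = ((ActionSource) event.getComponent()).getAction();
        String expr = (binding == null) ? null : binding.getExpressionString();
        // A literal outcome (action="next") or no action at all has no method to check.
        if (expr != null && expr.startsWith("#{")) {
            Method target = resolveActionMethod(ctx, expr);
            Secure secure = target.getAnnotation(Secure.class);
            if (secure != null && !ctx.getExternalContext().isUserInRole(secure.ifGranted())) {
                ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                        "You are not allowed to perform this action.", null));
                ctx.renderResponse();
                // Aborting here means the delegate never invokes the binding.
                throw new AbortProcessingException("role '" + secure.ifGranted()
                        + "' required for " + expr);
            }
        }
        delegate.processAction(event);
    }

    /**
     * MethodBinding does not expose the Method it wraps, so "#{bean.method}" is
     * split and the bean resolved by name. Anything that cannot be resolved
     * aborts the event instead of falling through to the delegate (fail closed).
     */
    static Method resolveActionMethod(FacesContext ctx, String expr) {
        if (!expr.endsWith("}")) {
            throw new AbortProcessingException("unsupported action expression: " + expr);
        }
        String body = expr.substring(2, expr.length() - 1).trim();
        int dot = body.lastIndexOf('.');
        if (dot <= 0 || dot == body.length() - 1) {
            throw new AbortProcessingException("unsupported action expression: " + expr);
        }
        String beanName = body.substring(0, dot);
        String methodName = body.substring(dot + 1);
        Object bean = ctx.getApplication()
                .createValueBinding("#{" + beanName + "}").getValue(ctx);
        if (bean == null) {
            throw new AbortProcessingException("no managed bean named " + beanName);
        }
        try {
            // JSF action methods take no arguments.
            return bean.getClass().getMethod(methodName, new Class[0]);
        } catch (NoSuchMethodException e) {
            throw new AbortProcessingException("no action method " + methodName
                    + " on " + beanName);
        }
    }
}
```

Because the check runs in the action listener, it is applied to the real server-side binding of the submitted component, not to anything the browser claims; a forged view state that re-enables an admin button still ends up in this listener before the action is invoked. Malformed expressions or missing beans abort the event rather than reaching the delegate, so a misconfiguration fails closed, while literal outcomes such as `action="next"` carry no method and pass straight through.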

Re: MyFaces and Security

Posted by Petr Kotek <ko...@crcdata.cz>.
Hi Rudi,

I am only a beginner in JSF and I don't know if a better way exists to
handle login, but the following code may help you.

PhaseListener
-------------------------------------------
import java.io.IOException;

import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletRequest;

// Runs after RESTORE_VIEW on every request; JSFSession is the application's
// own session bean (see below), not a JSF class.
public class LoginPhaseListener implements PhaseListener {
  private final String LOGIN_SOURCE = "loginButton";
  private final String METHOD_GET = "GET";
  private final String MAIN_PAGE = "main.jsp";
  private final String LOGIN_PAGE = "index.jsp";

  public LoginPhaseListener() {
  }

  public PhaseId getPhaseId() {
    return PhaseId.RESTORE_VIEW;
  }

  public void beforePhase(PhaseEvent phaseEvent) {
  }

  public void afterPhase(PhaseEvent phaseEvent) {
    FacesContext    ctx;
    ExternalContext ex;
    JSFSession session;
    HttpServletRequest hsrq;
    String login;
    String password;

    ctx = phaseEvent.getFacesContext();
    session = (JSFSession)ctx.getApplication().createValueBinding("#{JSFSession}").getValue(ctx);
    if (!session.isLogged()) {
      ex = ctx.getExternalContext();
      try {
        hsrq = (HttpServletRequest)ex.getRequest();
        // If source is loginButton, then try doLogin
        if (LOGIN_SOURCE.equalsIgnoreCase(hsrq.getParameter("source"))) {
          // Get info from login page
          login = hsrq.getParameter("login");
          password = hsrq.getParameter("password");
          // Check it
          if ((login == null) || (password == null) || (login.length() == 0) || (password.length() == 0))  {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login or Password can't be empty!", null));
          } else if (session.doLogin(login, password)) {
            if (METHOD_GET.equalsIgnoreCase(hsrq.getMethod())) {
              // Special login (for debug app - autologin) from request
              // parameters (?source=loginButton&login=name&password=psw) - redirect to
              // main.jsp. Credentials in a GET query string are written to access
              // logs and browser history, so this path is only for debugging.
              ex.redirect(MAIN_PAGE);
            }
            // A POST login continues normally; the navigation handler below
            // decides where to go.
          } else {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Bad Login or Password!", null));
          }
        } else if (hsrq.getRequestURI().indexOf(LOGIN_PAGE) < 0) {
          // Not logged in and not on the login page: send the user there
          ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Session Logged Out or Expired!", null));
          ex.redirect(LOGIN_PAGE);
        }
      } catch (Exception e) {
        e.printStackTrace();
        ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Unexpected login error!", e.getMessage()));
        try {
          ex.redirect(LOGIN_PAGE);
        } catch (IOException f) {
          // Redirect failed as well; nothing more can be done for this request
        }
      }
    }
  }
}
-------------------------------------------
Navigation Handler
-------------------------------------------
import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;

public class LoginNavigationHandler extends NavigationHandler {
  private final NavigationHandler deflNavHandler;   // Original handler

  // The JSF runtime passes the previously registered handler to this
  // constructor (decorator pattern).
  public LoginNavigationHandler(NavigationHandler navHandler) {
    super();
    deflNavHandler = navHandler;
  }

  public void handleNavigation(FacesContext facesContext, String fromAction, String outcome) {
    JSFSession session;
    try  {
      session = (JSFSession)facesContext.getApplication().createValueBinding("#{JSFSession}").getValue(facesContext);
      if (!session.isLogged())  {
        // Not logged in: force the "logout" navigation case whatever the action returned
        outcome = "logout";
      }
    } catch (Exception ex)  {
      // Lookup failed: the original outcome is kept and passed on below
      ex.printStackTrace();
    } finally  {
      deflNavHandler.handleNavigation(facesContext, fromAction, outcome);
    }
  }
}
-------------------------------------------

 
Where JSFSession is a session bean with boolean isLogged() and boolean
doLogin(login, password) methods. Actually I check login/password
against a database table of valid users.

Petr



Rudi Steiner wrote:
> Hi Veit,
>
> I don't use spring, so I can't use this mechanism :(
>
> Is there a possibility to get the action to call over the facesContext?
>
> thanks,
> Rudi
>
> On 5/15/07, Walter Oliver (BR/ICI3) <ol...@boschrexroth.de> 
> wrote:
>> Ms Nolte will send the first test orders this evening at 16:30.
>>
>> Customers can likewise already place orders.
>>
>> Regards, Oliver Walter
>>
>> > -----Original Message-----
>> > From: Veit Guna [mailto:Veit.Guna@gmx.de]
>> > Sent: Tuesday, 15 May 2007 12:11
>> > To: MyFaces Discussion
>> > Subject: Re: MyFaces and Security
>> >
>> > I didn't follow the whole thread, but isn't acegi (if you use
>> > spring) a solution? I use it to protect specific URLs as
>> > well as method invocations on backing beans. Works fine for
>> > me (but I'm using spring). I must also admit that I'm using
>> > jsf-spring to let spring create the backing beans for me (and
>> > thus let acegi take over security).
>> >
>> > /Veit
>> >
>> > --
>> > GMX FreeMail: 1 GB Postfach, 5 E-Mail-Adressen, 10 Free SMS.
>> > Alle Infos und kostenlose Anmeldung: http://www.gmx.net/de/go/freemail
>> >
>>
>
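
A caveat on the navigation-handler approach above: handleNavigation runs only after an action method has returned its outcome, so the method (a deleteUser(), say) has already executed by the time the login state is checked, and a plain GET of a protected page never goes through navigation at all. The usual complement is a request-level check in front of the FacesServlet. The following is an added example, not Petr's code, written as a servlet Filter against the same JSFSession bean; it assumes that JSF keeps the session-scoped managed bean under the session attribute "JSFSession" (the managed-bean name), that the login view lives at /login.jsf (a placeholder path), and that the Servlet 2.4 and JSF 1.x APIs are on the classpath:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the thread): a request-level login check that runs
 * before the FacesServlet sees the request. It reads the same session-scoped
 * managed bean Petr uses (assumed: class JSFSession with boolean isLogged()).
 * JSF keeps session-scoped managed beans as session attributes under their
 * managed-bean name, so "JSFSession" is looked up directly. Anything that
 * cannot be proven logged in is sent to the login page (fail closed).
 */
public class LoginFilter implements Filter {

    /** Assumed path of the login view; requests for it are always let through. */
    private static final String LOGIN_PATH = "/login.jsf";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Path relative to the web application, e.g. "/admin/users.jsf"
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // getSession(false) never creates a session as a side effect of the check
        if (isLoginPage(path) || isLoggedIn(request.getSession(false))) {
            chain.doFilter(req, resp);
            return;
        }

        // No session, no bean, or not logged in: redirect instead of serving the view
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    /** True only when a session exists and its JSFSession bean reports a login. */
    static boolean isLoggedIn(HttpSession session) {
        if (session == null) {
            return false;
        }
        Object bean = session.getAttribute("JSFSession");
        // The bean only exists once JSF has created it (first EL reference);
        // a missing bean means nobody logged in through it, so deny.
        return bean instanceof JSFSession && ((JSFSession) bean).isLogged();
    }

    static boolean isLoginPage(String path) {
        return LOGIN_PATH.equals(path);
    }
}
```

Map the filter in web.xml to the same URL pattern as the FacesServlet (for example *.jsf) so that every view, not only those reached through an action, is checked; doLogin() keeps setting the bean's state exactly as before, and the navigation handler can stay in place as a second line of defence.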

Re: MyFaces and Security

Posted by Rudi Steiner <ru...@googlemail.com>.
Hi Veit,

I don't use spring, so I can't use this mechanism :(

Is there a possibility to get the action to call over the facesContext?

thanks,
Rudi

On 5/15/07, Walter Oliver (BR/ICI3) <ol...@boschrexroth.de> wrote:
> Ms Nolte will send the first test orders this evening at 16:30.
>
> Customers can also place orders already.
>
> Regards, Oliver Walter
>
> > -----Original Message-----
> > From: Veit Guna [mailto:Veit.Guna@gmx.de]
> > Sent: Tuesday, 15 May 2007 12:11
> > To: MyFaces Discussion
> > Subject: Re: MyFaces and Security
> >
> > I didn't follow the whole thread, but isn't acegi (if you use
> > spring) a solution? I use it to protect specific URLs as
> > well as method invocations on backing beans. Works fine for
> > me (but I'm using spring). I must also admit that I'm using
> > jsf-spring to let spring create the backing beans for me (and
> > thus let acegi take over security).
> >
> > /Veit
> >
> >
> > -------- Original Message --------
> > Date: Tue, 15 May 2007 12:03:21 +0200
> > From: "Rudi Steiner" <ru...@googlemail.com>
> > To: "MyFaces Discussion" <us...@myfaces.apache.org>
> > Subject: Re: MyFaces and Security
> >
> > > Hi Cagatay,
> > >
> > > thanks for the hint. This is definitely one step in making a jsf-app
> > > secure.
> > >
> > > I would like to increase the security of my app by writing a
> > > phaselistener, which checks the action the current request is calling
> > > and makes sure that the current user has the right to call this
> > > action (for example, calling the method deleteUser() in a backingbean).
> > >
> > > Could anyone please tell me how I can determine in a phaselistener
> > > which action is going to be called in the current request?
> > >
> > > best regards,
> > > Rudi
> > >
> > > On 5/14/07, Cagatay Civici <ca...@gmail.com> wrote:
> > > > Hi,
> > > >
> > > >  Regarding your concerns about the viewstate at client;
> > > >
> > > >  http://wiki.apache.org/myfaces/Secure_Your_Application
> > > >
> > > >  Cagatay
> > > >
> > > >
> > > > On 5/14/07, Rudi Steiner <ru...@googlemail.com> wrote:
> > > > > Hello,
> > > > >
> > > > > I'm in the final state of a project and thinking about which is the
> > > > > best way to make a myFaces-App secure (authentication, authorization,
> > > > > ...)
> > > > >
> > > > > I'm thinking about the Tomcat built-in mechanism or an alternative
> > > > > like securityFilter. But thinking about it, I got some questions like,
> > > > > what about faking the view state on the client side.
> > > > >
> > > > > Could it be that, for example, a normal user who knows the
> > > > > application code fakes the viewstate on the client for a page which
> > > > > has for example some commandbuttons which are rendered for an admin
> > > > > but are not rendered for a normal user? Has anyone had experience in
> > > > > this area?
> > > > >
> > > > > thanks a lot,
> > > > > Rudi
> > > > >
> > > >
> > > >
> >
>

Re: MyFaces and Security

Posted by "Walter Oliver (BR/ICI3)" <ol...@boschrexroth.de>.
Ms Nolte will send the first test orders this evening at 16:30.

Customers can also place orders already.

Regards, Oliver Walter

> -----Original Message-----
> From: Veit Guna [mailto:Veit.Guna@gmx.de]
> Sent: Tuesday, 15 May 2007 12:11
> To: MyFaces Discussion
> Subject: Re: MyFaces and Security
>
> I didn't follow the whole thread, but isn't acegi (if you use
> spring) a solution? I use it to protect specific URLs as
> well as method invocations on backing beans. Works fine for
> me (but I'm using spring). I must also admit that I'm using
> jsf-spring to let spring create the backing beans for me (and
> thus let acegi take over security).
>
> /Veit
>
>
> -------- Original Message --------
> Date: Tue, 15 May 2007 12:03:21 +0200
> From: "Rudi Steiner" <ru...@googlemail.com>
> To: "MyFaces Discussion" <us...@myfaces.apache.org>
> Subject: Re: MyFaces and Security
>
> > Hi Cagatay,
> >
> > thanks for the hint. This is definitely one step in making a jsf-app
> > secure.
> >
> > I would like to increase the security of my app by writing a
> > phaselistener, which checks the action the current request is calling
> > and makes sure that the current user has the right to call this
> > action (for example, calling the method deleteUser() in a backingbean).
> >
> > Could anyone please tell me how I can determine in a phaselistener
> > which action is going to be called in the current request?
> >
> > best regards,
> > Rudi
> >
> > On 5/14/07, Cagatay Civici <ca...@gmail.com> wrote:
> > > Hi,
> > >
> > >  Regarding your concerns about the viewstate at client;
> > >
> > >  http://wiki.apache.org/myfaces/Secure_Your_Application
> > >
> > >  Cagatay
> > >
> > >
> > > On 5/14/07, Rudi Steiner <ru...@googlemail.com> wrote:
> > > > Hello,
> > > >
> > > > I'm in the final state of a project and thinking about which is the
> > > > best way to make a myFaces-App secure (authentication, authorization,
> > > > ...)
> > > >
> > > > I'm thinking about the Tomcat built-in mechanism or an alternative
> > > > like securityFilter. But thinking about it, I got some questions like,
> > > > what about faking the view state on the client side.
> > > >
> > > > Could it be that, for example, a normal user who knows the
> > > > application code fakes the viewstate on the client for a page which
> > > > has for example some commandbuttons which are rendered for an admin
> > > > but are not rendered for a normal user? Has anyone had experience in
> > > > this area?
> > > >
> > > > thanks a lot,
> > > > Rudi
> > > >
> > >
> > >
>
> 

Re: MyFaces and Security

Posted by Veit Guna <Ve...@gmx.de>.
I didn't follow the whole thread, but isn't acegi (if you use spring) a solution? I use it to protect specific URLs as well as method invocations on backing beans. Works fine for me (but I'm using spring). I must also admit that I'm using jsf-spring to let spring create the backing beans for me (and thus let acegi take over security).

/Veit


-------- Original Message --------
Date: Tue, 15 May 2007 12:03:21 +0200
From: "Rudi Steiner" <ru...@googlemail.com>
To: "MyFaces Discussion" <us...@myfaces.apache.org>
Subject: Re: MyFaces and Security

> Hi Cagatay,
>
> thanks for the hint. This is definitely one step in making a jsf-app
> secure.
>
> I would like to increase the security of my app by writing a
> phaselistener, which checks the action the current request is calling
> and makes sure that the current user has the right to call this
> action (for example, calling the method deleteUser() in a backingbean).
>
> Could anyone please tell me how I can determine in a phaselistener
> which action is going to be called in the current request?
>
> best regards,
> Rudi
>
> On 5/14/07, Cagatay Civici <ca...@gmail.com> wrote:
> > Hi,
> >
> >  Regarding your concerns about the viewstate at client;
> >
> >  http://wiki.apache.org/myfaces/Secure_Your_Application
> >
> >  Cagatay
> >
> >
> > On 5/14/07, Rudi Steiner <ru...@googlemail.com> wrote:
> > > Hello,
> > >
> > > I'm in the final state of a project and thinking about which is the
> > > best way to make a myFaces-App secure (authentication, authorization,
> > > ...)
> > >
> > > I'm thinking about the Tomcat built-in mechanism or an alternative
> > > like securityFilter. But thinking about it, I got some questions like,
> > > what about faking the view state on the client side.
> > >
> > > Could it be that, for example, a normal user who knows the
> > > application code fakes the viewstate on the client for a page which
> > > has for example some commandbuttons which are rendered for an admin
> > > but are not rendered for a normal user? Has anyone had experience in
> > > this area?
> > >
> > > thanks a lot,
> > > Rudi
> > >
> >
> >

Re: MyFaces and Security

Posted by Rudi Steiner <ru...@googlemail.com>.
Hi Cagatay,

thanks for the hint. This is definitely one step in making a jsf-app secure.

I would like to increase the security of my app by writing a
phaselistener, which checks the action the current request is calling
and makes sure that the current user has the right to call this
action (for example, calling the method deleteUser() in a backingbean).

Could anyone please tell me how I can determine in a phaselistener
which action is going to be called in the current request?

best regards,
Rudi

On 5/14/07, Cagatay Civici <ca...@gmail.com> wrote:
> Hi,
>
>  Regarding your concerns about the viewstate at client;
>
>  http://wiki.apache.org/myfaces/Secure_Your_Application
>
>  Cagatay
>
>
> On 5/14/07, Rudi Steiner <ru...@googlemail.com> wrote:
> > Hello,
> >
> > I'm in the final state of a project and thinking about which is the
> > best way to make a myFaces-App secure (authentication, authorization,
> > ...)
> >
> > I'm thinking about the Tomcat built-in mechanism or an alternative
> > like securityFilter. But thinking about it, I got some questions like,
> > what about faking the view state on the client side.
> >
> > Could it be that, for example, a normal user who knows the
> > application code fakes the viewstate on the client for a page which
> > has for example some commandbuttons which are rendered for an admin
> > but are not rendered for a normal user? Has anyone had experience in
> > this area?
> >
> > thanks a lot,
> > Rudi
> >
>
>
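
On the question of where the action about to be called can be seen: a PhaseListener has no public API to inspect the events queued on the view, but an ActionListener registered in faces-config.xml is handed every ActionEvent in INVOKE_APPLICATION before the default listener invokes the bound method, and the component's MethodBinding exposes the action as an expression string such as "#{userBean.deleteUser}". The class below is an added example, not code from the thread or from MyFaces: it maps expression strings to the role required to invoke them (a hard-coded map standing in for a real policy store, with hypothetical bean and method names), checks the role through the container's isUserInRole, which assumes container-managed security such as a Tomcat realm, and aborts the event otherwise. It also assumes the JSF 1.1/1.2 API and that the configured listener is constructed with the previous (default) listener as constructor argument, the decorator wiring MyFaces applies to configured application objects.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.faces.application.FacesMessage;
import javax.faces.component.ActionSource;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

/**
 * Added example (not from the thread): authorizes an action before the default
 * ActionListener invokes it. Register it in faces-config.xml as
 * <application><action-listener>AuthorizingActionListener</action-listener></application>
 * (fully qualified); the one-argument constructor receives the listener it wraps.
 */
public class AuthorizingActionListener implements ActionListener {

    /** Hypothetical policy: action expression -> role that may invoke it. */
    private static final Map<String, String> REQUIRED_ROLE;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("#{userBean.deleteUser}", "admin");      // assumed bean/method names
        m.put("#{userBean.resetPassword}", "admin");   // assumed bean/method names
        REQUIRED_ROLE = Collections.unmodifiableMap(m);
    }

    private final ActionListener delegate;

    public AuthorizingActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        String expression = actionExpression(event);

        if (!isPermitted(expression, ctx)) {
            // Deny on the server: the bound method is never called, whatever the
            // client posted (rendered or not, forged view state or not), and the
            // page is re-rendered with a message instead of navigating.
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Not authorized", null));
            ctx.renderResponse();
            throw new AbortProcessingException("denied: " + expression);
        }
        delegate.processAction(event);
    }

    /** The action's EL expression string, e.g. "#{userBean.deleteUser}", or null. */
    static String actionExpression(ActionEvent event) {
        if (event.getComponent() instanceof ActionSource) {
            MethodBinding mb = ((ActionSource) event.getComponent()).getAction();
            return mb == null ? null : mb.getExpressionString();
        }
        return null;
    }

    /** Listed actions require their role; unlisted ones (login, navigation) pass. */
    static boolean isPermitted(String expression, FacesContext ctx) {
        String role = expression == null ? null : REQUIRED_ROLE.get(expression);
        if (role == null) {
            // To make the policy deny-by-default instead, list every permitted
            // action explicitly and return false here.
            return true;
        }
        return ctx.getExternalContext().isUserInRole(role);
    }
}
```

The policy keys have to match the expression exactly as written in the page's action attribute. On JSF 1.2 the same string is available through ActionSource2.getActionExpression().getExpressionString(), which replaces the deprecated MethodBinding path used above; the check itself is unchanged. Because the decision is made on the server from the container's view of the user, it does not depend on which buttons were rendered, which is what makes it an answer to the forged view state concern raised at the start of the thread.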

Re: MyFaces and Security

Posted by Cagatay Civici <ca...@gmail.com>.
Hi,

Regarding your concerns about the viewstate at client;

http://wiki.apache.org/myfaces/Secure_Your_Application

Cagatay

On 5/14/07, Rudi Steiner <ru...@googlemail.com> wrote:
>
> Hello,
>
> I'm in the final state of a project and thinking about which is the
> best way to make a myFaces-App secure (authentication, authorization,
> ...)
>
> I'm thinking about the Tomcat built-in mechanism or an alternative
> like securityFilter. But thinking about it, I got some questions like,
> what about faking the view state on the client side.
>
> Could it be that, for example, a normal user who knows the
> application code fakes the viewstate on the client for a page which
> has for example some commandbuttons which are rendered for an admin
> but are not rendered for a normal user? Has anyone had experience in
> this area?
>
> thanks a lot,
> Rudi
>