How do I do security in JSF?

Question

I am using Java EE 6 with all reference implementations. Having made some security constraints for some pages such as everything beneath /secure/*. This is roug

Answer 1

Showing multiple versions of the same page is not about security (different version != links hiding), restricting access and requiring additional authorization is, I'll answer that if you dont mind.

You can read about both (authentication, authorization) on JAAS page. It is also the best framework in my opinion. It takes some time to master but after then, it's pretty easy and you'll even realize it's not heavy-weight at all - you're not forced to use every single feature. (just like EJB)

JAAS can log you even using ldap or windows account, theres even support for multiple authentication steps - you can implement pass+sms login. You can do that even with acegi, of course (it's just not that easy)

Since you've already mentioned JSF, JAAS fits even better than acegi, you can annotate any backing bean with @RolesAllowed and if user session does not meet requirements, SecurityException will be thrown. This works for servlets and beans (ejb, backing), not for jsps (however it wouldnt make much sense anyway)

You can read about @RolesAllowed here, but if you're already considering it, don't miss JBoss Seam Security - it's built on top of both security annotations and JAAS and it's also pretty addictive to use. Worth of reading.

BTW guys: I'm not rep-whoring, just found interesting question so... feel free to fight for bounty :)