Custom Annotation JSF | 易学教程

问题

I wanted to make a custom annotation to check security on some functions for my JSF web application. For security I use Tomcat security with JaaS, so I have no application managed security to my disposal.

What actually want to do is make an annotation for my methods in the Backing Beans like Spring Security (@Secured("role")). My security system is implemented so that every function is a role and you can dynamically make "user roles" these are stored in the DB and when somebody logs in all the (function)roles in that "user role" will be set in tomcat security as roles.

So now I have this piece of code to check if my user can access the function:

       public static void checkSecurity(final String function) {
    final FacesContext facesContext = FacesContext.getCurrentInstance();
    try {
        if (facesContext.getExternalContext().getRemoteUser() == null) {
            facesContext.getExternalContext().redirect("login.xhtml");
            return;
        }
        if (!facesContext.getExternalContext().isUserInRole(function)) {
            facesContext.getExternalContext().redirect("restricted.xhtml");
            return;
        }
    } catch (final Exception ex /* Mandatory "IOException e" will be caught + all other exceptions. */) {
        facesContext.getExternalContext().setResponseStatus(403); // HTTP Status 403: Forbidden. Can also throw 401.
        facesContext.responseComplete();
    }
}

Now I have to call this SecurityUtil.checkSecurity("name_of_function"); in every method. But I want to have an annotation like this @CustomSecurity("function_name_role").

   @Target(ElementType.METHOD)
   @Retention(RetentionPolicy.RUNTIME)
   public @interface CustomSecurity {
     // Single Element called value.
      String value();
   }

And when a method has this annotation the checkSecurity function automatically has to be performed. So I have to scan for this annotation at a point, or make some kind of actionlistener. JSF should have some options for this but all the forums I found on this don't really help.

Does somebody has some ideas?

EDIT: I tried this blog it works but only on an action of a component (and components don't render when you don't have the role). So how secure is this when people try to hack into the JSF structure. And I rather have it running on every method.

        public class SecurityActionListener extends ActionListenerImpl implements ActionListener {

    private static final Logger LOGGER = FacesLogger.APPLICATION.getLogger();

    @SuppressWarnings("unused")
    @Override
    public void processAction(final ActionEvent event) {

        final FacesContext context = FacesContext.getCurrentInstance();
        final Application application = context.getApplication();
        final ConfigurableNavigationHandler navHandler = (ConfigurableNavigationHandler) application.getNavigationHandler();

        // Action stuff
        final UIComponent source = event.getComponent();
        final ActionSource actionSource = (ActionSource) source;
        MethodBinding binding;

        binding = actionSource.getAction();
        final String expr = binding.getExpressionString();
        if (!expr.startsWith("#")) {
            super.processAction(event);
            return;
        }

        final int idx = expr.indexOf('.');
        final String target = expr.substring(0, idx).substring(2);
        final String t = expr.substring(idx + 1);
        final String method = t.substring(0, (t.length() - 1));

        final MethodExpression expression = new MethodExpressionMethodBindingAdapter(binding);
        final ELContext elContext = context.getELContext();
        final ExpressionFactory factory = context.getApplication().getExpressionFactory();

        final ValueExpression ve = factory.createValueExpression(elContext, "#{" + target + '}', Object.class);
        final Object result = ve.getValue(elContext);

        // Check if the target method is a secured method
        // and check security accordingly
        final Method[] methods = result.getClass().getMethods();
        for (final Method meth : methods) {
            if (meth.getName().equals(method)) {
                if (meth.isAnnotationPresent(CustomSecurity.class)) {
                    final CustomSecurity securityAnnotation = meth.getAnnotation(CustomSecurity.class);
                    System.out.println("Function to check security on: " + securityAnnotation.value()); // TODO TO LOG
                    SecurityUtil.checkSecurity(securityAnnotation.value());
                } else {
                    super.processAction(event);
                }
                break;
            }
        }
    }

}

And this in the faces-config.xml: <action-listener> com.nielsr.randompackagebecauseofnda.SecurityActionListener </action-listener>

This blog could also be an answer, but I don't know how it will work with my JaaS Tomcat security because the security is in a separate project deployed as a standalone JAR in the tomcat lib folder.

But I actually don't know that I have to secure my Beans. Because I have configured all the functions (aka roles see above) that are on 1 page in the Web.xml as security constraints. And I render the components on the page only if you have to rights or "function_role" on that component. So is this secured enough? Or if somebody has a right to a function on a page can he render the components himself and so hack my site?

I'm not that familiar to JSF to know this, what is going on in that extra JSF abstraction layer between Controller and View? (I'm more of a Spring MVC developer, but because of requirements I have to use JSF but it's nice to broaden my knowledge.)