JSF authentication and authorization

穿精又带淫゛_ submitted on 2019-11-28 19:19:50

Question


What is the best way to go about implementing authentication and authorization for a JSF web application? Preferably I'd still want to use container-based security, as I need to call EJBs that require the principal.

I realize form-based authentication is a major struggle with JSF, but can I perhaps use a PhaseListener or something similar together with programmatic logon to authenticate the user?

Any other methods I should rather have a look at?


Answer 1:


Try checking out the blog on using JAAS with JSF. It is an example of how to deploy JAAS with JSF for authentication and authorization.

I hope it helps.

Tiger




Answer 2:


You can use the Spring Security framework, see instructions here http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/




Answer 3:


I use JSF Seam and have used Seam's built-in authentication and authorization and find it extremely easy to use.

For authentication, you simply implement 1 method, public boolean login(String username, String password) { ... }, which returns a boolean. Then you can mark pages as "login-required" and Seam takes care of the rest.

For authorization, Seam gives you a @Restrict Annotation that you can put on your Controller or Service methods and again, Seam takes care of the rest.

Advanced authorization: You can also handle more advanced authorization with Seam where roles are dynamic - e.g. in a bulletin board you are "author" of some posts, but "reader" of other posts, by simply delegating your @Restrict annotation to a Java method.

I would encourage you to take a look at Seam. Seam is just a layer on top of JSF, so technically you would still be running on JSF. If for some reason you cannot use Seam, maybe you can borrow some ideas from how Seam handles Authorization and Authentication in JSF.




Answer 4:


You could use the Servlet 3.0 HttpServletRequest API as shown in this answer to a JSF 2.0 question:

JSF 2.0 Simple login page
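
The programmatic login mentioned in this answer, as an added example that is not part of the original answer or of the linked one: a JSF 2.0 backing bean that authenticates through the container with the Servlet 3.0 HttpServletRequest.login() call and replaces the session around the login. The bean name, the outcome paths and the existence of a security realm configured in the container are assumptions.

```java
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Hypothetical backing bean for a login page with username/password inputs.
@ManagedBean
@RequestScoped
public class LoginBean {
    private String username;
    private String password;

    public String login() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest request =
            (HttpServletRequest) ctx.getExternalContext().getRequest();
        // Discard the pre-login session so a session id set before
        // authentication is never reused afterwards (session fixation).
        ctx.getExternalContext().invalidateSession();
        try {
            // login() throws if a caller is already authenticated.
            if (request.getUserPrincipal() != null) request.logout();
            // Validates against the container's realm; on success
            // getUserPrincipal() and isUserInRole() reflect the caller.
            request.login(username, password);
            return "/secured/home?faces-redirect=true"; // assumed path
        } catch (ServletException e) {
            // One generic message: do not reveal whether the account exists.
            ctx.addMessage(null, new FacesMessage(
                FacesMessage.SEVERITY_ERROR, "Invalid username or password.", null));
            return null; // stay on the login view
        }
    }

    public String logout() throws ServletException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ((HttpServletRequest) ctx.getExternalContext().getRequest()).logout();
        ctx.getExternalContext().invalidateSession();
        return "/login?faces-redirect=true"; // assumed path
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

Because the container performs the authentication, page-level authorization can stay in web.xml security constraints rather than in the bean.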



Source: https://stackoverflow.com/questions/1187949/jsf-authentication-and-authorization
