From: "Rogerio Pereira"
To: "MyFaces Discussion"
Date: Fri, 22 Sep 2006 10:10:28 -0300
Subject: Re: Authorization via view-handler

I created a PhaseListener for this purpose.

2006/9/22, Patrick Dreyer:
>
> Sorry, forgot about the MyFaces wiki...
> Just found the page about "Access FacesContext from Servlet"
> http://wiki.apache.org/myfaces/AccessFacesContextFromServlet
>
> Patrick Dreyer wrote:
> > Hi Jan
> >
> > Don't do authentication/authorization through a ViewHandler, use a servlet filter instead.
> > Citation from JavaWorld (http://www.javaworld.com/javaworld/jw-07-2004/jw-0719-jsf.html):
> >
> >> * Use a base backing bean: This solution is simple. However, it ties the backing beans to a specific inheritance hierarchy.
> >> * Use a JSF ViewHandler decorator: This way, the security logic is tightly coupled with a specific Web tier technology.
> >> * Use a servlet filter: A JSF application is no different from other Java-based Web applications. It makes a filter the best place to handle authentication checking. This way, the authentication logic is decoupled from the Web application.
> >
> > Additionally, by using a ServletFilter the configuration keeps in web.xml and it's a snap to force SSL for example.
> >
> > There is an interesting article about page authorization in JSF on http://jdj.sys-con.com/read/250254.htm
> >
> > We generally put secured pages in different directories (user role dependent) and close the whole directory with a security constraint.
> >
> > I'm pretty sure, you'd like to store authentication/authorization information in a JSF backing bean, thus you'll ask yourself: "How to access backing beans in a servlet filter?" A quick google search ("access jsf backing bean from servlet filter") showed up a very good hit at the first place (http://www.thoughtsabout.net/blog/archives/000033.html).
> >
> > Patrick
> >
> > janw wrote:
> >> Hello,
> >>
> >> I'd like to use a ViewHandler for authorization.
> >> I use tiles, so I have already a Viewhandler defined in my application
> >> (JspTilesViewHandlerImpl).
> >> How can I integrate these two view-handlers? I think I cannot define a
> >> second view-handler.
> >>
> >> I know there are frameworks like SecurityFilter, Acegi, but I need only a
> >> very simple auth mechanism.
> >>
> >> Regards,
> >> Jan

-- 
Yours truly (Atenciosamente),
Rogério (_rogerio_)
http://faces.eti.br

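
Added example, not part of the original thread and not code from MyFaces or any poster: a servlet filter of the kind recommended in the quoted reply, enforcing the role-per-directory layout it describes. The class name, the `/secured/<role>/` layout, the `roles` session attribute and `/login.jsf` are assumptions made for illustration.

```java
// Hypothetical names throughout: /secured/<role>/..., session attribute
// "roles" (a Set<String> stored at login), and /login.jsf.
// web.xml: map to /secured/* with <dispatcher>REQUEST</dispatcher> and
// <dispatcher>FORWARD</dispatcher>; JSF navigation without <redirect/>
// typically renders the target JSP through a server-side forward.
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class RoleDirectoryFilter implements Filter {
    private static final String PREFIX = "/secured/";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** Role directory named in the path; "" if none; null if not secured. */
    static String requiredRole(String path) {
        if (path == null || !path.startsWith(PREFIX)) return null;
        int end = path.indexOf('/', PREFIX.length());
        return end < 0 ? "" : path.substring(PREFIX.length(), end);
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Use the container-resolved path rather than the raw request URI.
        String info = req.getPathInfo();
        String role = requiredRole(req.getServletPath() + (info == null ? "" : info));
        if (role == null) { chain.doFilter(rq, rs); return; }

        HttpSession session = req.getSession(false); // never create one here
        Object roles = session == null ? null : session.getAttribute("roles");
        if (!(roles instanceof Set)) {               // not logged in
            res.sendRedirect(req.getContextPath() + "/login.jsf");
            return;
        }
        // Pages directly under /secured/ (role "") are denied by default.
        if (role.isEmpty() || !((Set<?>) roles).contains(role)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Keep protected pages out of browser and proxy caches after logout.
        res.setHeader("Cache-Control", "no-store");
        chain.doFilter(rq, rs);
    }
}
```

A declarative `security-constraint` on the same directories only covers client requests, so the `FORWARD` dispatcher mapping is what lets this filter also see views reached through JSF navigation.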