myfaces-users mailing list archives

From Jeff Bischoff <>
Subject Re: [O/T] JSF Best Practices for Authentication/Authorization
Date Fri, 03 Nov 2006 22:01:29 GMT
I should also mention some of the technologies we are using.

* Java 1.4
* EJB 2.0

Unfortunately, this project has been underway for over a year now, and 
we are not using all the latest-and-greatest technologies. I have little 
power to change this.

I have much more flexibility when it comes to choosing web technologies 
and frameworks to use. I have to stay in Java 1.4 land though. :)

Web Tier:
* Java 1.4
* Myfaces 1.1.4 (w/JSP)
* Tomahawk Nightlies
* Ajax4jsf 1.0.3

Best Regards,

Jeff Bischoff
Kenneth L Kurz & Associates, Inc.

Jeff Bischoff wrote:
> As for my specific requirements:
>
> I have a simple intranet application. There is a public (no auth)
> section, and a secure section for logged-in users. My main requirement
> is simple. I want to force the users to authenticate (log in) before
> they access the restricted portion of the application. View paths to
> this portion are predictable (i.e. /public/* vs /system/*). Desired
> authorization scheme will be rather simple (e.g. admins, users,
> unauthenticated). I may want control-level access controls later, but I
> feel that a good approach to page-level authorization is the most
> important goal here.
>
> It almost sounds like container-managed security would be sufficient for
> my needs. However, the documentation from my container (JBoss) seems
> overly detailed and complex - I couldn't even tell when they were
> talking about JAAS rather than container-managed security. Is this
> overkill for me, or am I seeing more complexity than there has to be?
> I'm just not sure yet...
>
> Thanks guys for your time, thoughts, and opinions...
>
> Regards,
>
> Jeff Bischoff
> Kenneth L Kurz & Associates, Inc.
>
> Jeff Bischoff wrote:
>> Greetings Colleagues,
>>
>> I have often wondered what the majority of you are using for
>> authentication and authorization in your non-public websites. Over the
>> last year on this mailing list, I have seen bits and scraps of
>> discussion on this topic. Most often, I hear mention of solutions like
>> container-managed security and phase listeners. Sometimes custom
>> navigation-handlers or servlet filters get mentioned too. Can't say
>> I've quite seen evidence of any consensus on which of these is
>> preferred, so I'm interested to hear your thoughts.
>>
>> I have come across this article [1] which offers an approach (and some
>> source code) to authorization in JSF. What are your opinions on this
>> approach? Would you consider this and similar approaches to be best
>> practice? What other alternatives can you recommend (from experience)?
>>
>> I will post my specific requirements for my security search as a reply
>> to this post, so as not to narrow the overall discussion.
>>
>> [1]
>>
>> Regards,
>>
>> Jeff Bischoff
>> Kenneth L Kurz & Associates, Inc.

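For the servlet-filter route mentioned in the first message, here is an added example of a page-level authorization filter, written for Java 1.4 / Servlet 2.4 as used on this project; it is not code from the thread or from MyFaces. It assumes that the application's login page stores a user object in the session under the attribute "user" (the nested AppUser class is a stand-in for the application's own user type), that admin-only views live under /system/admin/, and that the filter is mapped to /system/* in web.xml.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Page-level authorization for the /system/* part of the application.
 * Added example, not the project's code. Map it in web.xml with
 *   <filter-mapping><filter-name>auth</filter-name>
 *                   <url-pattern>/system/*</url-pattern></filter-mapping>
 * so every request to the secure area, JSF postbacks included, passes
 * through here before the FacesServlet runs. Java 1.4 compatible: no
 * generics, no annotations.
 */
public class AuthorizationFilter implements Filter {

    /** Session attribute the login page stores the user under (assumption). */
    public static final String USER_ATTR = "user";
    /** Session attribute holding the URL to return to after login (assumption). */
    public static final String RETURN_URL_ATTR = "returnUrl";

    private static final String LOGIN_PAGE = "/public/login.jsf";   // assumption
    private static final String ADMIN_PREFIX = "/system/admin/";    // assumption

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The container decodes and normalises the request path before it
        // maps filters and computes getServletPath(), so dot-segment tricks
        // such as /system/admin/../x are resolved before the prefix check
        // below. getRequestURI() is the raw form and must not be compared.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }

        // Do not create a session just to discover that nobody is logged in.
        HttpSession session = request.getSession(false);
        AppUser user = (session == null) ? null
                : (AppUser) session.getAttribute(USER_ATTR);

        if (user == null) {
            // Remember the target in the session rather than in a redirect
            // parameter, so the login page cannot be turned into an open
            // redirect. GET only: replaying a POST after login is surprising.
            if ("GET".equals(request.getMethod())) {
                request.getSession(true).setAttribute(RETURN_URL_ATTR,
                        request.getContextPath() + path);
            }
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + LOGIN_PAGE));
            return;
        }

        // Deny by default: /system/admin/ needs the admin role, anything
        // else under /system/ needs only an authenticated user.
        if (path.startsWith(ADMIN_PREFIX) && !user.hasRole("admin")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Secure pages must not be replayed from a cache after logout.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(request, response);
    }

    /** Minimal stand-in for the application's own user object (assumption). */
    public static class AppUser {
        private final String name;
        private final Set roles = new HashSet();

        public AppUser(String name, String[] roleNames) {
            this.name = name;
            for (int i = 0; i < roleNames.length; i++) {
                roles.add(roleNames[i]);
            }
        }

        public String getName() { return name; }

        public boolean hasRole(String role) { return roles.contains(role); }
    }
}
```

The filter mapping has to match how the secure views are actually addressed. With the FacesServlet mapped to *.jsf the views are reached as /system/page.jsf and a /system/* mapping covers them, and it also covers a direct request for the underlying /system/page.jsp, which a JSF PhaseListener never sees. With a /faces/* prefix mapping the URL becomes /faces/system/page.jsp and a filter on /system/* would never run; in that case map the filter on /faces/system/* and adjust the prefix constants to match.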