Subject: RE: AW: AW: [O/T] JSF Best Practices for Authentication/Authorization
Date: Tue, 7 Nov 2006 16:35:44 +0100
From: "Bieringer, Dominik"
To: "MyFaces Discussion"

Hi Jeff,

Yes I've seen... I had to stop writing my reply because my train arrived and I had to go to the bus station ;) I will read and answer all your mails when I am on the way home today...

Dominik

-----Original Message-----
From: Jeff Bischoff [mailto:jbischoff@klkurz.com]
Sent: Tuesday, November 07, 2006 15:52
To: MyFaces Discussion
Subject: Re: AW: AW: [O/T] JSF Best Practices for Authentication/Authorization

Bieringer.Dominik.nf@gmx.net wrote:
> Yes, that's correct. I am using http basic authentication, which means that
> when a page gets rendered, the user is already authenticated and there is
> no possibility to re-show the login screen again, because the browser caches
> the username and password.
>
> I am not able to use form based login, because there are many applications
> accessing my page, not only browsers, and it's a lot easier for applications
> if there is http basic authentication instead of form based
> authentication... (Just think about download managers)...
>

Oh yes, that makes perfect sense for you. I just wanted to make sure I understood what you are doing. Of course as I read everyone's descriptions, I am thinking about my own plans and I definitely want to use form-based authentication.

> @SecurityGuard(TypRoles.ADMIN)
> public AdminBean getAdminBean()
> {
>     JsfSecurityManager.getCurrentInstance().check();
> }
>

Like I said, we haven't moved to the new Java yet. But okay, so the annotation is labeling that this method should only be run by admins, and it's the SecurityManager that is responsible for looking at the annotation and deciding whether to continue?

Thanks for explaining! (by the way, did you see my other reply to you yesterday?)

Regards,

Jeff Bischoff
Kenneth L Kurz & Associates, Inc.
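
Added example, not part of the original mails and not the poster's code: one way a no-argument `check()` could find the annotation of the method that called it and decide whether to continue. Only the names `SecurityGuard` and `TypRoles` come from the thread; `GuardManager`, `GuardDemo`, the `USER` role and the role set are hypothetical, and the stack lookup assumes Java 10 or later.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Set;

public class GuardDemo {
    enum TypRoles { USER, ADMIN }
    @Retention(RetentionPolicy.RUNTIME)  // without RUNTIME retention reflection sees nothing
    @Target(ElementType.METHOD)
    @interface SecurityGuard { TypRoles value(); }

    static final class GuardManager {  // hypothetical stand-in for the thread's JsfSecurityManager
        private final Set<TypRoles> userRoles;  // roles of the already authenticated user
        GuardManager(Set<TypRoles> userRoles) { this.userRoles = userRoles; }

        void check() {
            // Frame 0 is check() itself; frame 1 is the method that called it.
            StackWalker.StackFrame caller = StackWalker
                    .getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE)
                    .walk(frames -> frames.skip(1).findFirst())
                    .orElseThrow(() -> new SecurityException("no calling method"));
            try {
                // Resolve by name and parameter types so overloads are not confused.
                Method m = caller.getDeclaringClass().getDeclaredMethod(
                        caller.getMethodName(), caller.getMethodType().parameterArray());
                SecurityGuard guard = m.getAnnotation(SecurityGuard.class);
                // Fail closed: a missing annotation is a denial, not a free pass.
                if (guard == null || !userRoles.contains(guard.value()))
                    throw new SecurityException("access denied: " + m.getName());
            } catch (NoSuchMethodException e) {
                throw new SecurityException("cannot resolve calling method", e);
            }
        }
    }

    private final GuardManager manager;
    GuardDemo(Set<TypRoles> userRoles) { manager = new GuardManager(userRoles); }

    @SecurityGuard(TypRoles.ADMIN)
    String getAdminBean() { manager.check(); return "admin bean"; }
    String getUnmarkedBean() { manager.check(); return "unmarked bean"; }  // no annotation

    static boolean allowed(Runnable call) {
        try { call.run(); return true; } catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        GuardDemo admin = new GuardDemo(Set.of(TypRoles.ADMIN));
        GuardDemo user = new GuardDemo(Set.of(TypRoles.USER));
        System.out.println("admin, getAdminBean:    " + allowed(admin::getAdminBean));
        System.out.println("user,  getAdminBean:    " + allowed(user::getAdminBean));
        System.out.println("admin, getUnmarkedBean: " + allowed(admin::getUnmarkedBean));
    }
}
```

The guard only protects methods that actually call `check()`; a method that carries the annotation but omits the call is not checked at all, which is why container-side interception is the more common way to enforce such annotations.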