myfaces-users mailing list archives

From "Veit Guna" <Veit.G...@gmx.de>
Subject Re: MyFaces and Security
Date Tue, 15 May 2007 10:11:00 GMT
I didn't follow the whole thread, but isn't Acegi (if you use Spring) a solution? I use it
to protect specific URLs as well as method invocations on backing beans. Works fine for me
(but I'm using Spring). I must also admit that I'm using jsf-spring to let Spring create
the backing beans for me (and thus let Acegi take over security).

/Veit


-------- Original Message --------
Date: Tue, 15 May 2007 12:03:21 +0200
From: "Rudi Steiner" <rudi.steiner@googlemail.com>
To: "MyFaces Discussion" <users@myfaces.apache.org>
Subject: Re: MyFaces and Security

> Hi Cagatay,
> 
> thanks for the hint. This is definitely one step in making a JSF app
> secure.
> 
> I would like to increase the security of my app by writing a
> phase listener, which checks the action the current request is calling
> and makes sure that the current user has the right to call this
> action (for example, calling the method deleteUser() in a backing bean).
> 
> Could anyone please tell me how I can determine in a phase listener
> which action is going to be called in the current request?
> 
> best regards,
> Rudi
> 
> On 5/14/07, Cagatay Civici <cagatay.civici@gmail.com> wrote:
> > Hi,
> >
> >  Regarding your concerns about the viewstate at client;
> >
> >  http://wiki.apache.org/myfaces/Secure_Your_Application
> >
> >  Cagatay
> >
> >
> > On 5/14/07, Rudi Steiner <rudi.steiner@googlemail.com> wrote:
> > > Hello,
> > >
> > > I'm in the final state of a project and thinking about, which is the
> > > best way to make a myFaces-App secure (authentication, authorization,
> > > ...)
> > >
> > > I'm thinking about the Tomcat built-in mechanism or an alternative
> > > like SecurityFilter. But thinking about it, I have some questions, like
> > > how one could fake the view state on the client side.
> > >
> > > Could it be that, for example, a normal user who knows the
> > > application code fakes the view state on the client for a page which
> > > has, for example, some command buttons which are rendered for an admin
> > > but are not rendered for a normal user? Has anyone had experience in
> > > this area?
> > >
> > > thanks a lot,
> > > Rudi
> > >
> >
> >


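The check Rudi asks about, as an added example that is not part of this thread and not code from MyFaces, Acegi or jsf-spring. Instead of a PhaseListener it uses a decorating ActionListener, because by the time INVOKE_APPLICATION runs the ActionEvent already carries the command component, and in JSF 1.2 that component's ActionSource2.getActionExpression() yields the "#{bean.method}" string that is about to be invoked. The listener refuses restricted actions before the backing bean runs, which is exactly the case of a forged request for a button that was never rendered for the current user. The role name "admin", the bean and method names, and the faces-config snippet are assumptions; container-managed roles (ExternalContext.isUserInRole) are assumed to be in place.

```java
// Added example, not from the thread. Assumes JSF 1.2 (ActionSource2 / MethodExpression)
// and container-managed roles. Register in faces-config.xml (hypothetical snippet):
//   <application>
//     <action-listener>com.example.AuthorizingActionListener</action-listener>
//   </application>
// JSF passes the previously registered listener to the one-argument constructor.
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.el.MethodExpression;
import javax.faces.application.FacesMessage;
import javax.faces.component.ActionSource2;
import javax.faces.component.UIComponent;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

public class AuthorizingActionListener implements ActionListener {

    private final ActionListener delegate;

    // Action expression -> role required to invoke it. Kept as an explicit table so a
    // reviewer can audit it; the bean/method names are hypothetical. Actions not listed
    // here are passed through, so extend the table whenever a restricted action is added.
    private static final Map<String, String> REQUIRED_ROLE;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("#{userBean.deleteUser}", "admin");
        m.put("#{userBean.resetPassword}", "admin");
        REQUIRED_ROLE = Collections.unmodifiableMap(m);
    }

    public AuthorizingActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();

        String action = actionExpressionOf(event.getComponent());
        String role = (action == null) ? null : REQUIRED_ROLE.get(action);

        if (role != null && !ext.isUserInRole(role)) {
            // The request names a restricted action the caller is not entitled to. Whether the
            // button was rendered or the view state was tampered with does not matter: the
            // authorization decision is made here, server side, independent of rendering.
            ext.log("Denied action " + action + " for user " + ext.getRemoteUser()
                    + " (requires role " + role + ")");
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "You are not allowed to perform this action.", null));
            ctx.renderResponse();   // skip INVOKE_APPLICATION and re-render the current view
            throw new AbortProcessingException("Not authorized: " + action);
        }

        // Authorized (or unrestricted): let the default listener invoke the action and navigate.
        delegate.processAction(event);
    }

    // Returns the "#{bean.method}" string bound to the command component that fired the
    // event, or null if the component has no action expression (e.g. a plain outcome string).
    static String actionExpressionOf(UIComponent source) {
        if (source instanceof ActionSource2) {
            MethodExpression expr = ((ActionSource2) source).getActionExpression();
            return (expr == null) ? null : expr.getExpressionString();
        }
        return null;
    }
}
```

The table is keyed by the full expression string, so it matches the literal action attribute written in the page; a method reached through a different expression would need its own entry. For that reason this listener complements, rather than replaces, method-level protection on the backing beans themselves, which is the layer Acegi covers in Veit's setup.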