myfaces-users mailing list archives

From "Walter Oliver (BR/ICI3)" <oliver.wal...@boschrexroth.de>
Subject AW: MyFaces and Security
Date Tue, 15 May 2007 10:19:41 GMT
Ms. Nolte will send the first test orders this evening at 16:30.

Customers can also already place orders.

Regards, Oliver Walter

> -----Original Message-----
> From: Veit Guna [mailto:Veit.Guna@gmx.de] 
> Sent: Tuesday, 15 May 2007 12:11
> To: MyFaces Discussion
> Subject: Re: MyFaces and Security
> 
> I didn't follow the whole thread, but isn't acegi (if you use 
> spring) a solution? I use it to protect specific URLs as 
> well as method invocations on backing beans. Works fine for 
> me (but I'm using spring). I must also admit that I'm using 
> jsf-spring to let spring create the backing beans for me (and 
> thus let acegi take over security).
> 
> /Veit
> 
> 
> -------- Original Message --------
> Date: Tue, 15 May 2007 12:03:21 +0200
> From: "Rudi Steiner" <rudi.steiner@googlemail.com>
> To: "MyFaces Discussion" <users@myfaces.apache.org>
> Subject: Re: MyFaces and Security
> 
> > Hi Cagatay,
> > 
> > thanks for the hint. This is definitely one step in making a
> > jsf-app secure.
> > 
> > I would like to increase the security of my app by writing a
> > phaselistener which checks the action the current request is
> > calling and makes sure that the current user has the right to
> > call this action (for example, calling the method deleteUser()
> > in a backing bean).
> > 
> > Could anyone please tell me, how I can determine in a phaselistener
> > which action is going to be called in the current request?
> > 
> > best regards,
> > Rudi
> > 
> > On 5/14/07, Cagatay Civici <cagatay.civici@gmail.com> wrote:
> > > Hi,
> > >
> > >  Regarding your concerns about the viewstate at client;
> > >
> > >  http://wiki.apache.org/myfaces/Secure_Your_Application
> > >
> > >  Cagatay
> > >
> > >
> > > On 5/14/07, Rudi Steiner <rudi.steiner@googlemail.com> wrote:
> > > > Hello,
> > > >
> > > > I'm in the final state of a project and thinking about which
> > > > is the best way to make a myFaces-App secure (authentication,
> > > > authorization, ...)
> > > >
> > > > I'm thinking about the Tomcat built-in mechanism or an
> > > > alternative like securityFilter. But thinking about it, I got
> > > > some questions, like how about faking the view state on the
> > > > client side.
> > > >
> > > > Could it be that, for example, a normal user who knows the
> > > > application code fakes the viewstate on the client for a page
> > > > which has, for example, some commandbuttons which are rendered
> > > > for an admin but are not rendered for a normal user? Has anyone
> > > > had experience in this area?
> > > >
> > > > thanks a lot,
> > > > Rudi
> > > >
> > >
> > >
> 
> 
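
An added example, not part of any message in this thread: one way to enforce the per-action check discussed above on the server, so that a forged view state cannot trigger an action the user is not entitled to. It decorates the application-wide JSF 1.x `ActionListener` (registered through `<action-listener>` in `faces-config.xml`); the class name, EL expressions and roles are hypothetical, a servlet container is assumed, and only the `action` attribute of a command component is covered.

```java
// Added example; class name, bean names, EL expressions and roles are hypothetical.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.faces.component.ActionSource;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;
import javax.servlet.http.HttpServletResponse;

public class AuthorizingActionListener implements ActionListener {
    // Action expression -> role required to invoke it (constructed sample policy).
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();
    static {
        REQUIRED_ROLE.put("#{userBean.deleteUser}", "admin");
        REQUIRED_ROLE.put("#{userBean.saveProfile}", "user");
    }
    private final ActionListener delegate;

    // JSF passes the previously registered listener to this constructor.
    public AuthorizingActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    public void processAction(ActionEvent event) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        MethodBinding action = ((ActionSource) event.getComponent()).getAction();
        if (action != null) {
            String role = REQUIRED_ROLE.get(action.getExpressionString());
            // Deny by default: unlisted actions and missing roles are rejected.
            if (role == null || !ctx.getExternalContext().isUserInRole(role)) {
                deny(ctx);
                return; // the backing-bean method is never invoked
            }
        }
        delegate.processAction(event);
    }

    private void deny(FacesContext ctx) {
        HttpServletResponse resp = (HttpServletResponse) ctx.getExternalContext().getResponse();
        try {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IOException e) {
            throw new AbortProcessingException(e);
        }
        ctx.responseComplete();
    }
}
```

Because the check runs when the action is invoked rather than when the button is rendered, it holds regardless of which components the submitted view state claims to contain.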
