[Rev.02: Due to no answers for Rev.01, let me please re-specify my question]:
For a Java EE web app with a JSF 2.x frontend, the following URLs shall be in place:
Initially (static case, and as treated in thousands of book examples):
www.acme.org/app/
www.acme.org/app/index.jsf
www.acme.org/app/contact.jsf
www.acme.org/app/about.jsf
www.acme.org/app/provider-registration.jsf
www.acme.org/app/login.jsf
differs between sys-admin and provider-admin and redirects a sys-admin to:
www.acme.org/app/sys-admin-console.jsf
and a provider-admin to the admin-console.jsf listed below.
Later on (i.e. dynamically created and activated, and the aspect that's unclear to me):
www.acme.org/app/providerName/
www.acme.org/app/providerName/index.jsf
www.acme.org/app/providerName/contact.jsf
www.acme.org/app/providerName/login.jsf
for provider-admin and provider's customers
www.acme.org/app/providerName/admin-console.jsf
www.acme.org/app/providerName/pageX.jsf
where providerName is an arbitrary name chosen by the provider and verified+granted by the system, and pageX is one or more pages created and arbitrarily named by each provider independently.
The "system realm" will know about the roles "sys-admin" and "provider-admin", whereas each "provider realm" will know about "provider-admin" and "customer" roles.
My questions now are:
From within the initial FacesServlet, what must I do to get these "sub-realms" (sub-JSF-webapps) running and the one or more Servlet(s) working well (together)?
How do I impose the access control rules?
(a) By a dynamically deployed but static Servlet security config? or
(b) By an internal security component at app-level instead of servlet/web-container level?
I'd be very thankful for any help or any link to examples treating this problem.
Natalia.