what is the best way to implement authorization in JSF2? through, servlet filter, phase listener or ther is something new that I am not aware of?
可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
回答1:
There are two pieces to this: Authentication, and Authorisation.
First Authentication: You can configure your web.xml to perform JAAS-based authentication according to a url pattern. Alternatively, if url-based authentication is too coarse-grained for you, you could do this manually with a PhaseListener or page actions using the HttpServletRequest login() method (new in Servlet 3.0). You can access this method through the FacesContext.getCurrentInstance().getExternalContext()
.
Once you are authenticated to a JASS realm, you can consider role based authorisation. Again there are a number of options:
- You can restrict page access to specified roles in the web.xml according to a url-pattern
- You can use the
FacesContext.getCurrentInstance().getExternalContext().isUserInRole("role")
to programmatically access the current role in your backing beans. - You can conditionally render components in the view using Expression Language, based on the user role. (Seam has the s:hasRole EL expression, IceFaces has the renderedOnUserRole attribute, or you can expose the role from your own backing bean).