Security in JSF

Greenhorn
Hey guys,

I've just had a search over the boards about implementing security in JSF and I'm still a little unsure about the best way to go about implementing security...

My situation is that we are going to have a large number of users for our system...in the region of 400 we expect. Each user will have access to defined sections of the site via JSF. My question is this: would it be easier for us to implement our own security system and wire that into JSF, or use the container security? My concern with the container security is that we may need to end up expanding the security roles for users as the system grows, and creating our own system for this might prove easier in the long run...

I've been having a look at a few examples and I can't seem to find anything that handles security mappings the same as Spring (which is the framework I know best). Can anyone show me how you define a secure section of a site? I expect we will end up with everything under /admin/** requiring a login and everything else being open to the public...I know this is a simple thing but I would like to get some input on the best way to go about implementing it in JSF...we are trying to stick as close to the J2EE outlines as possible...the next thing I have to do is read up on JAAS, which I personally have no knowledge of, to see if this could help us at all...

Any comments or pointers to other sites that could help me get an understanding of my options would be great

Thanks,
Kris
Saloon Keeper
Based on my own personal observations, DIY security should always be a solution of Last Resort:

http://www.mousetech.com/blog/?cat=4

However, JSF offers some unique challenges when using container-based security. One of the key features of CBS is URL protection, done by defining URL/role mappings in the web.xml file. Since JSF URLs are more like handles on a conversation than direct lines to functionalities, you have to make sure that any URL-based security, such as sandboxing all the admin functions under an "admin" URL subcontext, isn't defeated by JSF invoking the admin functions while still working under an unsecured URL.

One of the ways you can do this is via the <redirect /> directive in your navigation cases. This causes internal invocations of secured functionalities to be redirected out and back in again under their secured URLs rather than under the original non-secured URL that the secure page was invoked from.

The security role mechanism provided by the container is not intended to be fine-grained. However, it makes up for that by being ubiquitous. When I need specialized security services, my approach is to let the CBS mechanisms provide the first line of defense, then use the UserPrincipal user ID as a key into the fine-grained security mechanism.
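The two pieces of configuration the reply above refers to, written out as an added example (this is not code from either poster, and the file names, view IDs, outcome name and role name are assumptions chosen to match the original question's /admin/** layout): a Servlet 2.4 web.xml security-constraint that makes everything under /admin/ require the "admin" role, and a JSF 1.x faces-config.xml navigation case that uses <redirect/> so the browser actually arrives at the protected URL.

```xml
<!-- Fragment for web.xml (hypothetical example, not the poster's file).
     The container checks the request URL against these patterns before
     the FacesServlet ever runs, so /admin/* is the first line of defense. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <!-- Prefix pattern covers both /admin/users.faces and the /admin/users.jsp source -->
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Login pages must live OUTSIDE /admin/, otherwise the constraint blocks them -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- Fragment for faces-config.xml (hypothetical example).
     Without <redirect/> the outcome "manageUsers" is a server-side forward:
     the browser URL stays at /index.faces, the container never evaluates the
     /admin/* constraint, and the admin view is rendered unprotected. -->
<navigation-rule>
  <from-view-id>/index.jsp</from-view-id>
  <navigation-case>
    <from-outcome>manageUsers</from-outcome>
    <to-view-id>/admin/users.jsp</to-view-id>
    <redirect/>
  </navigation-case>
</navigation-rule>
```

Two practical notes. First, the mapping of the "admin" role name to real users or groups is done in the container's realm configuration (Tomcat's tomcat-users.xml, an application server's realm or security domain), not in web.xml, so adding roles later is a deployment change rather than a code change. Second, for the fine-grained layer the reply describes, the identity to key on inside a managed bean is `FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName()` (null when nobody is logged in), and `ExternalContext.isUserInRole("admin")` gives the same coarse check the constraint already enforced; a bean that looks up per-user permissions should treat the URL constraint as the gate and the principal name as the lookup key, never the other way round.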