Does the Java Server Faces framework provide any security against unauthenticated access? I mean is it possible for a hacker to gain control over the underlying resources (Web server, Database server etc.) through some vulneraibility (manipulating URLs, etc.) in JSF framework?
Originally posted by Kavya Anjali: Thanks for the suggestions .
Also I wanted to know 1. Are there any shortcomings in JSF which a hacker can exploit and take undue advantage of it.
2. Any best practices or conventions followed for providiing secure JSF applications
Thanks for the suggestions in advance
You do realize that JSF is just a framework that renders HTML to a browser, don't you? It's not Flash or ActiveX. Treat JSF applications just as you would any other web application when it comes to security.
If you want to attach authentication logic to your JSF page then you some of the following options.
- In standard J2EE applications Servlet Filter is an API to authenticate user before displaying a desired page. This page may be .html, .jsp or a single resource on any page. You can use this API to authenticate user.
- JSF framework has it's own lifecycle composed of many phases. You can add some authentication code in these phase-listeners also, which will authenticate the user before 'restore view' phase of your jsf page
- If you want to manage this is in declarative way then you can use Spring AOP and declare JSF's phase-listener method using methodnamematching expression. Then this ASpect will get applied to each (approproate) method of life cycle and will authenticate the user.
All these and many other options are avaialble to authenticate the user.
Just like you, struggeling to get the right solutions!<br /> <br />Sun Certified Java Programmer 1.5<br /> <br />Target - SCWCD