
JSF page security

Gregory Androsov

Joined: Apr 24, 2013
Posts: 5
I want to create a web application with privileges. Depending on user roles, the application must grant privileges to the user (on viewing, adding, editing and deleting). I know how to realize the last three, but the first seems unresolvable to me.
The general problem is that if a user knows the URL of a page (e.g. "localhost:8080/prime-test/pages/test.jsf") he will get it.

The system of privileges is not static and is fetched from the DB. So I think I need to store them in a ManagedBean. Also I want to show an error page to the user if he hasn't enough rights (when he enters the URL).

How can I achieve this?
Gregory Androsov

Joined: Apr 24, 2013
Posts: 5
Of course I can just not render everything on the page if the user has no rights. But I think this is a bad way.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17282

There is a security manager built into the J2EE standard. If you use it, it will automatically handle the process of logging users in when needed and will guard selected URLs by wrapping a fortress around your webapp. Unlike user-designed "security systems" - which are usually not very secure at all - this system was designed by professional security experts and comes pre-debugged with every J2EE webapp server.

The Container-Managed J2EE security system doesn't actually guard "pages", it controls access to URLs, based on URL patterns that you supply in the WEB-INF/web.xml file. Each URL pattern is associated with one or more security roles and only people who possess one or more of those roles will be granted access to that URL. Unauthorized accessors will be diverted to a "Not Authorized" page automatically by the server without any user-written application code being used.

The storage mechanism for this system is configured into the webapp server using plug-replaceable components that implement what are known as security Realms. Most webapp servers come with multiple Realm modules to allow the userid/password and userid/role information to be stored in different mechanisms, such as databases, LDAP, and so forth.

An IDE is no substitute for an Intelligent Developer.
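To illustrate the declarative URL guarding Tim describes, here is an added example of the relevant WEB-INF/web.xml fragments. It is not from the thread; the /pages/* path and the .jsf mapping are taken from Gregory's example URL, while the role names viewer and editor, the realm name and the page locations are assumed placeholders.

```xml
<!-- Added example (not from the original thread). Role names, realm name and
     page locations are placeholders; the realm itself is configured in the
     server, not here. -->

<!-- Every URL under /pages/ (prefix match, so /pages/test.jsf and the raw
     /pages/test.xhtml source alike) requires an authenticated user holding
     at least one of the listed roles. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected JSF pages</web-resource-name>
    <url-pattern>/pages/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>viewer</role-name>
    <role-name>editor</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- force HTTPS so credentials and session cookies are not sent in clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- A narrower pattern can demand a stronger role: the container applies
     the most specific matching constraint, so /pages/admin/... is
     editor-only even though /pages/* also allows viewer. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Editing pages</web-resource-name>
    <url-pattern>/pages/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>editor</role-name>
  </auth-constraint>
</security-constraint>

<!-- Container-driven login: the login page must itself be outside the
     constraints, and its form must POST to j_security_check with the
     fields j_username and j_password (a plain HTML form, not h:form). -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>prime-test</realm-name>
  <form-login-config>
    <form-login-page>/login.jsf</form-login-page>
    <form-error-page>/loginError.jsf</form-error-page>
  </form-login-config>
</login-config>

<!-- Roles referenced above must be declared; the realm maps users to them. -->
<security-role><role-name>viewer</role-name></security-role>
<security-role><role-name>editor</role-name></security-role>

<!-- What an authenticated user lacking the role sees: the server answers
     403 and serves this page, with no application code involved. -->
<error-page>
  <error-code>403</error-code>
  <location>/notAuthorized.jsf</location>
</error-page>
```

Because matching is on the URL rather than the page, any additional servlet mapping that exposes the same view (for example /faces/*) needs its own pattern or it stays unguarded.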
Murad Imanbayli

Joined: Jan 24, 2013
Posts: 9

Hi Gregory, you can use a PhaseListener for this problem. If you want a PhaseListener example then see this link

Murad Imanbayli - SCJP. I am from Azerbaijan
Leader of Baku JUG, My Java and Oracle blog