I want to create a web application with privileges. Depending on user roles, the application must give privileges to the user (on viewing, adding, editing and deleting). I know how to realize the last three, but the first seems unresolvable to me.
The general problem is that if a user knows the URL of a page (e.g. "localhost:8080/prime-test/pages/test.jsf") he would get it.
The system of privileges is not static and is taken from the DB. So I think I need to store them in a ManagedBean. Also I want to give an error page to the user if he hasn't enough rights (when he enters the URL).
How can I get it?
Of course I could just not render everything on the page if the user doesn't have rights. But I think this is a bad way.
There is a security manager built into the J2EE standard. If you use it, it will automatically handle the process of logging users in when needed and will guard selected URLs by wrapping a fortress around your webapp. Unlike user-designed "security systems" - which are usually not very secure at all - this system was designed by professional security experts and comes pre-debugged with every J2EE webapp server.
The Container-Managed J2EE security system doesn't actually guard "pages", it controls access to URLs, based on URL patterns that you supply in the WEB-INF/web.xml file. Each URL pattern is associated with one or more security roles and only people who possess one or more of those roles will be granted access to that URL. Unauthorized accessors will be diverted to a "Not Authorized" page automatically by the server without any user-written application code being used.
The storage mechanism for this system is configured into the webapp server using plug-replaceable components that implement what are known as security Realms. Most webapp servers come with multiple Realm modules to allow the userid/password and userid/role information to be stored in different mechanisms, such as databases, LDAP, and so forth.
An IDE is no substitute for an Intelligent Developer.