
RE: [ajug-members]: Security question



Thanks Rob... I'll take your advice on not sticking to declarative security.
We are going to use the Jboss Security Extension (Security Proxy) to
implement a centralized rule-based authorization policy. For now, we'll go
with the default credential caching mechanism.

As for the 'request' taglib... I don't know if we can use it because our
components are all JSF based. JSF doesn't support non-jsf custom tags.
However, I can copy the concept and create a corresponding JSF custom
component. Since we're not using Struts, we will also extend the JSF command
link / button tags to support authorization.

By the way, I completely agree with you about the 'request' taglib concept.
I think it forms a design pattern known as 'Limited View' where you only
show the user what's relevant. Most frameworks today use the 'Full view with
errors' antipattern, where you show everything, and when authorization fails,
you show an error to the user.


Chinmay Nagarkar
Coreconcept Inc.
1000 Abernathy Road, 400 Northpark
Suite 1010, Atlanta, GA 30328.
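The JSF counterpart of request:isUserInRole that the message above proposes, written as an added example for this thread (it is not code from either poster, from JBoss, or from the Jakarta taglib). The package, class and attribute names are hypothetical; the only framework calls are the standard JSF 1.x ones (UIComponentBase, ExternalContext.isUserInRole, UIComponentTag). The component implements the 'Limited View' pattern by making isRendered() return false when the caller lacks every listed role, so JSF never encodes the subtree instead of rendering it and then raising an authorization error.

```java
// Hypothetical package/class names; example code, not from the thread or JBoss/JSF.
package example.view;

import javax.faces.component.UIComponent;
import javax.faces.component.UIComponentBase;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.webapp.UIComponentTag;

/**
 * "Limited View" region: children are encoded only when the authenticated
 * user holds at least one of the comma-separated roles in the 'roles'
 * attribute. The check goes through ExternalContext.isUserInRole, i.e. the
 * same role mapping the web container applies to its declarative
 * security constraints after form-based login.
 *
 * Register in faces-config.xml (component-type example.SecureRegion,
 * component-class example.view.SecureRegion) and expose SecureRegion.Tag
 * in a TLD to use it as, e.g., <sec:region roles="admin,manager">.
 */
public class SecureRegion extends UIComponentBase {

    public static final String COMPONENT_TYPE = "example.SecureRegion";
    public static final String COMPONENT_FAMILY = "example.SecureRegion";

    private String roles;

    public String getFamily() {
        return COMPONENT_FAMILY;
    }

    public String getRoles() {
        return roles;
    }

    public void setRoles(String roles) {
        this.roles = roles;
    }

    // JSF consults isRendered() before encoding a component and its subtree,
    // so a false here suppresses the whole region rather than rendering it
    // and reporting a failure afterwards ("Full view with errors").
    public boolean isRendered() {
        if (!super.isRendered()) {
            return false;
        }
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        return isAllowed(ext, roles);
    }

    // Fail closed: no roles configured or no authenticated user hides the region.
    static boolean isAllowed(ExternalContext ext, String roles) {
        if (roles == null || ext.getRemoteUser() == null) {
            return false;
        }
        String[] names = roles.split(",");
        for (int i = 0; i < names.length; i++) {
            String role = names[i].trim();
            if (role.length() > 0 && ext.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    // The 'roles' attribute must survive the JSF state-saving round trip.
    public Object saveState(FacesContext context) {
        return new Object[] { super.saveState(context), roles };
    }

    public void restoreState(FacesContext context, Object state) {
        Object[] values = (Object[]) state;
        super.restoreState(context, values[0]);
        roles = (String) values[1];
    }

    /** JSP tag handler (JSF 1.x style) that creates the component from a page. */
    public static class Tag extends UIComponentTag {
        private String roles;

        public void setRoles(String roles) {
            this.roles = roles;
        }

        public String getComponentType() {
            return COMPONENT_TYPE;
        }

        // No renderer: the region itself emits nothing, only its body does.
        public String getRendererType() {
            return null;
        }

        protected void setProperties(UIComponent component) {
            super.setProperties(component);
            ((SecureRegion) component).setRoles(roles);
        }

        public void release() {
            super.release();
            roles = null;
        }
    }
}
```

Hiding a link or button this way improves the view but is not an authorization boundary: the EJB method permissions and web resource constraints discussed in this thread still have to enforce the rule, since a user can submit the hidden action directly.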

-----Original Message-----
From: Rob Kischuk [mailto:rkischuk@gttx.org]
Sent: Thursday, April 22, 2004 5:00 PM
To: ajug-members@ajug.org
Subject: Re: [ajug-members]: Security question

Yeah, I've definitely done this, and definitely encourage it.  J2EE
security can be quite powerful, yet so many people spend so much time
unnecessarily reinventing it.  This is one area where being inside a
J2EE container really works some magic, and adds a lot of value.

One thing I would advise is not to bend over backwards trying to stick
exclusively to declarative security.  Sometimes, especially in the view,
you may need to check things programmatically in order to selectively
render parts of the page based on user permissions.  There's a jakarta
request taglib that has a request:isUserInRole tag that is useful, and
if you are using Struts, take note that it supports role-based security
in restricting access to Struts actions.

-Rob

Chinmay Nagarkar wrote:

>Hi Everyone,
>Another dumb security question...
>Our team has Tomcat 5.0.18 and Jboss3.2.3 running as Web-container and
>app-container respectively. We want to use form based authentication on the
>web-container and standard J2EE declarative security to allow authorized
>access to EJBs.
>Does anyone have any experience with this type of requirement? I'm looking
>for an 'Aye' or specific words of caution.
>Thanks,
>Chinmay