Custom Annotation JSF


Problem description

I wanted to make a custom annotation to check security on some functions for my JSF web application. For security I use Tomcat security with JAAS, so I have no application-managed security at my disposal.

What I actually want to do is make an annotation for my methods in the backing beans like Spring Security (@Secured("role")). My security system is implemented so that every function is a role, and you can dynamically make "user roles"; these are stored in the DB, and when somebody logs in, all the (function) roles in that "user role" will be set in Tomcat security as roles.

So now I have this piece of code to check if my user can access the function:

    import javax.faces.context.FacesContext;

    public final class SecurityUtil {

        public static void checkSecurity(final String function) {
            final FacesContext facesContext = FacesContext.getCurrentInstance();
            try {
                if (facesContext.getExternalContext().getRemoteUser() == null) {
                    // Not authenticated: send the user to the login page.
                    facesContext.getExternalContext().redirect("login.xhtml");
                    return;
                }
                if (!facesContext.getExternalContext().isUserInRole(function)) {
                    // Authenticated, but the container does not hold the function role.
                    facesContext.getExternalContext().redirect("restricted.xhtml");
                    return;
                }
            } catch (final Exception ex /* Mandatory "IOException e" will be caught + all other exceptions. */) {
                facesContext.getExternalContext().setResponseStatus(403); // HTTP Status 403: Forbidden. Can also throw 401.
                facesContext.responseComplete();
            }
        }
    }

Now I have to call this SecurityUtil.checkSecurity("name_of_function"); in every method. But I want to have an annotation like this: @CustomSecurity("function_name_role").

    import java.lang.annotation.ElementType;
    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import java.lang.annotation.Target;

    @Target(ElementType.METHOD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface CustomSecurity {
        // Single element called value: the function role to check.
        String value();
    }

And when a method has this annotation, the checkSecurity function automatically has to be performed. So I have to scan for this annotation at some point, or make some kind of action listener. JSF should have some options for this, but all the forums I found on this don't really help.

Does somebody have some ideas?

Edit:

I tried this blog; it works, but only on an action of a component (and components don't render when you don't have the role). So how secure is this when people try to hack into the JSF structure? And I'd rather have it running on every method.

    import java.lang.reflect.Method;
    import java.util.logging.Logger;

    import javax.el.ELContext;
    import javax.el.ExpressionFactory;
    import javax.el.ValueExpression;
    import javax.faces.component.ActionSource;
    import javax.faces.component.UIComponent;
    import javax.faces.context.FacesContext;
    import javax.faces.el.MethodBinding;
    import javax.faces.event.ActionEvent;
    import javax.faces.event.ActionListener;

    // Mojarra-internal classes used by the original listener.
    import com.sun.faces.application.ActionListenerImpl;
    import com.sun.faces.util.FacesLogger;

    public class SecurityActionListener extends ActionListenerImpl implements ActionListener {

        private static final Logger LOGGER = FacesLogger.APPLICATION.getLogger();

        @Override
        public void processAction(final ActionEvent event) {

            final FacesContext context = FacesContext.getCurrentInstance();

            // Action stuff: resolve the "#{bean.method}" expression of the component.
            final UIComponent source = event.getComponent();
            final ActionSource actionSource = (ActionSource) source;
            final MethodBinding binding = actionSource.getAction();
            final String expr = binding.getExpressionString();
            if (!expr.startsWith("#")) {
                super.processAction(event);
                return;
            }

            final int idx = expr.indexOf('.');
            final String target = expr.substring(0, idx).substring(2);
            final String t = expr.substring(idx + 1);
            final String method = t.substring(0, (t.length() - 1));

            final ELContext elContext = context.getELContext();
            final ExpressionFactory factory = context.getApplication().getExpressionFactory();

            final ValueExpression ve = factory.createValueExpression(elContext, "#{" + target + '}', Object.class);
            final Object result = ve.getValue(elContext);

            // Check if the target method is a secured method
            // and check security accordingly
            boolean found = false;
            for (final Method meth : result.getClass().getMethods()) {
                if (meth.getName().equals(method)) {
                    found = true;
                    if (meth.isAnnotationPresent(CustomSecurity.class)) {
                        final CustomSecurity securityAnnotation = meth.getAnnotation(CustomSecurity.class);
                        LOGGER.fine("Function to check security on: " + securityAnnotation.value());
                        SecurityUtil.checkSecurity(securityAnnotation.value());
                        // checkSecurity() redirects (which completes the response) when the user
                        // may not call the function; only invoke the action when it did not.
                        if (!context.getResponseComplete()) {
                            super.processAction(event);
                        }
                    } else {
                        super.processAction(event);
                    }
                    break;
                }
            }
            if (!found) {
                // No method with that name on the bean: fall back to the default handling.
                super.processAction(event);
            }
        }

    }

And this in the faces-config.xml:

    <action-listener>
        com.nielsr.randompackagebecauseofnda.SecurityActionListener
    </action-listener>

This blog could also be an answer, but I don't know how it will work with my JAAS Tomcat security, because the security is in a separate project deployed as a standalone JAR in the Tomcat lib folder.

But I actually don't know whether I have to secure my beans. Because I have configured all the functions (aka roles, see above) that are on one page in the web.xml as security constraints. And I render the components on the page only if you have the rights or "function_role" on that component. So is this secured enough? Or, if somebody has a right to a function on a page, can he render the components himself and so hack my site?

I'm not that familiar with JSF to know this; what is going on in that extra JSF abstraction layer between Controller and View? (I'm more of a Spring MVC developer, but because of requirements I have to use JSF, but it's nice to broaden my knowledge.)
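One way to have the check run on every annotated bean method rather than only on a component action, as an added example that is neither the asker's code nor the answerer's: a CDI interceptor bound to the annotation. It assumes CDI 1.0 or later with the backing beans managed by CDI (@Named), and that SecurityUtil.checkSecurity is the method from the question; the annotation shown replaces the question's CustomSecurity definition (same name, now an interceptor binding), and the interceptor class name and the fail-closed handling outside a JSF request are my choices.

```java
// ---- CustomSecurity.java ----
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Retention;
import java.lang.annotation.Target;

import javax.enterprise.util.Nonbinding;
import javax.interceptor.InterceptorBinding;

// The annotation from the question, turned into a CDI interceptor binding.
// @Nonbinding lets one interceptor serve every function-role value.
@InterceptorBinding
@Target({ METHOD, TYPE })
@Retention(RUNTIME)
public @interface CustomSecurity {
    @Nonbinding String value();
}

// ---- CustomSecurityInterceptor.java ----
import javax.faces.context.FacesContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;

// Runs around every method of a CDI bean that carries @CustomSecurity, whether the
// call comes from an action, from a getter during rendering, or from an AJAX request.
@Interceptor
@CustomSecurity("")
public class CustomSecurityInterceptor {

    @AroundInvoke
    public Object enforce(final InvocationContext ctx) throws Exception {
        CustomSecurity secured = ctx.getMethod().getAnnotation(CustomSecurity.class);
        if (secured == null) {
            // Annotation placed on the class: it applies to all of the class's methods.
            secured = ctx.getMethod().getDeclaringClass().getAnnotation(CustomSecurity.class);
        }
        if (secured != null) {
            final FacesContext facesContext = FacesContext.getCurrentInstance();
            if (facesContext == null) {
                // No JSF request to check against: refuse rather than silently proceed.
                throw new SecurityException("@CustomSecurity method called outside a JSF request");
            }
            // Same check as SecurityUtil.checkSecurity in the question:
            // redirects to login.xhtml / restricted.xhtml or sets HTTP 403.
            SecurityUtil.checkSecurity(secured.value());
            // A redirect marks the response complete; do not run the business method then.
            if (facesContext.getResponseComplete()) {
                return null;
            }
        }
        return ctx.proceed();
    }
}
```

The interceptor is enabled by listing the class in WEB-INF/beans.xml (`<interceptors><class>com.example.CustomSecurityInterceptor</class></interceptors>`, package name assumed). Because the check happens at the method call and not at the component, it also covers a request that reaches a bean method without the corresponding component having been rendered, which is the case the edit above worries about.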

Recommended answer

You can "scan for your Annotations" using

http://code.google.com/p/reflections/

Regards
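Using the Reflections library the answer points to, as an added example that is not the answerer's code: a deployment-time audit that lists every method annotated with @CustomSecurity grouped by function role, and warns about public non-accessor methods on @Named beans that carry no annotation. It assumes Reflections 0.9.x, CDI's @Named on the backing beans, and the CustomSecurity annotation from the question; the class name, the init parameter name and the getter/setter naming heuristic are my assumptions.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.logging.Logger;

import javax.inject.Named;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

import org.reflections.Reflections;
import org.reflections.scanners.MethodAnnotationsScanner;
import org.reflections.scanners.SubTypesScanner;
import org.reflections.scanners.TypeAnnotationsScanner;
import org.reflections.util.ClasspathHelper;
import org.reflections.util.ConfigurationBuilder;
import org.reflections.util.FilterBuilder;

// Scans the application's own packages once at startup and reports which function
// roles are enforced where, so the DB role definitions can be compared against the code.
public final class SecurityAnnotationAudit implements ServletContextListener {

    private static final Logger LOG = Logger.getLogger(SecurityAnnotationAudit.class.getName());

    // Hypothetical init parameter naming the package to scan, e.g. "com.nielsr".
    private static final String BASE_PACKAGE_PARAM = "securityAudit.basePackage";

    @Override
    public void contextInitialized(final ServletContextEvent sce) {
        final String basePackage = sce.getServletContext().getInitParameter(BASE_PACKAGE_PARAM);
        final Map<String, Set<String>> byRole = audit(basePackage);
        for (final Map.Entry<String, Set<String>> e : byRole.entrySet()) {
            LOG.info("function role '" + e.getKey() + "' guards " + e.getValue());
        }
    }

    @Override
    public void contextDestroyed(final ServletContextEvent sce) {
        // nothing to release
    }

    // Returns function role -> fully qualified methods that declare it.
    public static Map<String, Set<String>> audit(final String basePackage) {
        final Reflections reflections = new Reflections(new ConfigurationBuilder()
                .setUrls(ClasspathHelper.forPackage(basePackage))
                .filterInputsBy(new FilterBuilder().includePackage(basePackage))
                .setScanners(new MethodAnnotationsScanner(),
                             new TypeAnnotationsScanner(),
                             new SubTypesScanner()));

        final Map<String, Set<String>> byRole = new TreeMap<String, Set<String>>();
        for (final Method m : reflections.getMethodsAnnotatedWith(CustomSecurity.class)) {
            final String role = m.getAnnotation(CustomSecurity.class).value();
            Set<String> methods = byRole.get(role);
            if (methods == null) {
                methods = new TreeSet<String>();
                byRole.put(role, methods);
            }
            methods.add(m.getDeclaringClass().getName() + "#" + m.getName());
        }

        // Public methods on managed beans that are neither accessors nor annotated are
        // reachable from EL but unguarded; report them for review.
        for (final Class<?> bean : reflections.getTypesAnnotatedWith(Named.class)) {
            for (final Method m : bean.getDeclaredMethods()) {
                if (Modifier.isPublic(m.getModifiers())
                        && !m.isAnnotationPresent(CustomSecurity.class)
                        && !isAccessor(m.getName())) {
                    LOG.warning("public bean method without @CustomSecurity: "
                            + bean.getName() + "#" + m.getName());
                }
            }
        }
        return byRole;
    }

    // Naming heuristic only: JavaBean getters and setters are treated as data access.
    private static boolean isAccessor(final String name) {
        return name.startsWith("get") || name.startsWith("is") || name.startsWith("set");
    }
}
```

Register the listener in web.xml (`<listener><listener-class>...SecurityAnnotationAudit</listener-class></listener>`) together with a context-param for the package name. The scan is a reporting aid: it tells you which roles the code expects so they can be cross-checked against the roles stored in the DB, but it does not enforce anything by itself.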

