Suggestion on JSF authorization


Problem description

I learnt how to use container authentication with a JDBC realm. I searched a lot on the internet but I couldn't find anything on JSF authorization except the following article. JSF authorization

My goal is to avoid access to protected pages using direct links and to show/hide menu items and form components based on the authenticated user privileges. The last part can be implemented using the rendered attribute of JSF tags but before creating my own dirty and highly coupled solution I wonder if there are some specific best practices or libraries that can help. In fact the number of components to be conditionally rendered is quite high and I wouldn't like to write a specific function for each of them. Perhaps I can create for each authenticated user a map with the names (id) of all the conditionally rendered components and a single function with a String parameter (the unique name/id of the component). Is that a good idea? What alternatives do I have? I wouldn't like to add to the project other general purpose frameworks such as Spring for using only a small part of them (the security one).

Thanks Filippo

Recommended answer

With the Expression Language version in Java EE 6 you should be able to use expressions like these:

<h:inputText rendered="#{facesContext.externalContext.isUserInRole('foo')}" />

With older versions, you can create a managed bean of this form:

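import java.util.Map;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class RoleMap implements Map<String, Boolean> {

    // EL resolves #{roleMap['foo']} by calling get("foo") on this bean
    public Boolean get(Object key) {
        ExternalContext extCtxt = FacesContext.getCurrentInstance()
                                              .getExternalContext();
        return extCtxt.isUserInRole(key.toString());
    }

    //TODO: other methods; mostly throwing UnsupportedOperationException
}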

The test can then be expressed in the form:

<h:inputText rendered="#{roleMap['foo']}" />

Third party frameworks offer other options, such as the Apache Tomahawk library's visibleOnUserRole component attributes.
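
An added example, not part of the original answer: a lookup-only map bean that combines the per-component map proposed in the question with the map-backed EL lookup shown above, and denies unknown component ids by default. The class name `ComponentAccess`, its `allow` method, the component ids and the role names are hypothetical, and the role check is injected as a predicate so the block runs without a JSF container.

```java
import java.util.AbstractMap;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

public class ComponentAccess extends AbstractMap<String, Boolean> {
    // component id -> roles allowed to see it (any one role is enough)
    private final Map<String, Set<String>> requiredRoles = new HashMap<>();
    private final Predicate<String> userInRole;

    // In a JSF application the predicate would be
    // role -> FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role)
    public ComponentAccess(Predicate<String> userInRole) {
        this.userInRole = userInRole;
    }

    public ComponentAccess allow(String componentId, String... roles) {
        requiredRoles.put(componentId, new HashSet<>(Arrays.asList(roles)));
        return this;
    }

    // EL evaluates #{componentAccess['deleteButton']} as get("deleteButton").
    @Override
    public Boolean get(Object componentId) {
        Set<String> roles = requiredRoles.get(componentId);
        if (roles == null) {
            return Boolean.FALSE; // unknown or mistyped id: deny by default
        }
        return roles.stream().anyMatch(userInRole);
    }

    @Override
    public Set<Map.Entry<String, Boolean>> entrySet() {
        throw new UnsupportedOperationException("lookup-only map");
    }

    public static void main(String[] args) {
        // Constructed sample: the current user holds only the "clerk" role.
        Set<String> held = new HashSet<>(Arrays.asList("clerk"));
        ComponentAccess access = new ComponentAccess(held::contains)
                .allow("orderForm", "clerk", "admin")
                .allow("deleteButton", "admin");
        System.out.println("orderForm    -> " + access.get("orderForm"));
        System.out.println("deleteButton -> " + access.get("deleteButton"));
        System.out.println("typoId       -> " + access.get("typoId"));
    }
}
```

Registered as a managed bean named `componentAccess` (an assumed name), it would be used as `rendered="#{componentAccess['deleteButton']}"`. The `rendered` attribute only controls what is drawn, so restricting the page URLs themselves still needs a server-side check such as a container security constraint.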
