...

  • AccessBeanEvent
  • CloseConversationEvent
  • CloseWindowContextEvent
  • CreateWindowContextEvent
  • RestartConversationEvent
  • ScopeBeanEvent
  • StartConversationEvent
  • UnscopeBeanEvent

Security

AccessDecisionVoter

AbstractAccessDecisionVoter

SecurityViolation

...

CODI provides some basic hooks to integrate a custom security concept. It isn't related to an existing framework; CODI just allows such frameworks to be integrated based on the ViewConfig or via interceptors.

AccessDecisionVoter

This interface is (besides the Secured annotation) the most important part of the concept. Both artifact types are also the only required parts.
This interface is independent of JSF. However, currently you need the JSF 1.x or 2.x module to use an out-of-the-box implementation of it. Further details and examples are available in the documentation of the CODI-JSF-module.

Since it's a generic concept, it's also possible to provide an implementation for other view-technologies.

The AbstractAccessDecisionVoter allows an easier implementation.

Secured

Simple usage of @Secured for ViewConfigs:

@Page(navigation = REDIRECT)
public interface Pages extends ViewConfig
{
    @Secured(LoginAccessDecisionVoter.class)
    public interface Secure extends Pages
    {
        public @Page class InternalPage implements Secure {}
    }
}

In case of a violation CODI will use the DefaultErrorView as navigation target (if configured).

Simple usage of @Secured for ViewConfigs with a special error page:

@Page(navigation = REDIRECT)
public interface Pages extends ViewConfig
{
    @Secured(value = LoginAccessDecisionVoter.class, errorView = Login.class)
    public interface Secure extends Pages
    {
        public @Page class InternalPage implements Secure {}
    }
}

In this case the page represented by Login.class will be used instead of the DefaultErrorView.

SecurityViolation

In case of a detected violation a SecurityViolation has to be added to the result returned by the AccessDecisionVoter.

Simple example for creating a SecurityViolation:

@ApplicationScoped
public class LoginAccessDecisionVoter extends AbstractAccessDecisionVoter
{
    private static final long serialVersionUID = -6332617547592896599L;

    @Inject
    private UserHolder userHolder;

    @Inject
    //@Jsf //only required in combination with the JSF module
    private MessageContext messageContext;

    @Override
    protected void checkPermission(InvocationContext invocationContext, Set<SecurityViolation> violations)
    {
        if(!this.userHolder.isLoggedIn())
        {
            violations.add(newSecurityViolation(this.messageContext.message().text("{msgAccessDenied}").toText()));
        }
    }
}

The rest is done by CODI. Please note that there is a natural overhead if the @Secured annotation is used as an interceptor. In combination with the JSF module, we recommend using it for the ViewConfig instead of beans because the performance overhead is minimal compared to an interceptor.
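The voter above ignores its InvocationContext. As an added example (not taken from the CODI documentation), the following goes beyond that case: a voter used through the @Secured interceptor on a bean method, which adds a SecurityViolation unless the caller holds the role named on that method. RequiresRole, RoleAccessDecisionVoter, AccountService and UserHolder.hasRole(String) are hypothetical; it is assumed that the CODI security interceptor is active for the bean archive and that UserHolder is in the same package.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.interceptor.InvocationContext;
import org.apache.myfaces.extensions.cdi.core.api.security.AbstractAccessDecisionVoter;
import org.apache.myfaces.extensions.cdi.core.api.security.Secured;
import org.apache.myfaces.extensions.cdi.core.api.security.SecurityViolation;

// UserHolder is the application bean from the page; hasRole(String) is an assumed method on it.
public class RoleSecurityExample
{
    // Hypothetical marker naming the role a secured method requires.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    public @interface RequiresRole { String value(); }

    @ApplicationScoped
    public static class RoleAccessDecisionVoter extends AbstractAccessDecisionVoter
    {
        private static final long serialVersionUID = 1L;
        @Inject
        private UserHolder userHolder;

        @Override
        protected void checkPermission(InvocationContext invocationContext, Set<SecurityViolation> violations)
        {
            if (!this.userHolder.isLoggedIn())
            {
                violations.add(newSecurityViolation("not logged in"));
                return;
            }
            // Fail closed: no context, no method or no declared role means no access.
            Method method = invocationContext != null ? invocationContext.getMethod() : null;
            RequiresRole required = method != null ? method.getAnnotation(RequiresRole.class) : null;
            if (required == null || !this.userHolder.hasRole(required.value()))
            {
                violations.add(newSecurityViolation("missing required role"));
            }
        }
    }

    @ApplicationScoped
    public static class AccountService
    {
        @Secured(RoleAccessDecisionVoter.class) // voter runs on every intercepted call
        @RequiresRole("admin")
        public void deleteAccount(String accountId) { /* privileged work */ }
    }
}
```

Because this voter denies access whenever no method is available to inspect, it is meant for bean methods only; the LoginAccessDecisionVoter style shown above remains the fit for ViewConfig entries.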

AbstractDecisionVoter

AbstractBeanCreationDecisionVoter

...