CODI provides some basic hooks to integrate a custom security concept. It isn't related to an existing framework. CODI just allows you to integrate such frameworks based on the ViewConfig or via interceptors.
This interface is (besides the Secured annotation) the most important part of the concept. Both artifact types are also the only required parts.
This interface is independent of JSF. However, currently you need the JSF 1.x or 2.x module to use an out-of-the-box implementation of it. Further details and examples are available in the documentation of the CODI-JSF-module.
Since it's a generic concept, it's also possible to provide an implementation for other view-technologies.
The AbstractAccessDecisionVoter allows an easier implementation.
```java
@Page(navigation = REDIRECT)
public interface Pages extends ViewConfig
{
    @Secured(LoginAccessDecisionVoter.class)
    public interface Secure extends Pages
    {
        public @Page class InternalPage implements Secure {}
    }
}
```
In case of a violation CODI will use the DefaultErrorView as navigation target (if configured).
```java
@Page(navigation = REDIRECT)
public interface Pages extends ViewConfig
{
    @Secured(value = LoginAccessDecisionVoter.class, errorView = Login.class)
    public interface Secure extends Pages
    {
        public @Page class InternalPage implements Secure {}
    }
}
```
In this case the page represented by Login.class will be used instead of the DefaultErrorView.
In case of a detected violation a SecurityViolation has to be added to the result returned by the AccessDecisionVoter.
```java
@ApplicationScoped
public class LoginAccessDecisionVoter extends AbstractAccessDecisionVoter
{
    private static final long serialVersionUID = -6332617547592896599L;

    @Inject
    private UserHolder userHolder;

    @Inject
    //@Jsf //only required in combination with the JSF module
    private MessageContext messageContext;

    @Override
    protected void checkPermission(InvocationContext invocationContext, Set<SecurityViolation> violations)
    {
        if(!this.userHolder.isLoggedIn())
        {
            violations.add(newSecurityViolation(this.messageContext.message().text("{msgAccessDenied}").toText()));
        }
    }
}
```
The rest is done by CODI. Please note that there is a natural overhead if the @Secured annotation is used as interceptor. In combination with the JSF module, we recommend using it for the ViewConfig instead of beans because the performance overhead is minimal compared to an interceptor.