How can I hide some content based on user role in JSF? - java

I'm using JAAS and have applied security on some folders for different roles. I want to hide some navigation for different users because, although the pages are not accessible, the user can still see the links that he has no rights on. What's the simplest way to achieve this in JSF? Do I need to call a method to check the role in the "rendered" property of each navigation link? Any sample code? Please help!

Use rendered for the view, e.g.
    rendered="#{userBean.role == 'ADMIN'}"
Also configure a filter, or use Spring Security's filter, to restrict them from accessing the URL.

The correct answer is here, maybe helpful for someone else: Is "isUserInRole" method related to JAAS?
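As an added example (not code from the question or the answers): a managed bean that delegates the role check to the container, so the rendered expression and the JAAS security constraints use the same roles. The bean name userBean and the ADMIN role are assumptions.

```java
import java.io.Serializable;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/**
 * Hypothetical managed bean (not from the original answers). It asks the
 * container, i.e. the JAAS realm, whether the current user is in a role,
 * so the "rendered" checks in the pages rely on exactly the roles that the
 * security-constraints in web.xml enforce.
 */
@ManagedBean(name = "userBean")
@SessionScoped
public class UserBean implements Serializable {

    private static final long serialVersionUID = 1L;

    /** True when the container has authenticated the user and put him in this role. */
    public boolean isInRole(String role) {
        ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext();
        return ctx.getUserPrincipal() != null && ctx.isUserInRole(role);
    }

    /** Property form for plain EL: #{userBean.admin}. */
    public boolean isAdmin() {
        return isInRole("ADMIN");
    }

    /** Login name of the current user, or null when anonymous. */
    public String getName() {
        ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext();
        return ctx.getUserPrincipal() == null ? null : ctx.getUserPrincipal().getName();
    }
}
```

In the page: `<h:link outcome="/admin/users" value="Users" rendered="#{userBean.admin}" />` (or `#{userBean.isInRole('ADMIN')}` with EL 2.2). The hidden link is only a courtesy; the security-constraint on the folder is what rejects a typed-in URL.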

Related

Cas - Custom acceptable usage policy view

We are using acceptable usage policy feature to implement a requirement where the user has to accept some licence agreement before using our registered services.
We have implemented our custom AcceptableUsagePolicyRepository as proposed in the docs and the user is successfully redirected to acceptance policy view based on a condition.
At this point we need to customize this view, so we have added the generated casAcceptableUsagePolicyView.html in the overlay. Our goal is to present different terms text based on the user status (admin, typical user etc.). Terms text and user status should be fetched from the database.
In a typical MVC application, a controller would be used to generate the java objects that would be finally rendered in the view.
Question: What is the recommended way of customizing the aforementioned view to dynamically render our content?
The easiest way, for the time being, would be to supply your own AcceptableUsagePolicyVerifyAction bean in a @Configuration class:
    @Bean
    public Action acceptableUsagePolicyVerifyAction() {
        return new MyAcceptableUsagePolicyVerifyAction(...);
    }
In your own MyAcceptableUsagePolicyVerifyAction, you'd then fetch the user status/text you need and stuff it into the RequestContext's relevant scope. In the casAcceptableUsagePolicyView, you can next write a bit of conditional logic to determine the relevant text based on the status found in the webflow scope.
To learn about how #Configuration classes work in general, you can:
Review this post
or This post
or consult the documentation for Spring and/or Spring Boot.
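An added sketch of that bean (not from the answer or from the CAS project): the action subclasses the stock one, puts the status and terms text into flow scope, then defers to the normal verification. The CAS 5.x package names, the single-argument constructor and WebUtils.getCredential are assumptions to check against the version in your overlay; TermsRepository is a hypothetical lookup.

```java
import org.apereo.cas.aup.AcceptableUsagePolicyRepository;
import org.apereo.cas.web.flow.AcceptableUsagePolicyVerifyAction;
import org.apereo.cas.web.support.WebUtils;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.webflow.execution.Action;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

// Hypothetical lookup (not a CAS type): your database gives the user's status
// and the terms text that status should see.
interface TermsRepository {
    String statusOf(String username);          // e.g. "admin" or "user"
    String termsTextFor(String status);
}

// Extends the stock CAS action so the "must the user still accept?" decision is
// untouched; it only adds what the view needs to flow scope first.
class MyAcceptableUsagePolicyVerifyAction extends AcceptableUsagePolicyVerifyAction {
    private final TermsRepository terms;

    MyAcceptableUsagePolicyVerifyAction(AcceptableUsagePolicyRepository repository, TermsRepository terms) {
        super(repository);   // assumption: the CAS 5.x single-argument constructor
        this.terms = terms;
    }

    @Override
    protected Event doExecute(RequestContext requestContext) throws Exception {
        // assumption: the credential CAS just authenticated is reachable via WebUtils
        String username = WebUtils.getCredential(requestContext).getId();
        String status = terms.statusOf(username);
        requestContext.getFlowScope().put("userStatus", status);
        requestContext.getFlowScope().put("termsText", terms.termsTextFor(status));
        return super.doExecute(requestContext);
    }
}

@Configuration("myAupConfiguration")
public class MyAupConfiguration {
    // Same bean name as the CAS default, so CAS's @ConditionalOnMissingBean backs off
    // and the login webflow picks this action up instead.
    @Bean
    public Action acceptableUsagePolicyVerifyAction(
            @Qualifier("acceptableUsagePolicyRepository") AcceptableUsagePolicyRepository repository,
            TermsRepository termsRepository) {
        return new MyAcceptableUsagePolicyVerifyAction(repository, termsRepository);
    }
}
```

The view can then branch on ${userStatus} and print ${termsText}; the configuration class is registered by listing it in the overlay's META-INF/spring.factories under org.springframework.boot.autoconfigure.EnableAutoConfiguration.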

Access Control-j2ee

I am a beginner in the world of ACL coding. I have no prior knowledge of filters and other concepts and cannot learn that because of time constraints. So I found an alternative way to implement ACL.
I have only 3 users, suppose user, admin and sys.
So I just create JSP pages starting with the respective user types and the name of the page.
e.g. "userCheckStatus.jsp" and "sysCreateUser.jsp"
And then I check whether the usertype which is stored in the session matches with the respective page the user is trying to access. I just want to know whether this is a good practice and whether it will provide me with the thing which I am trying to achieve. If not, then what is lacking in the above method? Please advise me on the same.
Thanks in advance!!!
Your approach may work. One drawback is if you change your mind and you want to give access rights to another user or introduce a new role, you will have to rewrite it completely. For example you will have to find all references to that JSP and fix the links. If a user bookmarked the JSP, it will not be found anymore. Some kind of indirection (mapping access to JSPs in a configuration file) would be better.
Standard servlet security is not so hard to try. See Oracle documentation. The good news is that servlet API has direct support for it.
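As an added example of the indirection the answer suggests (not from the original posts): a servlet filter that keeps the page-prefix-to-user-type mapping in configuration and checks it against the usertype stored in the session, as in the question. It assumes Servlet 4.0 (default destroy()) and a filter-mapping on /*.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not from the original answers): the "which user type may open
// which pages" mapping lives in one init-param instead of in the JSP file names, so
// adding a role or renaming a page is a configuration change, not a rewrite.
public class UserTypeFilter implements Filter {

    // URL prefix -> user types allowed under it, checked in declaration order
    private final Map<String, List<String>> rules = new LinkedHashMap<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // constructed sample value: "/sys/=sys;/admin/=admin,sys;/user/=user,admin,sys"
        String raw = config.getInitParameter("rules");
        if (raw == null) {
            throw new ServletException("UserTypeFilter needs a 'rules' init-param");
        }
        for (String rule : raw.split(";")) {
            String[] kv = rule.split("=", 2);
            rules.put(kv[0].trim(), Arrays.asList(kv[1].trim().split("\\s*,\\s*")));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // path below the context root, e.g. "/sys/createUser.jsp"
        String path = request.getRequestURI().substring(request.getContextPath().length());
        HttpSession session = request.getSession(false);
        Object userType = session == null ? null : session.getAttribute("usertype");
        for (Map.Entry<String, List<String>> rule : rules.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                if (userType == null || !rule.getValue().contains(userType)) {
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;   // protected page, wrong or absent user type: fail closed
                }
                break;        // first matching prefix decides
            }
        }
        chain.doFilter(req, res);
    }
}
```

The standard equivalent the answer points to is a security-constraint per URL pattern in web.xml with container-managed roles, which needs no code at all.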

JSP/Spring MVC application

I am writing a web application using JSP/Spring MVC and would need to customize the UI based on the customer using it. I would need to hide/show certain sections of the screen, hide/show certain labels and their text boxes, and also modify labels based on different customers. Currently we are controlling the hide/show in the JSPs by elements and divs based on the logged-in customer. For example:
    <c:choose>
        <c:when test="${customer == 'A'}">
            ... show this ...
        </c:when>
        <c:otherwise>
            ... hide this ...
        </c:otherwise>
    </c:choose>
The code gets cluttered and the JSP will get bloated as we add more customers.
Another alternative I have thought of is to split a page into sections and control the sections in the same way, but it might end up in code repetition across the JSPs.
For example
    <c:choose>
        <c:when test="${customer == 'A'}">
            <jsp:include page="headerA.jsp" />
        </c:when>
        <c:otherwise>
            <jsp:include page="genericheader.jsp" />
        </c:otherwise>
    </c:choose>
Another alternative would be to write different JSPs and route based on the client.
Is there a better way to handle this kind of situation? Can someone suggest the best practices to implement such a solution?
Thanks.
A UI that chooses what to do for each user can't possibly scale beyond your users A and B. You need a role-based authentication and authorization system.
Since you're already using Spring, I'd recommend looking at Spring Security and its role based capabilities. There are tags that can help you.
Another way to look at it is that role-based logic like this does not belong in tags. I'd recommend putting it in controllers and let them assemble pages for you.
Another possibility is something like SiteMesh, which allows you to create composite views.
One more: jQuery was born to manipulate the DOM. Use it along with CSS.
First, it should be based on role and not on customer, and each customer will have a certain role. It may be possible that many customers will have the same role, screen access and UI.
Based on role, you can use Spring Security for authentication and authorization.
If you need to use Layout differently as per customer role, preferably you should use some Layout Manager such as Tiles, SiteMesh etc.
or use portlets for different login views to different customers
You just stated if person A logs in from one store, vs person B logs in from another. Hate to say it, but that's a role, no matter how you want to spin it, this is related to user authorization.
In terms of how you want to implement it, you could do a variety of things. You could intercept the login request and set a session variable which prepends a string to determine the correct view (i.e. when user A logs in you get customerA, vs. customerB, so when rendering the view you'd retrieve the value and render "customerA/index" vs. "customerB/index", etc.).
You could also determine the person's roles within the controller and render the appropriate view, although this couples your user roles to your controller logic, which wouldn't be recommended in my opinion.
If this app is going to have a lot of different backends, I'd recommend portlets that way you can write a new backend for each app, rather than bloating your web application with every new store backend.
Those are just a couple ways, hope this helps.
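An added example (not from the answers) of the controller-side variant: Spring Security roles are turned into UI feature names once, in a @ControllerAdvice, so the JSPs test a feature flag instead of the customer name. The role and feature names are constructed.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ModelAttribute;

// Hypothetical advice (not from the original answers): the controller layer maps the
// user's Spring Security roles to a set of UI feature names once, so every JSP only
// asks "is feature X enabled?" and never compares customer names itself.
@ControllerAdvice
public class UiFeaturesAdvice {

    @ModelAttribute("uiFeatures")
    public Set<String> uiFeatures() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return Collections.emptySet();      // anonymous: nothing optional is shown
        }
        Set<String> features = new LinkedHashSet<>();
        for (GrantedAuthority authority : auth.getAuthorities()) {
            switch (authority.getAuthority()) {  // constructed role names
                case "ROLE_STORE_MANAGER":
                    features.add("inventoryPanel");
                    features.add("reportsSection");
                    break;
                case "ROLE_CASHIER":
                    features.add("discountField");
                    break;
                case "ROLE_PREMIUM_CUSTOMER":
                    features.add("loyaltyHeader");
                    break;
                default:
                    break;                      // unknown role grants nothing (fail closed)
            }
        }
        return features;
    }
}
```

In a JSP this becomes `<c:if test="${uiFeatures.contains('reportsSection')}">...</c:if>` (EL 2.2 for the method call), or Spring Security's `<sec:authorize access="hasRole('STORE_MANAGER')">` tag for a one-off check.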

How to implement ACL using Apache Wicket?

I'm currently validating 3 times. For example, the delete link is only allowed to super users. So I'm validating 3 times.
1 - In the constructor (redirect)
2 - In the Wicket link construction (set link to false)
3 - In the onClick (return)
I feel like an idiot validating 3 times. There should be something I can use to implement security in my Wicket application.
You can enable components depending on the role a certain user has. For this you have to
- implement your own authorization strategy and
- annotate your components according to which role is allowed which action.
A sample for this approach can be found here.
Use Wicket-Auth-Roles.
You need to implement your own AuthenticatedWebSession and add annotations to your components.
The following tutorial contains links to examples and how to integrate it:
https://www.google.de/search?sourceid=chrome&ie=UTF-8&q=wicket-security
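An added example of the Wicket-Auth-Roles setup (not from the answers; Wicket 6/7 API): the session owns the roles, and the delete link from the question carries a single @AuthorizeAction annotation. UserStore and the servlet-context attribute it is read from are assumptions; the application class must extend AuthenticatedWebApplication and return MySession from getWebSessionClass().

```java
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.authroles.authorization.strategies.role.annotations.AuthorizeAction;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.model.Model;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.Request;

interface UserStore {   // hypothetical: verifies the password, returns the role name or null
    String roleFor(String username, String password);
}

// Hypothetical Wicket-Auth-Roles session (not from the original answers; Wicket 6/7 API).
// It is the one place that knows the user's roles; a component declares the role it
// needs once, and Wicket neither renders it nor accepts a click for anyone else.
public class MySession extends AuthenticatedWebSession {
    private Roles roles = new Roles();

    public MySession(Request request) {
        super(request);
    }

    @Override
    public boolean authenticate(String username, String password) {
        // assumption: a context listener registered the store under this attribute name
        UserStore store = (UserStore) WebApplication.get().getServletContext().getAttribute("userStore");
        String role = store.roleFor(username, password);
        roles = role == null ? new Roles() : new Roles(role);   // e.g. Roles.ADMIN or Roles.USER
        return role != null;
    }
    @Override
    public Roles getRoles() {
        return isSignedIn() ? roles : new Roles();   // a signed-out session has no roles
    }
}

// The delete link from the question: this one annotation replaces the three checks in the
// constructor, at link construction and in onClick (Roles.ADMIN is the string "ADMIN").
@AuthorizeAction(action = Action.RENDER, roles = Roles.ADMIN)
class DeleteProductLink extends Link<Long> {
    DeleteProductLink(String id, Long productId) {
        super(id, Model.of(productId));
    }
    @Override
    public void onClick() {
        // assumed service call deletes product getModelObject(); non-ADMIN users never get here
        setResponsePage(getPage().getClass());
    }
}
```

Because the link is not rendered for other users, Wicket also refuses a forged request to its listener URL, so the onClick check from the question becomes unnecessary.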

prevent crossjumping in struts web application

How can I prevent a user from neglecting the normal workflow of a Struts application? For example, I have a list of products. These products have options like view, edit, whatever. If you click on edit, you will be redirected to a page like /editProductInfo.do, and there will be no problem if you go there from the list and then click edit: a bean will be created with the information of the requested product from the database.
Now if you are not logged in and try to access this page /editProductInfo.do, you will be asked to log in, and if you do so there will be a NullPointerException, because the bean that is needed to fill the form of /editProductInfo.do is not initialized or even created, because the application does not even know which product was requested.
So I want to prevent users from cross-jumping between pages which have no link to each other. Is this possible in Struts?
Thanks for advice :)
Ah, you mention Struts 1 :) We successfully used the Struts Workflow Extension for exactly that case. http://www.livinglogic.de/Struts/ It lets you define page flows and lets you react if users attempt to break these flows by reloading, entering URLs, using invalid bookmarks...
Encode the product in the URI; that way you beat both your problem and the problem of two open tabs/windows on different products...
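An added example of the second answer's advice (not from the original posts): a Struts 1 action that takes the product id from the URL, so a bookmark, a second tab or a post-login redirect all rebuild the bean, and a missing or foreign id goes back to the list instead of throwing. ProductService, the forward names and the servlet-context attribute are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Hypothetical Struts 1 action (not from the original answers). The product id travels in
// the URL (/editProductInfo.do?productId=42), so the action rebuilds the bean on every
// request instead of relying on the user having come from the list page first.
public class EditProductInfoAction extends Action {

    /** Hypothetical lookup: the product if it exists and this user may edit it, else null. */
    public interface ProductService {
        Object findEditable(long id, String username);
    }

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        // assumption: a context listener stored the service under this attribute name
        ProductService products =
                (ProductService) getServlet().getServletContext().getAttribute("productService");

        long productId;
        try {
            productId = Long.parseLong(request.getParameter("productId"));
        } catch (NumberFormatException missingOrGarbled) {
            // no usable id (bookmark, hand-typed URL, cross-jump): back to the list, no NPE
            return mapping.findForward("list");
        }

        // the container's login already ran, so getRemoteUser() is the authenticated principal
        Object product = products.findEditable(productId, request.getRemoteUser());
        if (product == null) {
            // unknown id, or a product this user may not edit: treat both alike
            return mapping.findForward("list");
        }
        request.setAttribute("productInfo", product);   // what the edit form reads
        return mapping.findForward("edit");
    }
}
```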
