Effective Page Authorization In JavaServer Faces
— Application security - the art of applications defending themselves - represents an important line of defence in an overall in-depth security strategy. Web applications that follow the Model-View-Controller (MVC) architecture can, and should, have security implemented on all three layers. Normally it's the controller component that handles page authorization in MVC, the view layer that hides controls and information based on user authorization, and the model that enforces the business rules and input validation. However, it's up to the developer, based on an individual security policy and the programming technology used, to decide where to put security. Using pluggable validator components in JavaServer Faces (JSF), for example, developers may decide to verify user input on the view layer as well as on the model layer.
I also modified the code to use a Custom Security Implementation instead of Container Managed Security. The places where I had to make changes were:
com.groundside.jsf.security.shared.J2eeSecurityObject
- Line 114: Fetched the username from a Session Attribute
- Line 242: Checked role using a custom method which internally used the rolesmap stored as a session attribute
I'll update this post once I verify that it is working :)
No comments:
Post a Comment