JSF and Security
       Çağatay Çivici
About Me
•   Apache MyFaces PMC(Project Management Committee) member
•   Co-Author of “The Definitive Guide to Apache MyFaces and Facelets” from
    APRESS
•   Reference in “Core JavaServer Faces 2nd Edition”
•   Recognized speaker in international and local conferences
•   Oracle RCF(Rich Client Framework) member
•   Krank (CRUD Framework for JSF-Spring-JPA) member
•   Sourceforge jsf-comp member
•   Spring Security(Acegi) JSF Integration author
•   JSF Chart Creator project lead
•   FacesTrace project lead
•   YUI4JSF project lead
•   FC Barcelona Fan
•   Blog: http://www.prime.com.tr/cagataycivici
•   Prime Technology - 2008
Roadmap
•   JSF and Security
•   Non-JSF Based Approaches
•   JSF Based Approaches
•   Page authorization
•   Protect ViewState
JSF and Security
• The mismatch! Security support in JSF
• JSF
  – MVC Framework
  – Component Oriented
  – Event Driven
• Security
  – Authentication
  – Authorization
JSF API
•   FacesContext.getCurrentInstance().getExternalContext().getRemoteUser()
•   FacesContext.getCurrentInstance().getExternalContext().getAuthType()
•   FacesContext.getCurrentInstance().getExternalContext().isUserInRole(String role)
•   FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal()
Approaches
• Non-JSF based
  – Container Managed Security
  – Security Filter
  – Spring Security
• JSF based
  – ViewHandler
  – PhaseListener
  – Seam Security
Container Managed Security
•   <security-constraint>
       <web-resource-collection>
         <web-resource-name>secure pages</web-resource-name>
         <url-pattern>/secure.jsf</url-pattern>
       </web-resource-collection>
       <auth-constraint>
         <role-name>admin</role-name>
       </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>

    <security-role>
       <description>Admin Role</description>
       <role-name>admin</role-name>
    </security-role>
Container Managed Security
                   The Good
     • Based on Servlet API
     • Well known
     • Fine for URL Protection

                   The Bad
     • JSF Component Security
     • JSF Login Page
     • Securing JSF Navigations
Container Managed Security
• Case study DEMO with JSF Navigation Issue
Servlet Filter
   Diagram: Request -> Security Filter -> Faces Servlet -> Response
   (the security filter sits in front of the Faces Servlet and sees every request)
Servlet Filter
                   The Good
     • Based on Servlet API
     • Well known
     • Good for URL Protection
     • Non-Faces Resources


                   The Bad

    • JSF Component Security
    • Faces APIs
    • Requires Maintenance
Spring Security

 <security:http auto-config='true'>
   <security:intercept-url pattern="/login.jsp" filters="none"/>
   <security:intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
   <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
   <security:concurrent-session-control max-sessions="1"/>
   <security:logout logout-url="/logout" logout-success-url="/"/>
 </security:http>
Spring Security
• Securing JSF Beans
    import org.springframework.security.annotation.Secured;

    public class MySecuredBackingBean {
    …
        // One role per array element; with the default affirmative voting, holding any one of them grants access
        @Secured({"ROLE_ADMIN", "ROLE_ADMINS_GIRLFRIEND"})
        public String delete() {
            //delete something
            return null;   // stay on the current view
        }
    …
    }
Spring Security
                  The Good
    • Extendable
    • Easy configuration
    • Bean security
    • ACL
    • Securing methods

                   The Bad

   • Complex for simple applications
   • Page authorization
ViewHandler
• Decorate for Security
• Integration point: createView
   import javax.faces.application.ViewHandler;
   import javax.faces.component.UIViewRoot;
   import javax.faces.context.FacesContext;

   public class SecurityViewHandler extends ViewHandler {
     private final ViewHandler base;   // the decorated handler, handed to the constructor by JSF

     public SecurityViewHandler(ViewHandler base) {
       this.base = base;
     }
   …
     public UIViewRoot createView(FacesContext facesContext, String viewId) {
       if (!userCanAccess(viewId))
          return base.createView(facesContext, "/accessDenied.jsp");
       else
          return base.createView(facesContext, viewId);
     }
   …   // the remaining ViewHandler methods delegate to base
   }
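The decorator above only guards createView. The following complete handler is an added example (not the deck's code) built on JSF 1.2's ViewHandlerWrapper; it applies the same rule in restoreView, because a postback to a protected view is restored rather than created and would otherwise skip the check. The REQUIRED_ROLE prefix map, the reuse of the deck's /accessDenied.jsp view id and the role check through ExternalContext.isUserInRole are assumptions made for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.faces.application.ViewHandler;
import javax.faces.application.ViewHandlerWrapper;
import javax.faces.component.UIViewRoot;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/**
 * Decorating view handler that authorizes a view id before the view is built or restored.
 * Example code: ViewHandlerWrapper delegates everything not overridden here to the wrapped handler.
 */
public class SecurityViewHandler extends ViewHandlerWrapper {

    private static final String ACCESS_DENIED_VIEW = "/accessDenied.jsp"; // view id used on the deck

    // Assumed policy: view-id prefix -> required container role. Longest matching prefix wins,
    // so "/admin/reports/" may require a different role than "/admin/".
    private static final Map<String, String> REQUIRED_ROLE = new LinkedHashMap<String, String>();
    static {
        REQUIRED_ROLE.put("/admin/", "admin");
        REQUIRED_ROLE.put("/secure.jsp", "admin");
    }

    private final ViewHandler wrapped;

    /** JSF passes the previously registered handler to this constructor. */
    public SecurityViewHandler(ViewHandler wrapped) {
        this.wrapped = wrapped;
    }

    @Override
    public ViewHandler getWrapped() {
        return wrapped;
    }

    /** Initial (GET) requests build a new view: authorize before building it. */
    @Override
    public UIViewRoot createView(FacesContext ctx, String viewId) {
        if (!userCanAccess(ctx, viewId)) {
            return wrapped.createView(ctx, ACCESS_DENIED_VIEW);
        }
        return wrapped.createView(ctx, viewId);
    }

    /**
     * Postbacks go through restoreView, not createView, so a check in createView alone never
     * runs for a POST to a protected view. Returning null here is not an option either: for a
     * postback the lifecycle turns a null restore into a ViewExpiredException.
     */
    @Override
    public UIViewRoot restoreView(FacesContext ctx, String viewId) {
        if (!userCanAccess(ctx, viewId)) {
            ctx.renderResponse(); // skip the remaining phases so nothing from the posted form executes
            return wrapped.createView(ctx, ACCESS_DENIED_VIEW);
        }
        return wrapped.restoreView(ctx, viewId);
    }

    /** Deny by default: unknown view id or nobody logged in means no access. */
    static boolean userCanAccess(FacesContext ctx, String viewId) {
        if (viewId == null) {
            return false;
        }
        if (viewId.equals(ACCESS_DENIED_VIEW)) {
            return true; // the denial page itself must stay reachable
        }
        String requiredRole = requiredRoleFor(viewId);
        if (requiredRole == null) {
            return true; // public view
        }
        ExternalContext ext = ctx.getExternalContext();
        return ext.getRemoteUser() != null && ext.isUserInRole(requiredRole);
    }

    /** Longest-prefix lookup in the policy map; null when the view is not protected. */
    static String requiredRoleFor(String viewId) {
        String best = null;
        int bestLen = -1;
        for (Map.Entry<String, String> e : REQUIRED_ROLE.entrySet()) {
            if (viewId.startsWith(e.getKey()) && e.getKey().length() > bestLen) {
                best = e.getValue();
                bestLen = e.getKey().length();
            }
        }
        return best;
    }
}
```

Register it under <application><view-handler> in faces-config.xml; JSF hands the previously registered handler to the constructor, which is also how a handler registered later can wrap this one and drop the check (the "possibility to be suppressed" listed below).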
ViewHandler Demo
ViewHandler
                  The Good
    • JSF Based

                  The Bad
   • Non faces resources (images, styles)
   • Possibility to be suppressed
PhaseListener
   Diagram (Faces Servlet lifecycle with the two security checks):
   Request -> Restore View -> Security Check -> Apply Request Values -> Validations
           -> Update Model -> Invoke Application -> Security Check -> Render Response -> Response
PhaseListener
 import java.io.IOException;
 import javax.faces.component.UIViewRoot;
 import javax.faces.context.FacesContext;
 import javax.faces.event.PhaseEvent;
 import javax.faces.event.PhaseId;
 import javax.faces.event.PhaseListener;
 import javax.servlet.http.HttpServletResponse;

 public class SecurityPhaseListener implements PhaseListener {
        …
        public PhaseId getPhaseId() {
            return PhaseId.ANY_PHASE;   // afterPhase filters the two phases it cares about
        }

        public void beforePhase(PhaseEvent phaseEvent) {
            // nothing to do before a phase
        }

        public void afterPhase(PhaseEvent phaseEvent) {
            PhaseId phaseId = phaseEvent.getPhaseId();
            // After Restore View: the requested view. After Invoke Application: the view navigation chose.
            if (phaseId.equals(PhaseId.RESTORE_VIEW) || phaseId.equals(PhaseId.INVOKE_APPLICATION)) {
                FacesContext facesContext = phaseEvent.getFacesContext();
                UIViewRoot viewRoot = facesContext.getViewRoot();
                String viewId = viewRoot == null ? null : viewRoot.getViewId();
                if (!canUserAccess(viewId)) {
                    HttpServletResponse response =
                        (HttpServletResponse) facesContext.getExternalContext().getResponse();
                    try {
                        response.sendRedirect("/jsfcalistay/accessDeniedPhaseListener.jsf");
                    } catch (IOException e) {
                        //send a 404
                    }
                    facesContext.responseComplete();   // stop the lifecycle whether or not the redirect was written
                }
            }
        }
        …
 }
PhaseListener Demo
PhaseListener
                  The Good
    • JSF Based

                  The Bad
   • Non faces resources (images, styles)
Seam Security
                          Components.xml
 <security:identity authenticate-method="#{authenticator.authenticate}"/>

                          Authenticate Method
                          boolean authenticate();

 <h:form>
         <h:outputLabel for="name" value="Username"/>
         <h:inputText id="name" value="#{identity.username}"/>

          <h:outputLabel for="password" value="Password"/>
          <h:inputSecret id="password" value="#{identity.password}"/>

          <h:commandButton value="Login" action="#{identity.login}"/>
 </h:form>
Seam Security
• URL Protection
• pages.xml


    <page view-id="/controlPanel.xhtml">
            <restrict>#{s:hasRole('ROLE_ADMIN')}</restrict>
    </page>
Seam Security
• Securing backing beans

   @Name("orderController")
   public class OrderController {

       @Restrict("#{s:hasRole('ROLE_ADMIN')}")
       public void deleteOrder() {
               //blabla
       }
   }
Seam Security
                    The Good
   • JSF Based
   • URL Protection
   • Controller security
   • Entity security
   • Page authorization
   • JSF login form
                    The Bad

   • Authenticate method
Page Authorization
•   Acegi-JSF Components
•   Facelets Functions
•   Seam
•   MyFaces SecurityContext
Acegi-JSF Components
• Page definition security
   <authz:authorize ifAllGranted="ROLE_SUPERVISOR,ROLE_ADMIN">
     Components that are only visible to the users that satisfy the requirements here…
     <h:commandButton value="Delete" …/>
   </authz:authorize>

• ifAllGranted
• ifAnyGranted
• ifNotGranted

   <authz:authentication operation="username"/>
Facelets Function
   import org.springframework.security.Authentication;
   import org.springframework.security.GrantedAuthority;
   import org.springframework.security.context.SecurityContextHolder;

   public static boolean isUserInRole(String roleName) {
       boolean inRole = false;
       Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
       if (authentication == null) {
           return false;   // anonymous request: no authorities to check
       }
       GrantedAuthority[] roles = authentication.getAuthorities();

       for (GrantedAuthority role : roles) {
           if (role.getAuthority().equals(roleName)) {
               inRole = true;
               break;
           }
       }
       return inRole;
   }

 <h:commandButton value="Delete" action="#{bean.delete}"
                  rendered="#{barca:isUserInRole('ROLE_ADMIN')}" />
Seam Security

 <h:commandButton
       action="#{someBackingBean.deleteSomething}"
       rendered="#{s:hasRole('ROLE_ADMIN')}" />
Seam Security

<h:dataTable value="#{orders}" var="ord">
…
 <h:column>
     <f:facet name="header">Delete</f:facet>
      <s:link value="Delete Order"
       action="#{orderController.delete}"
       rendered="#{s:hasPermission('order','delete',ord)}"/>
  </h:column>
…
</h:dataTable>
MyFaces SecurityContext
• EL extension
• Defaults to Container Managed Security
• Easy to plugin custom SecurityContextImpl
    #{securityContext.authType}
    #{securityContext.remoteUser}
    #{securityContext.ifGranted['rolename']}
    #{securityContext.ifAllGranted['rolename1,rolename2']}
    #{securityContext.ifAnyGranted['rolename1,rolename2']}
    #{securityContext.ifNotGranted['rolename1,rolename2']}

 <h:commandButton action="#{someBackingBean.deleteSomething}"
        rendered="#{securityContext.ifAllGranted['rolename1,rolename2']}" />
Custom SecurityContext
 import org.springframework.security.Authentication;
 import org.springframework.security.GrantedAuthority;
 import org.springframework.security.context.SecurityContextHolder;

 // Example bodies: back the EL checks with Spring Security, as the Facelets function above does
 public class MyAwesomeSecurityContextImpl extends SecurityContext {
   public String getAuthType() {
       return "SPRING_SECURITY";   // return my authtype as string (label chosen for this example)
   }
   public String getRemoteUser() {
       Authentication auth = SecurityContextHolder.getContext().getAuthentication();
       return auth == null ? null : auth.getName();   // return current logged in user
   }
   public boolean ifGranted(String role) {
       Authentication auth = SecurityContextHolder.getContext().getAuthentication();
       if (auth == null) return false;
       for (GrantedAuthority ga : auth.getAuthorities()) {   // check if user in the given role
           if (ga.getAuthority().equals(role)) return true;
       }
       return false;
   }
 }

 <context-param>
     <param-name>org.apache.myfaces.SECURITY_CONTEXT</param-name>
     <param-value>com.my.company.MyAwesomeSecurityContextImpl</param-value>
 </context-param>
Protect the ViewState
•   <input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState"
    value="[long base64-encoded ViewState blob omitted]" />
ViewState Encryption
• Turned on by default
• Several algorithms, default: DES
     <context-param>
          <param-name>org.apache.myfaces.secret</param-name>
          <param-value>NzY1NDMyMTA=</param-value>
     </context-param>

    <context-param>
         <param-name>org.apache.myfaces.algorithm</param-name>
         <param-value>Blowfish</param-value>
    </context-param>
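The sample secret above decodes to the eight ASCII bytes "76543210". The helper below is an added example, not MyFaces code: it generates a random base64 secret for the configured cipher and checks whether a given secret is a usable key for it. It assumes that org.apache.myfaces.secret holds the base64 encoding of the raw key bytes for the JCE cipher named in org.apache.myfaces.algorithm.

```java
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.SecretKeySpec;

/**
 * Helper for the org.apache.myfaces.secret / org.apache.myfaces.algorithm settings.
 * Assumption (example, not MyFaces code): the secret is base64 of the raw key bytes
 * for the JCE cipher name configured as the algorithm.
 */
public class ViewStateSecret {

    /** Generates a random key for the given JCE algorithm and returns it base64-encoded. */
    public static String generate(String algorithm, int keyBits) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(algorithm);
        kg.init(keyBits);   // seeded from SecureRandom
        return Base64.getEncoder().encodeToString(kg.generateKey().getEncoded());
    }

    /** Length in bits of the key a configured secret decodes to. */
    public static int keyBits(String base64Secret) {
        return Base64.getDecoder().decode(base64Secret).length * 8;
    }

    /** True if the named cipher accepts the decoded secret as a key (right size, known algorithm). */
    public static boolean isUsableWith(String base64Secret, String algorithm) {
        try {
            byte[] raw = Base64.getDecoder().decode(base64Secret);
            Cipher c = Cipher.getInstance(algorithm);
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(raw, algorithm));
            return true;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;   // wrong key size, unknown cipher, or malformed base64
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // The deck's sample value: base64 of the ASCII text "76543210", an 8-byte (64-bit) DES key
        String sample = "NzY1NDMyMTA=";
        System.out.println("sample key bits: " + keyBits(sample));
        System.out.println("sample usable with DES: " + isUsableWith(sample, "DES"));

        // A short, printable, sequential string is guessable; generate a random key instead.
        // 128 bits is a valid Blowfish key size for the Blowfish setting shown above.
        String blowfish = generate("Blowfish", 128);
        System.out.println("Blowfish secret for <param-value>: " + blowfish);
        System.out.println("usable with Blowfish: " + isUsableWith(blowfish, "Blowfish"));
    }
}
```

Encrypting the state hides its content but does not by itself detect a tampered ViewState; later MyFaces releases can additionally MAC the state (org.apache.myfaces.MAC_SECRET), and both secrets belong in deployment configuration rather than a committed web.xml.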
The End
• cagatay@apache.org
• http://www.prime.com.tr/cagataycivici
• PlayStation3 online id: facescontext
