Checking Access Rights for a JSF Page

In an application with role-based access it is common practice to hide
menu options that navigate to pages the current user is not allowed to see.



When using JSF, a good way to implement this is the open source security project
created by Duncan Mills. Alternatively, you can take a look at the
custom solution implemented in the Oracle SR Demo (install through
JDeveloper -> Check for Updates).



Both techniques can only hide or disable menu options, buttons and
other user interface components. They do not prevent access to
unauthorized pages by editing the URL ("URL hacking"). For example,
if you run the SR Demo and log in as dfaviet, a user with the customer
role, you do not see the Management tab. However, if you then change
the browser URL to .../SRDemoADFBC/faces/app/management/SRManage.jspx you reach the management page without any check.



JHeadstart uses a simple technique to prevent illegal access to JSF
pages. The technique can also be used in non-JHeadstart applications,
provided that you use the ADF data binding layer, because the check hangs
off the page definition of the page. We will demonstrate the technique
by protecting the SRManage.jspx page of the SRDemo.



The trick is to use the parameter element of the page definition. Open the app_management_SRManagePageDef page definition. You can
add a parameter by going to the Structure pane of the page
definition, right-clicking parameters and choosing Insert inside parameters => parameter. A dialog pops up in which you can enter an id and a value.

Enter roles as the value of the id property and #{userInfo.manager} as the value of the value property. The expression is evaluated on the server for the logged-in user, so the client cannot influence its outcome. Your page definition XML should now look like this:



  <?xml version="1.0" encoding="UTF-8" ?>
  <pageDefinition xmlns="http://xmlns.oracle.com/adfm/uimodel"
                  version="10.1.3.35.83" id="app_management_SRManagePageDef"
                  Package="oracle.srdemo.view.pageDefs">
    <parameters>
      <parameter id="roles" value="#{userInfo.manager}"/>
    </parameters>
    .....



Now, the last step is to add code to the page lifecycle class that
evaluates the roles expression and refuses the request when the expression
does not evaluate to true. This is surprisingly simple. Add the following
method to the SRDemoPageLifecycle class (the imports it needs are listed as
well; JSFUtils is the SRDemo helper class that wraps FacesContext.getCurrentInstance(),
so import it from its own package in the project):

  import java.io.IOException;
  import javax.servlet.http.HttpServletResponse;
  import oracle.adf.controller.v2.context.LifecycleContext;
  import oracle.adf.model.binding.DCBindingContainer;
  import oracle.adf.model.binding.DCParameter;

  /**
   * Refuses the request with HTTP 403 when the page definition declares a
   * "roles" parameter whose expression does not evaluate to true.
   */
  protected void checkRoles(LifecycleContext ctx)
  {
    DCBindingContainer container = (DCBindingContainer) ctx.getBindingContainer();
    if (container == null)
    {
      return; // the page has no page definition, so there is nothing to evaluate
    }
    DCParameter rolesParam = container.findParameter("roles");
    if (rolesParam != null)
    {
      // getValue() evaluates the EL expression, here #{userInfo.manager}.
      // Anything other than Boolean.TRUE (including null when nobody is
      // logged in) denies access instead of throwing a NullPointerException.
      if (!Boolean.TRUE.equals(rolesParam.getValue()))
      {
        HttpServletResponse response = (HttpServletResponse)
          JSFUtils.getFacesContext().getExternalContext().getResponse();
        try
        {
          response.sendError(HttpServletResponse.SC_FORBIDDEN,
                             "You have insufficient privileges for the requested page");
        }
        catch (IOException e)
        {
          // the client has gone away; there is nothing left to send
        }
        // The 403 is committed: tell JSF the response is finished so the
        // protected page is not rendered on top of it.
        JSFUtils.getFacesContext().responseComplete();
      }
    }
  }

  /** Run the check before any iterator binding of the page is executed. */
  public void prepareModel(LifecycleContext ctx)
  {
    checkRoles(ctx);
    // Only continue when neither deny path has ended or short-circuited the request.
    if (!JSFUtils.getFacesContext().getResponseComplete()
        && !JSFUtils.getFacesContext().getRenderResponse())
    {
      super.prepareModel(ctx);
    }
  }

Call checkRoles() as the first statement in prepareModel(), as shown above, so
that the check runs before the iterators of the page definition are executed
and before anything is rendered. That's all. Keep in mind that the check is
only applied to pages whose page definition declares a roles parameter: a page
without it remains reachable by everyone, so every page that must be protected
needs the parameter.

Instead of sending SC_FORBIDDEN to the browser, you can also add a global
"AccessDenied" navigation case to your faces-config.xml that navigates to a
custom error page. To do this, replace the block from the HttpServletResponse
lookup through the responseComplete() call with the following code, which
selects the error view and then skips the remaining lifecycle phases so that
it is rendered:

  import javax.faces.application.NavigationHandler;

  NavigationHandler navHandler =
    JSFUtils.getFacesContext().getApplication().getNavigationHandler();
  // null action: this is a global navigation case, not tied to a button
  navHandler.handleNavigation(JSFUtils.getFacesContext(), null, "AccessDenied");
  JSFUtils.getFacesContext().renderResponse();
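As an added example (this is not code from the original post, from JHeadstart or from the SRDemo), the following page lifecycle class generalizes the technique beyond a single boolean expression: the roles parameter may hold either a boolean EL expression such as #{userInfo.manager} or a comma-separated list of container roles such as manager,admin, which are checked with the standard JSF ExternalContext.isUserInRole(). Every unrecognised value (null, an empty string, an unexpected type) denies, and the decision is kept in a static method so it can be unit-tested without a running container. The class name SecuredPageLifecycle, the RoleChecker interface and the role names are assumptions; the base class FacesPageLifecycle and the package names follow ADF 10.1.3 and should be checked against the ADF version you use.

```java
import java.io.IOException;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletResponse;

import oracle.adf.controller.faces.lifecycle.FacesPageLifecycle;
import oracle.adf.controller.v2.context.LifecycleContext;
import oracle.adf.model.binding.DCBindingContainer;
import oracle.adf.model.binding.DCParameter;

/**
 * Added example (not from the original post or the SRDemo): a page lifecycle
 * that enforces a "roles" page-definition parameter and fails closed on any
 * value it does not understand. Class and interface names are assumptions.
 */
public class SecuredPageLifecycle extends FacesPageLifecycle {

    /** Name of the page-definition parameter that carries the access rule. */
    public static final String ROLES_PARAM = "roles";

    /** Abstracts the container's role check so the decision can be unit-tested. */
    public interface RoleChecker {
        boolean isUserInRole(String role);
    }

    /**
     * Decides whether the resolved parameter value grants access.
     * Accepted forms: a Boolean (result of an EL expression such as
     * #{userInfo.manager}) or a comma-separated list of container roles, of
     * which the user needs at least one. null, empty and unknown types deny.
     */
    public static boolean isAccessGranted(Object paramValue, RoleChecker checker) {
        if (paramValue == null) {
            return false;
        }
        if (paramValue instanceof Boolean) {
            return ((Boolean) paramValue).booleanValue();
        }
        if (paramValue instanceof String) {
            String text = ((String) paramValue).trim();
            if ("true".equalsIgnoreCase(text)) {
                return true;
            }
            if (text.length() == 0 || "false".equalsIgnoreCase(text)) {
                return false;
            }
            for (String role : text.split(",")) {
                String r = role.trim();
                if (r.length() > 0 && checker.isUserInRole(r)) {
                    return true;
                }
            }
            return false;
        }
        return false; // unexpected type: deny rather than guess
    }

    @Override
    public void prepareModel(LifecycleContext ctx) {
        if (!checkRoles(ctx)) {
            return; // denied: do not execute the page's iterator bindings
        }
        super.prepareModel(ctx);
    }

    /** Returns true when the request may proceed; otherwise sends 403 and ends the response. */
    protected boolean checkRoles(LifecycleContext ctx) {
        DCBindingContainer container = (DCBindingContainer) ctx.getBindingContainer();
        if (container == null) {
            return true; // no page definition, nothing to evaluate
        }
        DCParameter rolesParam = container.findParameter(ROLES_PARAM);
        if (rolesParam == null) {
            return true; // unprotected page: add a roles parameter to protect it
        }
        final FacesContext fc = FacesContext.getCurrentInstance();
        final ExternalContext ec = fc.getExternalContext();
        RoleChecker containerRoles = new RoleChecker() {
            public boolean isUserInRole(String role) {
                return ec.isUserInRole(role); // standard JSF role check
            }
        };
        if (isAccessGranted(rolesParam.getValue(), containerRoles)) {
            return true;
        }
        HttpServletResponse response = (HttpServletResponse) ec.getResponse();
        try {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "You have insufficient privileges for the requested page");
        } catch (IOException e) {
            // the client has gone away; nothing left to send
        }
        fc.responseComplete(); // the 403 is the whole response; render nothing else
        return false;
    }
}
```

With this class a page definition can declare either <parameter id="roles" value="#{userInfo.manager}"/> or <parameter id="roles" value="manager,admin"/>. Register it the way the ADF 10.1.3 developer guide describes for a custom page lifecycle (an ADFPhaseListener subclass whose createPageLifecycle() returns it, declared as a phase-listener in faces-config.xml). Like the original technique, it leaves page definitions without a roles parameter open, so it complements rather than replaces a servlet security-constraint in web.xml on the protected URL pattern.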



As you see, the page definition parameter element is quite handy for
configuring generic code in the page lifecycle class. We will shortly
post other techniques that also rely on the parameter element. Stay
tuned!


Comments:

And what is the name of the library where the class oracle.adf.controller.v2.context.LifecycleContext is situated?

Posted by Andrey on April 04, 2008 at 12:27 AM PDT #

adf-controller.jar, located in <jdev_home>/adfc/lib/adf-controller.jar.

Steven Davelaar.

Posted by Steven Davelaar on April 06, 2008 at 08:37 PM PDT #

About

Java EE Consultants - JHeadstart, ADF, JSF
