Java JSF 身份验证和授权
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1187949/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
JSF authentication and authorization
提问by Zecrates
What is the best way to go about implementing authentication and authorization for a JSF web application? Preferrably I'd still want to use container-based security, as I need to call EJBs that require the principal.
为 JSF Web 应用程序实现身份验证和授权的最佳方法是什么?最好我仍然想使用基于容器的安全性,因为我需要调用需要主体的 EJB。
I realize form-based authentication is a major struggle with JSF, but can I perhaps use a PhaseListener or something similar together with programmatic logon to authenticate the user?
我意识到基于表单的身份验证是 JSF 的一大难题,但是我是否可以使用 PhaseListener 或类似的东西与编程登录一起来验证用户?
Any other methods I should rather have a look at?
我应该看看其他任何方法吗?
回答by David Rabinowitz
You can use the Spring Security framework, see instructions here http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/
您可以使用 Spring Security 框架,请参阅此处的说明http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/
回答by Tiger
Try to check out the blog for using JAAS with JSF.This is the example of how to deploy the JAAS with JSF for authentication and authorization.
尝试查看将 JAAS 与 JSF 结合使用的博客。这是如何使用 JSF 部署 JAAS 以进行身份验证和授权的示例。
I hope it helps.
我希望它有帮助。
Tiger
老虎
回答by Vineet Manohar
I use JSF Seam and have used Seam's built-in authentication and authorization and find it extremely easy to use.
我使用 JSF Seam 并使用了 Seam 的内置身份验证和授权,发现它非常易于使用。
For authentication, you simply implement 1 method, public boolean login(String username, a String password) { ... }and returns boolean. Then you can mark pages as "login-required" and seam takes care of the rest.
对于身份验证,您只需实现 1 个方法,public boolean login(String username, a String password) { ... }并返回布尔值。然后您可以将页面标记为“需要登录”,seam 负责其余的工作。
For authorization, Seam gives you a @RestrictAnnotation that you can put on your Controller or Service methods and again, Seam takes care of the rest.
对于授权,Seam 会给你一个@Restrict注解,你可以把它放在你的 Controller 或 Service 方法上,同样,Seam 会处理剩下的事情。
Advanced authorization: You can also handle more advanced authorization with Seamwhere roles are dynamic - e.g. in a bulletin board you are "author" of some posts, but "reader" or other posts, by simply delegating your @Restrict annotation to a Java method.
高级授权:您还可以使用 Seam处理更高级的授权,其中角色是动态的 - 例如,在公告板中,您是某些帖子的“作者”,但是“读者”或其他帖子,只需将您的 @Restrict 注释委托给 Java 方法.
I would encourage you to take a look at Seam. Seam is just a layer on top of JSF so technically you would still be running on JSF . If for some reason you cannot use Seam, maybe you can borrow some ideas from how Seam handles Authorization and Authentication in JSF.
我鼓励你看看Seam。Seam 只是 JSF 之上的一层,因此从技术上讲,您仍然会在 JSF 上运行。如果由于某种原因你不能使用Seam,也许你可以借鉴Seam 在JSF 中如何处理授权和认证的一些想法。
回答by mjn
You could use the Servlet 3.0 HttpServletRequest API as shown in this answer to a JSF 2.0 question:
您可以使用 Servlet 3.0 HttpServletRequest API,如对 JSF 2.0 问题的回答所示:
