JSF and Security
       Çağatay Çivici
1. JSF and Security
   Çağatay Çivici
2. About Me
• Apache MyFaces PMC (Project Management Committee) member
• Co-author of "The Definitive Guide to Apache MyFaces and Facelets" from Apress
• Reference in "Core JavaServer Faces, 2nd Edition"
• Recognized speaker at international and local conferences
• Oracle RCF (Rich Client Framework) member
• Krank (CRUD framework for JSF-Spring-JPA) member
• SourceForge jsf-comp member
• Spring Security (Acegi) JSF integration author
• JSF Chart Creator project lead
• FacesTrace project lead
• YUI4JSF project lead
• FC Barcelona fan
• Blog: http://www.prime.com.tr/cagataycivici
• Prime Technology - 2008
3. Roadmap
• JSF and Security
• Non-JSF based approaches
• JSF based approaches
• Page authorization
• Protect ViewState
4. JSF and Security
• The mismatch! Security support in JSF
• JSF
  – MVC framework
  – Component oriented
  – Event driven
• Security
  – Authentication
  – Authorization
5. JSF API
• FacesContext.getCurrentInstance().getExternalContext().getRemoteUser()
• FacesContext.getCurrentInstance().getExternalContext().getAuthType()
• FacesContext.getCurrentInstance().getExternalContext().isUserInRole(String role)
• FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal()
6. Approaches
• Non-JSF based
  – Container managed security
  – Security filter
  – Spring Security
• JSF based
  – ViewHandler
  – PhaseListener
  – Seam Security
7. Container Managed Security
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>secure pages</web-resource-name>
       <url-pattern>/secure.jsf</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>admin</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
     <auth-method>FORM</auth-method>
     <realm-name>myrealm</realm-name>
   </login-config>
   <security-role>
     <description>Admin Role</description>
     <role-name>admin</role-name>
   </security-role>
8. Container Managed Security
   The Good
   • Based on Servlet API
   • Well known
   • Fine for URL protection
   The Bad
   • JSF component security
   • JSF login page
   • Securing JSF navigations
9. Container Managed Security
• Case study: DEMO of the JSF navigation issue
10. Servlet Filter
   Diagram: Request → Security Filter → Faces Servlet → Response
11. Servlet Filter
   The Good
   • Based on Servlet API
   • Well known
   • Good for URL protection
   • Non-Faces resources
   The Bad
   • JSF component security
   • Faces APIs
   • Requires maintenance
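The security filter of slides 10 and 11, written out as an added example (this is not code from the presentation). It is a plain Servlet API filter that sits in front of the Faces Servlet, protects URL prefixes by role using the container's `HttpServletRequest.isUserInRole`, and lets everything else, including images and stylesheets, pass through. The class name, the `/admin/` and `/secure/` prefixes, the role names and the `/login.jsf` and `/accessDenied.jsf` targets are assumptions made for the illustration.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: a security filter mapped to /* in web.xml so that it runs in
// front of the Faces Servlet. Path prefixes, role names, /login.jsf and
// /accessDenied.jsf are assumptions made for this illustration.
public class SecurityFilter implements Filter {

    // path prefix -> role required for it; checked in insertion order, first match wins
    private final Map<String, String> rules = new LinkedHashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        rules.put("/admin/", "admin");
        rules.put("/secure/", "user");
        // anything else (including images and stylesheets) is public
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Use the path inside the web application (servlet path + path info), which the
        // container has already normalised, rather than the raw request URI.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }

        String requiredRole = requiredRoleFor(path);
        if (requiredRole == null || request.isUserInRole(requiredRole)) {
            // public resource or sufficiently privileged user: continue to the Faces Servlet
            chain.doFilter(request, response);
        } else if (request.getUserPrincipal() == null) {
            // nobody is logged in: send to the login page
            response.sendRedirect(request.getContextPath() + "/login.jsf");
        } else {
            // logged in but missing the role: access denied
            response.sendRedirect(request.getContextPath() + "/accessDenied.jsf");
        }
    }

    // Returns the role a path requires, or null when the path is public.
    String requiredRoleFor(String path) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return null;
    }

    public void destroy() {
    }
}
```

Register it in web.xml with a `<filter-mapping>` whose `<url-pattern>` is `/*` so it is consulted before the Faces Servlet. Because the filter decides on the request URL only, it knows nothing about components or about a view that JSF navigates to server-side within the same request; that is the "JSF component security" and "Faces APIs" weakness the slide lists, and the reason the JSF based approaches that follow hook into the framework instead.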
12. Spring Security
   <security:http auto-config='true'>
     <security:intercept-url pattern="/login.jsp" filters="none"/>
     <security:intercept-url pattern="/admin/*" access="ROLE_ADMIN" />
     <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
     <security:concurrent-session-control max-sessions="1"/>
     <security:logout logout-url="/logout" logout-success-url="/"/>
   </security:http>
13. Spring Security
• Securing JSF beans
   public class MySecuredBackingBean {
       // …
       @Secured({"ROLE_ADMIN", "ROLE_ADMINS_GIRLFRIEND"})
       public String delete() {
           // delete something
           return null;   // stay on the current view
       }
       // …
   }
14. Spring Security
   The Good
   • Extendable
   • Easy configuration
   • Bean security
   • ACL
   • Securing methods
   The Bad
   • Complex for simple applications
   • Page authorization
15. ViewHandler
• Decorate for security
• Integration point: createView
   public class SecurityViewHandler extends ViewHandler {
       private final ViewHandler base;   // the decorated handler, passed in by JSF

       public SecurityViewHandler(ViewHandler base) {
           this.base = base;
       }
       // …
       public UIViewRoot createView(FacesContext facesContext, String viewId) {
           if (!userCanAccess(viewId))
               return base.createView(facesContext, "/accessDenied.jsp");
           else
               return base.createView(facesContext, viewId);
       }
       // … (the remaining ViewHandler methods delegate to base)
   }
16. ViewHandler Demo
17. ViewHandler
   The Good
   • JSF based
   The Bad
   • Non-Faces resources (images, styles)
   • Possibility to be suppressed
18. PhaseListener
   Diagram: the Faces Servlet lifecycle with a security check after two phases
   Request → Restore View → [Security Check] → Apply Request Values → Validations → Update Model → Invoke Application → [Security Check] → Render Response → Response
19. PhaseListener
   public class SecurityPhaseListener implements PhaseListener {
       // …
       public void afterPhase(PhaseEvent phaseEvent) {
           PhaseId phaseId = phaseEvent.getPhaseId();
           if (phaseId.equals(PhaseId.RESTORE_VIEW) || phaseId.equals(PhaseId.INVOKE_APPLICATION)) {
               String viewId = phaseEvent.getFacesContext().getViewRoot().getViewId();
               if (!canUserAccess(viewId)) {
                   HttpServletResponse response = (HttpServletResponse)
                       phaseEvent.getFacesContext().getExternalContext().getResponse();
                   try {
                       response.sendRedirect("/jsfcalistay/accessDeniedPhaseListener.jsf");
                       phaseEvent.getFacesContext().responseComplete();
                   } catch (IOException e) {
                       // send a 404
                   }
               }
           }
       }

       public void beforePhase(PhaseEvent phaseEvent) {
           // nothing to do before a phase
       }

       public PhaseId getPhaseId() {
           return PhaseId.ANY_PHASE;   // listen to every phase; afterPhase filters the two it cares about
       }
       // …
   }
20. PhaseListener Demo
21. PhaseListener
   The Good
   • JSF based
   The Bad
   • Non-Faces resources (images, styles)
22. Seam Security
• components.xml
   <security:identity authenticate-method="#{authenticator.authenticate}"/>
• Authenticate method: boolean authenticate();
• Login form
   <h:form>
     <h:outputLabel for="name" value="Username"/>
     <h:inputText id="name" value="#{identity.username}"/>
     <h:outputLabel for="password" value="Password"/>
     <h:inputSecret id="password" value="#{identity.password}"/>
     <h:commandButton value="Login" action="#{identity.login}"/>
   </h:form>
23. Seam Security
• URL protection
• pages.xml
   <page view-id="/controlPanel.xhtml">
     <restrict>#{s:hasRole('ROLE_ADMIN')}</restrict>
   </page>
24. Seam Security
• Securing backing beans
   @Name("orderController")
   public class OrderController {
       @Restrict("#{s:hasRole('ROLE_ADMIN')}")
       public void deleteOrder() {
           // blabla
       }
   }
25. Seam Security
   The Good
   • JSF based
   • URL protection
   • Controller security
   • Entity security
   • Page authorization
   • JSF login form
   The Bad
   • Authenticate method
26. Page Authorization
• Acegi-JSF components
• Facelets functions
• Seam
• MyFaces SecurityContext
27. Acegi-JSF Components
• Page definition security
   <authz:authorize ifAllGranted="ROLE_SUPERVISOR,ROLE_ADMIN">
     Components that are only visible to the users that satisfy the requirements here…
     <h:commandButton value="Delete" …/>
   </authz:authorize>
• ifAllGranted
• ifAnyGranted
• ifNotGranted
   <authz:authentication operation="username"/>
28. Facelets Function
   // Spring Security 2.0 packages; Acegi (1.x) used org.acegisecurity.* for the same types
   import org.springframework.security.Authentication;
   import org.springframework.security.GrantedAuthority;
   import org.springframework.security.context.SecurityContextHolder;

   // static method exposed to pages as the Facelets function barca:isUserInRole
   public static boolean isUserInRole(String roleName) {
       boolean inRole = false;
       Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
       if (authentication == null) {
           return false;   // no authenticated user bound to this request
       }
       GrantedAuthority[] roles = authentication.getAuthorities();
       for (GrantedAuthority role : roles) {
           if (role.getAuthority().equals(roleName)) {
               inRole = true;
               break;
           }
       }
       return inRole;
   }

   <h:commandButton value="Delete" action="#{bean.delete}"
                    rendered="#{barca:isUserInRole('ROLE_ADMIN')}" />
29. Seam Security
   <h:commandButton action="#{someBackingBean.deleteSomething}"
                    rendered="#{s:hasRole('ROLE_ADMIN')}" />
30. Seam Security
   <h:dataTable value="#{orders}" var="ord">
     …
     <h:column>
       <f:facet name="header">Delete</f:facet>
       <s:link value="Delete Order" action="#{orderController.delete}"
               rendered="#{s:hasPermission('order','delete',ord)}"/>
     </h:column>
     …
   </h:dataTable>
31. MyFaces SecurityContext
• EL extension
• Defaults to container managed security
• Easy to plug in a custom SecurityContextImpl
   #{securityContext.authType}
   #{securityContext.remoteUser}
   #{securityContext.ifGranted['rolename']}
   #{securityContext.ifAllGranted['rolename1,rolename2']}
   #{securityContext.ifAnyGranted['rolename1,rolename2']}
   #{securityContext.ifNotGranted['rolename1,rolename2']}

   <h:commandButton action="#{someBackingBean.deleteSomething}"
                    rendered="#{securityContext.ifAllGranted['rolename1,rolename2']}" />
32. Custom SecurityContext
   // The bodies below delegate to the container, which is what the default
   // implementation does; a custom implementation replaces these three lookups
   // with its own source of authentication type, user name and roles.
   public class MyAwesomeSecurityContextImpl extends SecurityContext {
       public String getAuthType() {
           // return my authtype as string
           return FacesContext.getCurrentInstance().getExternalContext().getAuthType();
       }
       public String getRemoteUser() {
           // return current logged in user
           return FacesContext.getCurrentInstance().getExternalContext().getRemoteUser();
       }
       public boolean ifGranted(String role) {
           // check if user in the given role
           return FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role);
       }
   }
   <context-param>
     <param-name>org.apache.myfaces.SECURITY_CONTEXT</param-name>
     <param-value>com.my.company.MyAwesomeSecurityContextImpl</param-value>
   </context-param>
33. Protect the ViewState
   <input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="cjnoN2li7kqi8Z2WbOa811eyyZ3UHh2K56Gg6gQszNDFicizAEsfAahhbsLly/n77sA5+Qfp3HR/nuDxQ62wnmwBjJ4RAKf4R++/cXW/6+iBp3BCjEJEyaYamWpbwrEaff4JIBH95NBpeV+NxAA/ajo21eqj2HB6LsUfA/jOjGVoNhvb/wEbUdAhW7q64qj0QUFLKoKLxmP1y4ZE2Offr5SFQZBOOJDgQ219TiC2mMmOGpYJkyda5gf8fSBzHIjTJtMpkoPyBhuBp3BCjEJEyXJRPvnqCGSDcCbEtYQi9lx7B74ivhUaCnn2c0Jf33AWzMZafd4RNF495qXRBsegWA0ZGpQWr/pe/hNJf2fEUOCwfNk/xPZNlKz8QmN0iarCTQTGXQUZh8aZKX3uFxSPynZ5nz1be+hzqZ5HcMBKR6zG++byQ1lmXPvJOwLEzGZ2gJBkPY95iKWXqkldrEj87AtO0GvWKkE+V46kbWZ2hpmETVQZzkdqLi0j6nW5LnDfXfT9GCUNswqgMEhjknsobneBwGULiZ7ix43qkMIXlJ0YYESCRkdc57DY5lYzQY/W26Dxt8JGgGwkj9LAbJs03bMPAahnWEpxeeseC4TvtW809acOZjXJ/3O3at/Mdqyu14mxtt2t5e5DSNLmAqgXXSHmUGEYznwQOS9KyLsBTpFUYDQe0MDREW1NzChacqWBkD10DopxLJ+HDAEuD85bV/iYHJz3NQlzSPJwaGEbp8PlbVVn/YdMtV/elpZmX34kj/rC1o0CiAc68+VrTHIPwhs4q8DYvcQTEgB+6hgWx5G6TkwrRhb9m0B98DSaU3Lxdu7UJaXOafbaEjXSEyWiD8ZW0PywLECX1UtWwQ3lxKXXibG23a3l7kNI0uYCqBddi6ETJipf4L/lvDjBDcQHeUBdU2Kl/sQnpJU+kqlHNe+0j0ilVnF04Q5OFWpmZIp1dso7ZLgQbkpUG/7K5RR0CtfzUc+sJzIQZmV4/1DwdqXjG2z3+VQNWgP0yz9PbwB2YzeJki6CbMuNWrW5Yo8MwLtBaF2HGEB7MR6SP0wx4IoA28lSdx2HsSThYKP/O8kW3qyokVzYupYWNcHddqlK6Nu2bzFICQ2DtbnzrTFOD/MPRsM45Xce4hXQ7D23T9BaBsIhHCyErpSfr+veeLLUqr6AqodKRwOCiyWPOPLoenvrsH388cbZqcv3W1RIgOM5YAqfgzrbNbZcxtA9fFGskT+VNArlJp7MY2ZtORGP/z4apxqvV+IJXwOdOtK6xuHH3e+QjOSqc/GOxadVsmET+jLv72lP+tN9Du3Rn9EkkRUgl/bNuabOAZaDtacU2qTh/fKtiHZe6gEyqz2XwH2dIdSbemJc0889xiBEZqBgOESYQ22cVFOOxNTwHxlat63brvaxQdx0wSYsFlYHTMwo/qVs49VhOu2DHokq5xNbrZ//rpVt3XMqe+X5yD30S2vur+xawTZjTYlmSorxONvTwvjFLiftnMe9ieA2XcRf2Qbws+smPawkBKEtAOXiiLAp3hIb33FrYxDYVoEChnmQc+DMzxNlOw3zaJMykZRn6oy0AomUxUdxI2kGlCVOHejxQnBDvmj6XAsYSzlrbJN+FidIfTYpkV3e0cDIW8rHsiTatBZWL3zmu0YI1JyLAVQw8+a0n/+1yAVCT6J+NhfDo6UdiC9Ilyws7TtDXQhssR3qoh9x17Nxlif/LOBU817V6Ip/Y+eyLjYgs/fnEaxgdeW8OMENxAd5cqlB1zDTb+dUn6Vk/yis6RGMAX1UAVou7uRDmYV0TtZKFttVdlyTjfp5Q5F0Tsj4qzw+vDTlYWbf7hrD1TosZGsbT6Mc9obUgkSsULRUr/eCRKxQtFSv94JErFC0VK/3prA0McLdt5A0fhuQAXRbLOB+tk5wheoIGO390JZB08jJAso9qbBLvdfzUc+sJzIQZmV4/1DwdqU5XLWwZnjkhp82k0VBRHmxnoTdDbCj4eWbUK6PiWsmY45zzkmNPnEkcj6dL1XByNR++RYWIXMIHvQULVqI+6gSQrrgKnOqESqFDaWpLPzgKORF9t+3+sQzXpj6O42fVIYewkG+d/LfFVC6IQuOrZIA/HSrCzJcAUhuNAc6UCH/zvVkucTURgX/mJGk1QFJZCDR3dQvrdm0gkhCZKzNWfEYpoGjAhKICqbugdxmuLZQbqW0qYiPnCeOPTHL3QbIpfoZ/GHI/z4himtRXVRLML+5NyB2zY5gCFkLE1ndMjTdMGDpmu9tJOqUsmfHADUrVXiF58GlBNEiwUL8hxxTB30vWPCSmt5ZNuML57GU98tciku9zMr9RZF042UTURw0RNvg5d3FpSVK6iuF5MRKSfkQs6zPN1m1JXj6tq4jBjWZ4l10TKWvM45qwYwB1/9Uk6wbgDeawD1AXpX/lFLKOgPz2bRzp62oQJknhKfANxS8NX6FbUoeEbq8UCvndmMVg1mRBD8AAeZ+aejfKFoACLDXlY0hy1RisbE/kMDSpxP/D+j7V/RdhJO+0eszWvJJtNPs2swsZzoK4hjt/dCWQdPI/71KpGQim5xlqjHjHY4mDGZleP9Q8Hal88oxKykFUQYDEQ3KRz675N28vIu+Rt7AybDcnlzTi+YbOKvA2L3EExIAfuoYFseRCQzwdnhDhIoZ8NDazCdYM8p2H3t46MR2rMsR+B0Q6Izbtm8xSAkNgzlihd3SqMtOVuj07dMZFhXIWaExKordOT96wcyFY3hLqImCn+z/U0SFUFoQZvLd+NN5nRpZ306hMq+VDqbwXh4IBAOYAzwHZo8jCDrfGHs7DYKb34rSHlMnPTYk1MTgY2274j9ci5o1CAQDmAM8B2ZX62EUfdC6sJpjOWqdcwBfPofXChsPp82sx//RPwgu6y9nXdc4RLxtAo64SXmcdzKJXAMTvWO3xsb75vJDWWZcbbviP1yLmjUIBAOYAzwHZrrqBsyYPolmbjgXhK2KMvrWFOtn0nQne/O3AKPReE70WiloiJgp0WZCcEO+aPpcC1eyyZ3UHh2KV/gOQ+q4Q7PBdBhadxtM+pWXQJfDPX9K3T/QjJykD7a4vEyF0rrpfH681LoX50+YgkSsULRUr/eCRKxQtFSv9589YNTYpEoSmmChJ1cujHKbQDA6ApqouhzFPZN1RXmspR2IL0iXLCxwBmf6k7hYMeqiH3HXs3GW+yfPXMCEGAHoin9j57IuNum608SbPOCr9c/wJwAXAev7xk/N7Gn0FfWRhlVfpdYSGzirwNi9xBMSAH7qGBbHkdQFKnbYQ80DjnPOSY0+cSRyPp0vVcHI1MwwOB6mohdlzFJnDPSn3W9hJzQXrQyOiVVQOut45pL+PULx/inIPznHECBqgvm5ECbe6WdfeFnfxIW5JaekPaEUbGwU6i3uqLKDHYb58r/IxlDcqoIvU7KUTRSh3NKV7m0wAtPaHaYoPIWJOpZof+SCRKxQtFSv93H9+08c8xaRmmChJ1cujHKM6oQT0D3hjZxxwQB7wM7MtSxrTlWiv+ocs46hAgrz4w==" />
34. ViewState Encryption
• Turned on by default
• Several algorithms, default: DES
   <context-param>
     <param-name>org.apache.myfaces.secret</param-name>
     <param-value>NzY1NDMyMTA=</param-value>
   </context-param>
   <context-param>
     <param-name>org.apache.myfaces.algorithm</param-name>
     <param-value>Blowfish</param-value>
   </context-param>
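An added example, not from the presentation, that checks the two context-params above before deployment: the value of `org.apache.myfaces.secret` is Base64 (the slide's `NzY1NDMyMTA=` decodes to the eight ASCII bytes `76543210`), and the decoded key has to fit the algorithm named in `org.apache.myfaces.algorithm`, or MyFaces fails at runtime when it encrypts the view state (DES needs exactly 8 bytes; Blowfish accepts 4 to 56; AES, for comparison, 16, 24 or 32). The class name, the sample state bytes and the `newSecret` helper are assumptions for the illustration; the cipher names are the standard JCE names and `java.util.Base64` needs Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example: validates a MyFaces secret/algorithm pair by round-tripping
// constructed sample bytes through the JCE cipher MyFaces would use.
public class ViewStateKeyCheck {

    // Returns true only when the Base64 secret decodes, the key length is accepted by
    // the named algorithm, and decrypt(encrypt(sample)) gives the sample back.
    public static boolean keyFitsAlgorithm(String base64Secret, String algorithm) {
        // constructed sample input standing in for a serialized view state
        byte[] sample = "constructed view state sample".getBytes(StandardCharsets.US_ASCII);
        try {
            byte[] key = Base64.getDecoder().decode(base64Secret);
            SecretKeySpec spec = new SecretKeySpec(key, algorithm);

            Cipher enc = Cipher.getInstance(algorithm);   // provider default mode and padding
            enc.init(Cipher.ENCRYPT_MODE, spec);
            byte[] ciphertext = enc.doFinal(sample);

            Cipher dec = Cipher.getInstance(algorithm);
            dec.init(Cipher.DECRYPT_MODE, spec);
            return Arrays.equals(sample, dec.doFinal(ciphertext));
        } catch (IllegalArgumentException e) {
            return false;   // secret is not valid Base64
        } catch (GeneralSecurityException e) {
            return false;   // wrong key length (InvalidKeyException) or unknown algorithm name
        }
    }

    // Produces a fresh random secret of the requested length, already Base64-encoded
    // for the context-param. Use 8 bytes for DES; Blowfish accepts 4 to 56 bytes.
    public static String newSecret(int lengthInBytes) {
        byte[] key = new byte[lengthInBytes];
        new SecureRandom().nextBytes(key);
        return Base64.getEncoder().encodeToString(key);
    }

    public static void main(String[] args) {
        String slideSecret = "NzY1NDMyMTA=";   // the slide's value, Base64 of "76543210"
        System.out.println("DES      with slide secret: " + keyFitsAlgorithm(slideSecret, "DES"));
        System.out.println("Blowfish with slide secret: " + keyFitsAlgorithm(slideSecret, "Blowfish"));
        System.out.println("AES      with slide secret: " + keyFitsAlgorithm(slideSecret, "AES"));

        String fresh = newSecret(16);
        System.out.println("generated secret: " + fresh);
        System.out.println("Blowfish with generated secret: " + keyFitsAlgorithm(fresh, "Blowfish"));
    }
}
```

Run the check as part of the build or a deployment smoke test so that a typo in the algorithm name or a key of the wrong size is caught before the first request fails. Note that the slide's secret is a readable eight-character string; a production secret should be random bytes from `SecureRandom`, as `newSecret` produces, and the secret should be treated as a credential rather than committed alongside the web.xml.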
35. The End
• cagatay@apache.org
• http://www.prime.com.tr/cagataycivici
• PlayStation3 online id: facescontext
