javaserverfaces-spec-public / JAVASERVERFACES_SPEC_PUBLIC-495

Allow access-control related JSR-250 security annotations on managed beans

    Details

    • Issuezilla Id:
      495
    • Status Whiteboard:
      cat2 javadoc size_medium importance_medium

      Description

      It would be nice to have the ability to use access-control related JSR-250
      security annotations (in the javax.annotation.security package) on managed beans
      in JSF the same way you can do it to EJB 3 (JSR-220). These annotations, which
      include @RolesAllowed, @PermitAll and @DenyAll, would be very helpful for
      programmatic access control in a finer-grained fashion (and more
      straightforward) than the use of security-constraint in web.xml on directories. While
      the javax.annotation.security annotations are allowed at both the class and
      method level in JSR-250 and EJB 3, it would be most helpful on action bound
      methods (actions and action listeners).

      Implementing the @RolesAllowed annotation check could easily be done with the
      ExternalContext.isUserInRole() method. The other implementations are trivial.
      What happens when an access-control constraint is violated is something that I
      could not get clear direction on from the JSR-250 or EJB 3 specs. This is
      something that the JSF EG needs to discuss.

      In addition to annotation support, it would be nice to have a faces-config.xml
      way for setting this kind of access control similar to the way they do it in the
      EJB 3.0 spec with the method-permission element in the deployment descriptor. In
      that case, the ejb-name child element (/method-permission/method/ejb-name) would
      best be named managed-bean-name. As in the EJB 3 spec, it would be best for the
      deployment descriptor configured access control to trump a JSR-250 annotation
      allowing a user to change access control rules in the DD without having to
      recompile the source code.

      Personally, I am not as anxious to have the JSR-250 @DeclareRoles and @RunAs
      annotations supported in the JSF spec, but it might be nice to have for testing
      purposes. These annotations also have deployment descriptor analogs in the EJB 3
      spec.
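
A sketch of the check described above, as an added example that is not code from the JSF specification, any JSF implementation, or the reporter. It assumes the JSR-250 API jar is on the classpath; `Jsr250AccessCheck` and `OrderBean` are hypothetical names, unannotated methods are treated as allowed, and the response to a denial is left to the caller because the issue leaves that open.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.function.Predicate;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/** Hypothetical helper (not part of JSF): evaluates JSR-250 access-control annotations for one method. */
public final class Jsr250AccessCheck {

    /** Returns true/false if the element carries a decision, null if it carries no annotation. */
    private static Boolean decide(AnnotatedElement e, Predicate<String> isUserInRole) {
        if (e.isAnnotationPresent(DenyAll.class)) return false;   // this example's choice: most restrictive first
        RolesAllowed ra = e.getAnnotation(RolesAllowed.class);
        if (ra != null) return Arrays.stream(ra.value()).anyMatch(isUserInRole);
        if (e.isAnnotationPresent(PermitAll.class)) return true;
        return null;
    }

    /** Method-level annotations override class-level ones; unannotated methods are allowed (assumption). */
    public static boolean isAllowed(Method m, Predicate<String> isUserInRole) {
        Boolean d = decide(m, isUserInRole);
        if (d == null) d = decide(m.getDeclaringClass(), isUserInRole);
        return d == null || d;
    }

    // Constructed sample bean standing in for a JSF managed bean.
    @RolesAllowed("user")
    public static class OrderBean {
        public String view() { return "view"; }
        @RolesAllowed({"admin", "manager"}) public String delete() { return "deleted"; }
        @PermitAll public String help() { return "help"; }
        @DenyAll public String purge() { return "purged"; }
    }

    public static void main(String[] args) throws Exception {
        // In JSF the predicate would be FacesContext.getCurrentInstance().getExternalContext()::isUserInRole
        Predicate<String> caller = "user"::equals;   // constructed caller holding only the "user" role
        for (String name : new String[] {"view", "delete", "help", "purge"}) {
            Method m = OrderBean.class.getMethod(name);
            System.out.println(name + " -> " + (isAllowed(m, caller) ? "invoke" : "deny"));
        }
    }
}
```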

        Activity

        Ed Burns added a comment -

        Move to unscheduled target milestone

        Ed Burns added a comment -

        Prepare to delete "spec" subcomponent.

        lincolnbaxter added a comment -

        Categorized as part of Rev 2.0 A prep

        rogerk added a comment -

        cat2 - investigate cdi as alternative

        Ed Burns added a comment -

        javadoc

        Ed Burns added a comment -

        These are targeted at 2.1.

        Ed Burns added a comment -

        triage

        Ed Burns added a comment -

        edburns

        Ed Burns added a comment -

        Change target milestone.

        rogerk added a comment -

        triage

        Ed Burns added a comment -

        Managed beans now are the province of CDI.

        Manfred Riem added a comment -

        Closing resolved issue out


          People

          • Assignee:
            Unassigned
            Reporter:
            cdoremus
          • Votes:
            1
            Watchers:
            2
