1. javaserverfaces-spec-public

Allow access-control related JSR-250 security annotations on managed beans


    • Status Whiteboard: cat2 javadoc size_medium importance_medium

      It would be nice to have the ability to use access-control related JSR-250
      security annotations (in the package) on managed beans
      in JSF the same way you can do it to EJB 3 (JSR-220). These annotations, which
      include @RolesAllowed, @PermitAll and @DenyAll, would be very helpful for
      programmatic access control in a finer grained fashion (and more
      straightforward) than the use of security-constraint in web.xml on directories.
      While the annotations are allowed at both the class and
      method level in JSR-250 and EJB 3, it would be most helpful on action bound
      methods (actions and action listeners).

      Implementing the @RolesAllowed annotation check could easily be done with the
      ExternalContext.isUserInRole() method. The other implementations are trivial.
      What happens when an access-control constraint is violated is something that I
      could not get clear direction on from the JSR-250 or EJB 3 specs. This is
      something that the JSF EG needs to discuss.

      In addition to annotation support, it would be nice to have a faces-config.xml
      way for setting this kind of access control similar to the way they do it in the
      EJB 3.0 spec with the method-permission element in the deployment descriptor. In
      that case, the ejb-name child element (/method-permission/method/ejb-name) would
      best be named managed-bean-name. As in the EJB 3 spec, it would be best for the
      deployment descriptor configured access control to trump a JSR-250 annotation
      allowing a user to change access control rules in the DD without having to
      recompile the source code.

      Personally, I am not as anxious to have the JSR-250 @DeclareRoles and @RunAs
      annotations supported in the JSF spec, but it might be nice to have for testing
      purposes. These annotations also have deployment descriptor analogs in the EJB 3
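
      The check the reporter sketches above, written out as an added example that is
      not part of the issue or of the JSF reference implementation: a small guard that
      resolves the effective @RolesAllowed / @PermitAll / @DenyAll constraint on an
      action method (method-level annotation over class-level, as in EJB 3), evaluates
      @RolesAllowed with one isUserInRole() call per listed role, and lets a
      deployment-descriptor style entry override the annotation, which is the
      precedence the reporter asks for. The annotation types are declared locally
      as stand-ins for javax.annotation.security.* so the file compiles without the
      JSR-250 API jar; the Predicate<String> parameter stands in for
      ExternalContext.isUserInRole(String), and OrderBean, the descriptorPermissions
      map, and AccessDeniedException are hypothetical names chosen for this example
      (the issue leaves the actual violation behaviour to the expert group).

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

public class ManagedBeanAccessCheck {

    // Local stand-ins for javax.annotation.security.RolesAllowed / PermitAll / DenyAll so
    // the example compiles without the JSR-250 API jar; a real JSF app would import those.
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface RolesAllowed { String[] value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface PermitAll {}
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface DenyAll {}

    /** Hypothetical failure behaviour: the issue leaves the real one to the JSF EG. */
    public static class AccessDeniedException extends RuntimeException {
        public AccessDeniedException(String msg) { super(msg); }
    }

    // Order matters only for the (misconfigured) case of several constraints on one element.
    private static final List<Class<? extends Annotation>> CONSTRAINTS =
            Arrays.asList(DenyAll.class, PermitAll.class, RolesAllowed.class);

    /** Hypothetical deployment-descriptor entries, keyed "managedBeanName.method" -> roles. */
    private final Map<String, String[]> descriptorPermissions = new HashMap<>();

    public void addDescriptorPermission(String beanName, String method, String... roles) {
        descriptorPermissions.put(beanName + "." + method, roles);
    }

    /**
     * Resolve the effective constraint and evaluate it. Descriptor entries trump annotations,
     * a method-level annotation trumps the class-level one, and no constraint anywhere means
     * permit (mirroring the EJB 3 rules). isUserInRole stands in for ExternalContext.isUserInRole.
     */
    public boolean isAllowed(String beanName, Method action, Predicate<String> isUserInRole) {
        String[] ddRoles = descriptorPermissions.get(beanName + "." + action.getName());
        if (ddRoles != null) return Arrays.stream(ddRoles).anyMatch(isUserInRole);

        Annotation c = findConstraint(action);
        if (c == null) c = findConstraint(action.getDeclaringClass());
        if (c == null || c instanceof PermitAll) return true;
        if (c instanceof DenyAll) return false;
        // @RolesAllowed: the user needs any one of the listed roles
        return Arrays.stream(((RolesAllowed) c).value()).anyMatch(isUserInRole);
    }

    private static Annotation findConstraint(AnnotatedElement element) {
        for (Class<? extends Annotation> type : CONSTRAINTS) {
            Annotation a = element.getAnnotation(type);
            if (a != null) return a;
        }
        return null;
    }

    /** The guard a JSF action invocation would run before calling the bound method. */
    public Object invokeAction(String beanName, Object bean, String method,
                               Predicate<String> isUserInRole) throws Exception {
        Method m = bean.getClass().getMethod(method);
        if (!isAllowed(beanName, m, isUserInRole)) {
            throw new AccessDeniedException("missing role for " + beanName + "." + method);
        }
        return m.invoke(bean);
    }

    // Sample managed bean, constructed for this example.
    @RolesAllowed("user")
    public static class OrderBean {
        public String view() { return "order.xhtml"; }   // inherits class-level @RolesAllowed("user")
        @RolesAllowed("admin") public String cancel() { return "cancelled"; }
        @PermitAll public String help() { return "help.xhtml"; }
        @DenyAll public String purge() { return "never"; }
    }

    public static void main(String[] args) throws Exception {
        ManagedBeanAccessCheck check = new ManagedBeanAccessCheck();
        OrderBean bean = new OrderBean();
        Predicate<String> plainUser = "user"::equals;                     // has role "user" only
        Predicate<String> admin = r -> r.equals("user") || r.equals("admin");

        System.out.println(check.invokeAction("orderBean", bean, "view", plainUser));
        System.out.println(check.invokeAction("orderBean", bean, "cancel", admin));
        System.out.println(check.invokeAction("orderBean", bean, "help", r -> false));
        for (String[] attempt : new String[][] {{"cancel", "user"}, {"purge", "admin"}}) {
            Predicate<String> principal = attempt[1].equals("admin") ? admin : plainUser;
            try {
                check.invokeAction("orderBean", bean, attempt[0], principal);
            } catch (AccessDeniedException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
        // A descriptor entry relaxes cancel() to role "support" without recompiling the bean.
        check.addDescriptorPermission("orderBean", "cancel", "support");
        System.out.println(check.invokeAction("orderBean", bean, "cancel", "support"::equals));
    }
}
```

      Two points to keep in mind when wiring something like this into a real
      lifecycle: the check has to run in the invoke-application phase on the method
      actually bound by the action expression, not just on the outcome string, or a
      caller who knows the view id can still reach the protected page through
      navigation; and a descriptor entry that names a method not present on the bean
      silently protects nothing, so the map should be validated against the bean
      class at deployment time rather than looked up lazily as here.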


        cdoremus created issue
        Ed Burns made changes: Assignee set to Ed Burns [ edburns ]
        Ed Burns made changes: Status Open [ 1 ] to Resolved [ 5 ]; Resolution Won't Fix [ 2 ]
        Manfred Riem made changes: Status Resolved [ 5 ] to Closed [ 6 ]

