Type: Improvement
Status: Resolved
Resolution: Won't Fix
Priority: Critical
Assignee: Unassigned
Reporter: cdoremus
Votes: 1
Watchers: 1

Allow access-control related JSR-250 security annotations on managed beans

Created: 14/Oct/08 09:10 AM   Updated: 24/Jan/14 09:10 PM   Resolved: 24/Jan/14 09:10 PM
Component/s: Platform Integration (except for Bean Validator)
Affects Version/s: 2.0
Fix Version/s: 2.2

Time Tracking:
Not Specified


Operating System: All
Platform: All

Issuezilla Id: 495
Status Whiteboard:

cat2 javadoc size_medium importance_medium

Participants: cdoremus, Ed Burns, lincolnbaxter and rogerk

Description

It would be nice to have the ability to use access-control related JSR-250
security annotations (in the package) on managed beans
in JSF the same way you can do it to EJB 3 (JSR-220). These annotations, which
include @RolesAllowed, @PermitAll and @DenyAll, would be very helpful for
programmatic access control in a finer grained fashion (and more
straightforward) than the use of security-constraint in web.xml on directories. While
the annotations are allowed at both the class and
method level in JSR-250 and EJB 3, it would be most helpful on action bound
methods (actions and action listeners).

Implementing the @RolesAllowed annotation check could easily be done with the
ExternalContext.isUserInRole() method. The other implementations are trivial.
What happens when an access-control constraint is violated is something that I
could not get clear direction on from the JSR-250 or EJB 3 specs. This is
something that the JSF EG needs to discuss.

In addition to annotation support, it would be nice to have a faces-config.xml
way for setting this kind of access control similar to the way they do it in the
EJB 3.0 spec with the method-permission element in the deployment descriptor. In
that case, the ejb-name child element (/method-permission/method/ejb-name) would
best be named managed-bean-name. As in the EJB 3 spec, it would be best for the
deployment descriptor configured access control to trump a JSR-250 annotation
allowing a user to change access control rules in the DD without having to
recompile the source code.

Personally, I am not as anxious to have the JSR-250 @DeclareRoles and @RunAs
annotations supported in the JSF spec, but it might be nice to have for testing
purposes. These annotations also have deployment descriptor analogs in the EJB 3