It would be nice to have the ability to use access-control related JSR-250
security annotations (in the javax.annotation.security package) on managed beans
in JSF the same way you can do it to EJB 3 (JSR-220). These annotations, which
include @RolesAllowed, @PermitAll and @DenyAll, would be very helpful for
programmatic access control in a finer-grained fashion (and more
straightforward) than the use of security-constraint in web.xml on directories. While
the javax.annotation.security annotations are allowed at both the class and
method level in JSR-250 and EJB 3, it would be most helpful on action bound
methods (actions and action listeners).
Implementing the @RolesAllowed annotation check could easily be done with the
ExternalContext.isUserInRole() method. The other implementations are trivial.
What happens when an access-control constraint is violated is something that I
could not get clear direction on from the JSR-250 or EJB 3 specs. This is
something that the JSF EG needs to discuss.
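
The following is an added sketch of the check described above, not code from the JSF specification or any implementation. The class `ActionAccessChecker`, the sample `OrderBean`, and the rule that an unannotated method is unconstrained are assumptions. The role test is passed in as a predicate; inside JSF it would be `FacesContext.getCurrentInstance().getExternalContext()::isUserInRole`.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.function.Predicate;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/** Hypothetical helper: evaluates JSR-250 access annotations on an action method. */
public final class ActionAccessChecker {

    // TRUE/FALSE when the element carries an access annotation, null when it has none.
    private static Boolean decide(AnnotatedElement e, Predicate<String> isUserInRole) {
        if (e.isAnnotationPresent(DenyAll.class)) return Boolean.FALSE;
        if (e.isAnnotationPresent(PermitAll.class)) return Boolean.TRUE;
        RolesAllowed roles = e.getAnnotation(RolesAllowed.class);
        if (roles == null) return null;
        // Access is granted if the caller holds any one of the listed roles.
        return Arrays.stream(roles.value()).anyMatch(isUserInRole);
    }

    // A method-level annotation overrides the class-level one, as in JSR-250.
    // The return value only reports the decision; what to do on a violation
    // is left to the caller, since the specs give no direction on that.
    public static boolean isAllowed(Method action, Predicate<String> isUserInRole) {
        Boolean d = decide(action, isUserInRole);
        if (d == null) d = decide(action.getDeclaringClass(), isUserInRole);
        return d == null || d; // assumption: no annotation means unconstrained
    }

    // Constructed sample managed bean with a class-level default of "admin".
    @RolesAllowed("admin")
    public static class OrderBean {
        public String delete() { return "deleted"; }   // inherits class-level rule
        @RolesAllowed({"clerk", "admin"})
        public String approve() { return "approved"; }
        @PermitAll
        public String view() { return "view"; }
        @DenyAll
        public String purge() { return "purged"; }
    }

    public static void main(String[] args) throws Exception {
        Predicate<String> clerk = "clerk"::equals;     // stand-in for isUserInRole
        for (String name : new String[] {"delete", "approve", "view", "purge"}) {
            Method m = OrderBean.class.getMethod(name);
            System.out.println(name + " -> " + isAllowed(m, clerk));
        }
    }
}
```
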
In addition to annotation support, it would be nice to have a faces-config.xml
way for setting this kind of access control similar to the way they do it in the
EJB 3.0 spec with the method-permission element in the deployment descriptor. In
that case, the ejb-name child element (/method-permission/method/ejb-name) would
best be named managed-bean-name. As in the EJB 3 spec, it would be best for the
deployment descriptor configured access control to trump a JSR-250 annotation,
allowing a user to change access control rules in the DD without having to
recompile the source code.
Personally, I am not as anxious to have the JSR-250 @DeclareRoles and @RunAs
annotations supported in the JSF spec, but it might be nice to have for testing
purposes. These annotations also have deployment descriptor analogs in the EJB 3