I recently developed a tomcat web app in JSP that uses declarative security (server.xml/web.xml) tied to the company's Active Directory. I was asked to add JSF support to the fledgling project. It was a simple matter to convert the login form to jsf, and the security model still worked.
An associate asked if I could allow a wider audience to view one of the reports, but render the action buttons only for a smaller group. Being new to JSF, I had to do some research.
I spent about four hours googling things like "jsf button security" and "jsf button permissions" and trying various suggestions that were mostly dead ends. Another associate had suggested using the Spring security model, but I didn't want to deal with a whole bunch of Spring libraries if there was an easier way to do it.
Eventually, I stumbled upon the answer, which was incredibly simple. I only needed to use the HttpServletRequest method: isUserInRole() to determine if the currently logged on user has permission to see the action buttons. I've used HttpServletRequests a LOT over the last ten years, but I don't recall ever learning about that method. With jsf, it's a simple matter to get to that method, as shown below:
public boolean isUserInRole(String role) {
return (FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role));
}
My questions specifically are: are there any gotchas about this approach I should be aware of, and is there another easier way to do it?
If you use Tomahawk as an addon to your JSF implementation most of the controls have a visibleOnUserRole attribute. You can use multiple role names in the value.