Spring Security + JSF: best practice for role-driven rendering of page components (links etc.)

Using JSF + Spring Security.

Solution 1 - UI oriented:
JSF page displays panel with users if authenticated person has ROLE_ADMIN authority only.

<p:panel rendered="#{facesContext.externalContext.isUserInRole('ROLE_ADMIN')}">
...

Solution 2 - backend oriented (annotate appropriate DAO method):

@Transactional
@PreAuthorize("hasRole('ROLE_ADMIN')")
public List<User> getUsers() {
    return sessionFactory.getCurrentSession().createCriteria(User.class)
            .list();
}

Resume:
Looks like the JSF rendered attribute is not a flexible solution, and DAO annotated methods are not user-friendly, because of redirecting to 403.

What is the graceful solution that allows me NOT to display a panel or link that does not correspond to specific authorities?

#0

You don't want to show the enduser panels or any kind of functionality which the enduser isn't allowed to see/use anyway. That would only result in general confusion and frustration. So role checking in the rendered attribute is the way to go.

The expression can only be more simplified in this form:

<p:panel rendered="#{request.isUserInRole('ROLE_ADMIN')}">

The ExternalContext#isUserInRole() delegates to HttpServletRequest#isUserInRole(), but the HttpServletRequest is by itself also present in EL scope as #{request}.

#1

Spring Security, depending on how it is configured, will return 403 or redirect in the event that a user is not authorized to access a specific resource.

Solution 1 is the appropriate way to do what you are trying to achieve but you are essentially creating a dependency between FacesContext and your view which I think is bad practice. A better solution would be to encapsulate this authorization logic within a managed bean property. The benefit of doing this is that your view is no longer dependent on your authorization implementation, and your managed bean now appropriately contains that dependency.
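One way to implement the managed-bean approach described in this answer, as an added example that is not code from the question or the answers: a request-scoped JSF bean wraps the Spring Security role check, and the view binds to the bean property instead of reaching into FacesContext. The bean name `authBean`, the class name and the package are assumptions; it relies on the standard `SecurityContextHolder` / `GrantedAuthority` API of Spring Security and on JSF 2.x `javax.faces.bean` annotations.

```java
// Added example (not from the original question or answers): a JSF managed bean
// that encapsulates the Spring Security role check so the view depends only on
// a bean property, not on FacesContext or on Spring Security directly.
// Assumed: JSF 2.x managed beans (javax.faces.bean) and Spring Security on the classpath.
package com.example.web; // hypothetical package name

import java.util.Collection;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

@ManagedBean(name = "authBean") // hypothetical bean name referenced from the view
@RequestScoped
public class AuthorizationBean {

    private static final String ROLE_ADMIN = "ROLE_ADMIN";

    /** Bean property for the view: true when the principal holds ROLE_ADMIN. */
    public boolean isAdmin() {
        return hasAuthority(ROLE_ADMIN);
    }

    /** Generic check: does the current principal hold the given authority? */
    public boolean hasAuthority(String authority) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // No authentication in the context (e.g. filter chain not applied to this
        // request) must never satisfy a role check.
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();
        for (GrantedAuthority granted : authorities) {
            if (authority.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

// The view then binds to the property instead of to FacesContext:
//
//   <p:panel rendered="#{authBean.admin}">
//       ...
//   </p:panel>
```

Hiding the panel this way is a usability measure, not the security boundary: the `@PreAuthorize("hasRole('ROLE_ADMIN')")` annotation on the DAO method from Solution 2 should stay in place so that a request crafted without the panel is still rejected server-side; the bean only removes the 403 from the normal user's path by never offering the action in the first place.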
