- Defining the set of roles for the application (web.xml).
- Defining security constraints for every application resource (web.xml).
- Wiring the application to the security module provided by the container (the application server), for example JBoss (jboss-web.xml).
A security constraint applies to a resource (a URL) as a whole, so when one page mixes controls meant for different roles there is no single role that fits the whole page. With plain JAAS there are two workarounds. The first is to split the controls over different resources and protect each with the appropriate role. The second is to grant the lowest-privilege role (normal users) access to the resource and then show or hide individual controls in Java code according to the roles of the current principal (for example with `request.isUserInRole`). The second approach only works if the same check also guards the server-side handler of each control: hiding a control does not stop a client from submitting the request that fires it.
jspx offers a much simpler solution. Every jspx control exposes a non-standard HTML attribute named `allowedRoles`. Its value is a string listing the roles that are allowed to view the control and to fire its events.
The jspx security features were first introduced in build 1.0.4, along with the other security features listed here.
Assume a page contains a button that resets a user's password. Only users in the admin and super roles should be able to use it; the rest of the page is viewable by normal users, but they must be able neither to see nor to invoke this control.
Standard JAAS alone cannot express this. With jspx the solution is as simple as:
<input id="resetPasswordButton" type="button" onserverclick="doReset" value="reset password" allowedRoles="admin,super" />
The `allowedRoles` attribute lists the permitted roles, separated by commas. When jspx processes this control it performs two checks:
- At render time, the control is emitted only if the current principal is in one of the listed roles; otherwise it is not rendered at all (it is omitted from the HTML, not merely hidden).
- When a postback is fired by this control, jspx checks again that the current principal is allowed to fire the event; otherwise the event is dropped. This second check is what makes the feature secure: a client can craft a postback for a control it was never shown, and the render-time check alone would not stop it.
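The following Java class is an added example and is not jspx's own source; it models the two checks just described so the security property can be seen end to end, and it also shows what the manual "show or hide in Java" workaround mentioned earlier must get right: the same authorization decision has to gate the server-side event, not only the rendering. The class and method names, the control ids, treating the wildcard `*` and a missing attribute as "no restriction", and representing the principal by a plain set of role names are all assumptions made for the example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not jspx source): models the render-time and postback-time
 * checks for an allowedRoles attribute. Control ids, role names and the
 * wildcard semantics are assumptions.
 */
public final class AllowedRolesDemo {

    /** Roles held by the current principal, as the container's login module would supply them. */
    private final Set<String> principalRoles;
    /** Parsed page: control id -> raw allowedRoles attribute value (null when the attribute is absent). */
    private final Map<String, String> controls = new HashMap<>();

    AllowedRolesDemo(Set<String> principalRoles) {
        this.principalRoles = principalRoles;
    }

    void addControl(String id, String allowedRoles) {
        controls.put(id, allowedRoles);
    }

    /** Parses "admin, super" into {"admin","super"}; trims whitespace and ignores empty entries. */
    static Set<String> parseAllowedRoles(String attr) {
        Set<String> roles = new LinkedHashSet<>();
        if (attr == null) {
            return roles;
        }
        for (String r : attr.split(",")) {
            String role = r.trim();
            if (!role.isEmpty()) {
                roles.add(role);
            }
        }
        return roles;
    }

    /**
     * Single authorization decision shared by both checks. Assumption: a missing
     * attribute or the wildcard "*" means no restriction; otherwise the principal
     * needs at least one of the listed roles.
     */
    boolean isAllowed(String controlId) {
        String attr = controls.get(controlId);
        if (attr == null) {
            return true;
        }
        Set<String> allowed = parseAllowedRoles(attr);
        if (allowed.contains("*")) {
            return true;
        }
        return !Collections.disjoint(allowed, principalRoles);
    }

    /** Check 1 (render time): emit the control's markup only when allowed; otherwise emit nothing at all. */
    String render(String controlId, String html) {
        return isAllowed(controlId) ? html : "";
    }

    /**
     * Check 2 (postback time): the client claims that control 'postedId' fired.
     * Re-check before dispatching, because a client can post an id it was never
     * shown. Returns true when the handler ran, false when the event was dropped.
     */
    boolean handlePostback(String postedId, Runnable handler) {
        if (!controls.containsKey(postedId) || !isAllowed(postedId)) {
            return false; // unknown control or forbidden principal: event dropped
        }
        handler.run();
        return true;
    }

    public static void main(String[] args) {
        String resetHtml = "<input id=\"resetPasswordButton\" type=\"button\" value=\"reset password\"/>";
        Runnable doReset = () -> System.out.println("password reset executed");

        // A normal user: the button is not rendered, and a forged postback naming it is dropped.
        AllowedRolesDemo asUser = new AllowedRolesDemo(Collections.singleton("user"));
        asUser.addControl("resetPasswordButton", "admin,super");
        asUser.addControl("loginButton", "*");
        System.out.println("user sees: '" + asUser.render("resetPasswordButton", resetHtml) + "'");
        System.out.println("forged postback by user dispatched? "
                + asUser.handlePostback("resetPasswordButton", doReset));
        System.out.println("login postback by user dispatched? "
                + asUser.handlePostback("loginButton", () -> System.out.println("login executed")));

        // An admin: the button is rendered and its event is dispatched.
        AllowedRolesDemo asAdmin = new AllowedRolesDemo(Collections.singleton("admin"));
        asAdmin.addControl("resetPasswordButton", "admin,super");
        System.out.println("admin sees: '" + asAdmin.render("resetPasswordButton", resetHtml) + "'");
        System.out.println("postback by admin dispatched? "
                + asAdmin.handlePostback("resetPasswordButton", doReset));
    }
}
```

Compile and run with `javac AllowedRolesDemo.java && java AllowedRolesDemo`. The point of the design is that `isAllowed` is the only place the decision is made, and both `render` and `handlePostback` call it; a framework (or hand-written page code) that only consults the roles in the rendering path leaves the handler reachable by anyone who knows or guesses the control id.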
The wildcard `*` lifts the restriction so that every visitor, including one who has not yet authenticated, can see and fire the control, which is exactly what a sign-in button needs:
<input id="loginButton" type="button" onserverclick="doLogin" value="signin" allowedRoles="*"/>
The same restriction can be applied to an entire jspx page through the `allowedRoles` attribute of the page tag in the jspx HTML page.
The page-level `allowedRoles` attribute will be available in the upcoming build 1.0.9.