Downshifting JSF Security

Thorsten Kisner and Helge Hemmer


Web application, security, framework


Security concepts are an inherent component of web applications. A security module is required to authenticate users and to authorize access to the functions and information of the system, following a set of permission rules that define users and user groups. Many existing mechanisms for authenticating users in web applications can be included, but the process of authorizing users depends highly on the business processes of the application. In most cases it is not enough to grant or deny access to individual web pages of the application's frontend. Depending on the role-based access control model, most applications require permission control on individual User Interface (UI) components such as menu items or action buttons. For more complex applications a single-level role model cannot depict the needs of the business processes, and therefore a multi-level orthogonal role model is required, which many common security concepts do not provide. The security module presented in this paper includes such a model and is designed for web applications with a presentation layer implemented in JavaServer Faces (JSF) with an Enterprise Java Bean (EJB) backend, both part of the Java Enterprise Edition (EE) standard specification, and utilizes the Contexts and Dependency Injection (CDI) of Java EE 6. A highly customizable and fine-grained multi-level role-based access model is provided, with additional features out of the box. The security module provides seamless integration with tools and concepts for different scopes, ranging from page authorization and menu creation to UI component authorization. Complex enterprise applications can also benefit from the documentation tools provided for the security concept itself, as well as from different reports about the role-based access control model. The concept is implemented in a GPL-licensed Java library, available for free download and via Maven dependency management, and is currently used in several enterprise web applications.
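To make the difference between a single-level and an orthogonal multi-level role model concrete, the following added example (illustrative code, not the library described in the paper) gates UI component ids on two independent dimensions, a functional role and an organizational level; the enums, the `Grant` record, the component ids and the user assignments are all constructed assumptions, and in a JSF page the boolean result would feed a component's `rendered` attribute.

```java
import java.util.*;

// Hypothetical orthogonal role model: two independent dimensions are
// combined, a functional role (what a user may do) and an organizational
// level (where that right applies). Levels are ordered so that a grant at
// a higher level implies the lower ones.
enum Function { VIEWER, EDITOR, APPROVER }
enum Level { TEAM, DEPARTMENT, COMPANY }

record Grant(Function function, Level level) {}

final class ComponentPolicy {
    // Minimum (function, level) a user must hold for a UI component id to render.
    private final Map<String, Grant> required = new HashMap<>();

    ComponentPolicy require(String componentId, Function f, Level l) {
        required.put(componentId, new Grant(f, l));
        return this;
    }

    // Default deny: a component without an explicit rule is never rendered.
    boolean isRendered(String componentId, Set<Grant> userGrants) {
        Grant need = required.get(componentId);
        if (need == null) return false;
        return userGrants.stream().anyMatch(g ->
            g.function() == need.function()
            && g.level().compareTo(need.level()) >= 0);
    }
}

public class OrthogonalRoleDemo {
    public static void main(String[] args) {
        ComponentPolicy policy = new ComponentPolicy()
            .require("menu:reports", Function.VIEWER, Level.TEAM)
            .require("btn:approveBudget", Function.APPROVER, Level.DEPARTMENT);

        // Constructed user: approver for one team only, viewer company-wide.
        Set<Grant> alice = Set.of(
            new Grant(Function.APPROVER, Level.TEAM),
            new Grant(Function.VIEWER, Level.COMPANY));

        // Company-wide viewer satisfies the team-level requirement of the menu item.
        System.out.println("menu:reports -> " + policy.isRendered("menu:reports", alice));
        // Approver role is held, but only at TEAM level, so the department-level
        // button stays hidden even though a single-level model would show it.
        System.out.println("btn:approveBudget -> " + policy.isRendered("btn:approveBudget", alice));
        // No rule registered for this id: denied by default.
        System.out.println("btn:delete -> " + policy.isRendered("btn:delete", alice));
    }
}
```

Hiding a component only removes it from the rendered page; the same decision must be repeated in the EJB method the button would invoke, otherwise a crafted request bypasses the UI-level check.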
