CODEWITHSUNDEEP
securityjsf-2java-ee-6shiro
czetsuya
czetsuya

Reputation: 5083

Can a JSF Page level permission be set using Shiro

I'm just wondering if we have a page level permission settings in Shiro? For example I have a jsf page that I only want to show in user with role staff and permission delete.

In JBoss we have something like:

<page xmlns="http://jboss.com/products/seam/pages"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.1.xsd">
    <restrict>#{persistentPermissionResolver.hasPermission('staff','delete')}</restrict>
</page>

Is this functionality also available in JavaEE6 + Shiro + JSF? It seems the JSP and JSF plugin only supports enabling a certain portion of a webpage being accessible to a certain role with a certain permission.

Thanks,
czetsuya

Upvotes: 2

Views: 916

Answers (2)

BalusC
BalusC

Reputation: 1109372

If you configure your project to use Shiro annotations as answered in Shiro annotation not working on JavaEE6 project, then you should be able to set page-level restriction by just putting the desired Shiro annotation at class level of the request scoped managed bean.

@Named
@RequestScoped
@ShiroSecured
@RequiresPermissions("staff:delete")
public class SomeBean {
    // ...
}

Upvotes: 1

czetsuya
czetsuya

Reputation: 5083

After fiddling with it for sometime I concluded that having the same functionality as that of Seam is impossible, but Apache Shiro offers the same fine-grained control through permission. Wherein you can control who access/what. As to how I integrate Apache Shiro with JavaEE6, here's how I did it: http://czetsuya-tech.blogspot.com/2012/10/how-to-integrate-apache-shiro-with.html.

Upvotes: 0

Related Questions