How to properly use isUserInRole(role)

To prevent a user role from performing an action.

  1. Example 1: The role "administrator" is the only role allowed to perform the destroy action.
  2. Example 2: Any role other than "guest" can perform the CREATE action.

In a real case, I have this:

public String delete() {
    // Only the "administrator" role may perform the destroy action
    if (FacesContext.getCurrentInstance().getExternalContext().isUserInRole("administrator")) {
        //.....the action to perform
    }
    return "Denied";
}

I wish I could use the @RolesAllowed() annotation of EJB, yet I am not using EJB but ManagedBeans. So the question is: is there any way to use many roles at the same time? Some workaround! Example: if an action must be allowed for 3 roles (administrator, moderator, manager), I am obliged to do:

if (FacesContext.getCurrentInstance().getExternalContext().isUserInRole("administrator")
    || FacesContext.getCurrentInstance().getExternalContext().isUserInRole("manager") 
    || .....) {
  //....
}

And it is a pain to reproduce on all the methods. Something like hundreds of methods :(

Hanynowsky asked Jun 29 '11 17:06


1 Answer

This needs to be controlled in the view side. Don't you find it by yourself very annoying when you see on some site a button for which you don't have sufficient rights to press and thus get an intimidating error page when you do so?

Just render the button in the view side only when the user has the required role, else hide it altogether.

<h:commandButton value="Delete" action="#{bean.delete}" 
    rendered="#{request.isUserInRole('administrator')}" />

This is not sensitive to (CSRF) hacks as JSF checks the condition once again during the apply request values phase.

As to using multiple conditions and repeating the same over and over in a single view, consider using <c:set> to give it a short alias. You could even place it in the top of some master template so that it's available to all child templates.

<c:set var="isPowerUser" value="#{request.isUserInRole('manager') or request.isUserInRole('administrator')}" scope="request" />
...
<h:commandButton rendered="#{isPowerUser}" />
...
<h:commandButton rendered="#{isPowerUser}" />
BalusC answered Sep 23 '22 10:09
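As an added example (not code from the question or the answer above), one way to avoid repeating the `isUserInRole` chain across hundreds of methods: a request-scoped helper bean that centralises the "any of these roles" check, usable from the view's `rendered` attribute (as the answer recommends) and from action methods, which keep their own server-side guard. It assumes JSF 2.x with EL 2.2 method invocation; the bean names `auth` and `itemBean` and the outcome strings are chosen here, and each class would live in its own file.

```java
// --- AuthBean.java ---
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

@ManagedBean(name = "auth")
@RequestScoped
public class AuthBean {

    /** True when the current user holds at least one of the given roles (for Java callers). */
    public boolean hasAnyRole(String... roles) {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        for (String role : roles) {
            if (ec.isUserInRole(role.trim())) {
                return true;
            }
        }
        return false;
    }

    /** Comma-separated variant for EL, e.g. rendered="#{auth.hasAnyRoleIn('administrator,manager')}". */
    public boolean hasAnyRoleIn(String rolesCsv) {
        return hasAnyRole(rolesCsv.split(","));
    }
}

// --- ItemBean.java ---
// In the view, hide the button exactly as the answer suggests:
//   <h:commandButton value="Delete" action="#{itemBean.delete}"
//       rendered="#{auth.hasAnyRoleIn('administrator,manager')}" />
@ManagedBean(name = "itemBean")
@RequestScoped
public class ItemBean {

    @ManagedProperty("#{auth}")
    private AuthBean auth;                 // injected helper (hypothetical wiring)

    public void setAuth(AuthBean auth) { this.auth = auth; }

    public String delete() {
        // The bean-side guard stays: it is the authoritative check if a request
        // reaches this method without going through the rendered button.
        if (!auth.hasAnyRole("administrator", "manager")) {
            return "denied";
        }
        // ..... the destroy action .....
        return "deleted";
    }
}
```

`ManagedProperty` needs `import javax.faces.bean.ManagedProperty;` in ItemBean.java; the role names are the container's security role names, so they must match what the deployment descriptor declares.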