Currently using: JBoss 6 (Development on GlassFish 3.1), JSF 2.0, form-based authentication with JAAS (no “public” pages, everything needs authentication).
The web application provides two different search pages (like search1.jsf and search2.jsf), accessible from index.jsf, but for users who do not belong to a special role with additional rights, search2.jsf must not be accessible.
The “standard” way to protect search2.jsf would be a configuration in web.xml which requires the special user role for this page. Are there other ways to protect the second search page dynamically, either based on a role or based on user-specific attributes, which do not introduce additional authentication frameworks or container-specific features?
Disabling the link in index.jsf which points to search2.jsf is easy, but users could enter the URL of the second search page in the browser to see it (so for the prototype I will adjust web.xml).
You can use EL in <ui:include>. Create a public master search.xhtml page which includes either search1.xhtml or search2.xhtml depending on the user role. E.g.
(Those include files are put in /WEB-INF so that the client cannot request it directly)
Then open the page by just search.xhtml instead.
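A sketch of the master page the answer describes, as an added example that is not the answerer's own code. It assumes an EL 2.2 container (needed for the method call with an argument), a role named `special`, and include files at `/WEB-INF/search1.xhtml` and `/WEB-INF/search2.xhtml`.

```xml
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:ui="http://java.sun.com/jsf/facelets">
<h:head>
    <title>Search</title>
</h:head>
<h:body>
    <!-- search.xhtml: the only search page a client can request directly. -->
    <!-- The role name 'special' is an assumption; use the role your JAAS realm assigns. -->
    <!-- The role check is evaluated on the server while the view is built, so a
         user without the role is never served search2.xhtml, whatever URL is typed. -->
    <ui:include src="/WEB-INF/#{request.isUserInRole('special') ? 'search2' : 'search1'}.xhtml" />
</h:body>
</html>
```

Forms inside the included files post back to search.xhtml, and the same role check runs again on each request, so the decision is never left to the client.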