What is the best way to implement authorization in JSF2? Through a servlet filter, a phase listener, or is there something new that I am not aware of?
There are two pieces to this: Authentication, and Authorisation.
First, Authentication: You can configure your web.xml to perform JAAS-based authentication according to a url pattern. Alternatively, if url-based authentication is too coarse-grained for you, you could do this manually with a PhaseListener or page actions using the HttpServletRequest login() method (new in Servlet 3.0). You can access this method through the FacesContext.getCurrentInstance().getExternalContext().
Once you are authenticated to a JAAS realm, you can consider role-based authorisation. Again there are a number of options:
- You can restrict page access to specified roles in the web.xml according to a url-pattern
- You can use FacesContext.getCurrentInstance().getExternalContext().isUserInRole("role") to programmatically access the current role in your backing beans.
- You can conditionally render components in the view using Expression Language, based on the user role. (Seam has the s:hasRole EL expression, IceFaces has the renderedOnUserRole attribute, or you can expose the role from your own backing bean).
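
An added example, not part of the original answer: a JSF 2 backing bean that performs the programmatic login() described above and enforces the role check inside the action method itself, so hiding a component in the view is not the only control. The bean name AuthBean, the role name "admin" and the view ids are assumptions, as is a container with a security realm already configured.

```java
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

@ManagedBean
@RequestScoped
public class AuthBean {                          // hypothetical bean name
    private String username;
    private String password;

    // Authenticate against the realm the container is configured with.
    public String login() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest request =
                (HttpServletRequest) ctx.getExternalContext().getRequest();
        try {
            request.login(username, password);   // Servlet 3.0 API
        } catch (ServletException e) {
            // One message for every failure cause, so the response does not
            // reveal whether the user name exists.
            ctx.addMessage(null, new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null;                         // stay on the login view
        } finally {
            password = null;                     // do not keep the credential
        }
        return "/home?faces-redirect=true";      // assumed view id
    }

    // Server-side check: rendered="..." in the view only hides the button,
    // a crafted postback can still reach this action.
    public String openAdminArea() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ec = ctx.getExternalContext();
        if (!ec.isUserInRole("admin")) {         // assumed role name
            ec.setResponseStatus(403);
            ctx.responseComplete();              // stop the JSF lifecycle
            return null;
        }
        return "/admin/index?faces-redirect=true"; // assumed view id
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```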