JSF Security Comparison – EL vs Component Approach
April 6, 2006
After finalizing the release of Acegi-JSF's new version, I came across a presentation by Duncan Mills about his JSF Security Project. We have already discussed our views with him here, but I would really like to hear your thoughts on this. His presentation contains the following slide, with which I cannot agree much.
The idea of the JSF Security Project is to provide an EL approach using a variable resolver, like this:
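To make the EL approach concrete, here is an added example of my own (not code from the JSF Security Project or from Acegi-JSF) of a JSF 1.1 variable resolver. It publishes a hypothetical `securityScope` variable so that a page can write `rendered="#{securityScope.userInRole['ROLE_ADMIN']}"` on any component; the role check is delegated to `ExternalContext.isUserInRole`, so it works with container-managed security or with a request wrapped by a security filter. The class and variable names are assumptions.

```java
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import javax.faces.context.FacesContext;
import javax.faces.el.EvaluationException;
import javax.faces.el.VariableResolver;

/**
 * Hypothetical JSF 1.1 variable resolver that exposes a "securityScope" EL variable.
 * Registered in faces-config.xml under <application><variable-resolver>; the JSF runtime
 * passes the previously configured resolver to the one-argument constructor (decorator chain).
 */
public class SecurityVariableResolver extends VariableResolver {

    private static final String VARIABLE_NAME = "securityScope";
    private final VariableResolver original; // the resolver we decorate

    public SecurityVariableResolver(VariableResolver original) {
        this.original = original;
    }

    public Object resolveVariable(FacesContext ctx, String name) throws EvaluationException {
        if (VARIABLE_NAME.equals(name)) {
            return new SecurityScope(ctx);
        }
        // Anything else (managed beans, request/session scope, ...) goes to the default resolver.
        return original.resolveVariable(ctx, name);
    }

    /** Bean view of the current security context for EL: #{securityScope.userInRole['ROLE_ADMIN']}. */
    public static final class SecurityScope {
        private final FacesContext ctx;

        SecurityScope(FacesContext ctx) {
            this.ctx = ctx;
        }

        /** A read-only Map so that EL bracket access ['ROLE_X'] yields a Boolean. */
        public Map getUserInRole() {
            return new AbstractMap() {
                public Object get(Object role) {
                    // isUserInRole comes from the servlet request, so the resolver itself has no
                    // dependency on any particular security framework.
                    boolean granted = ctx.getExternalContext().isUserInRole(String.valueOf(role));
                    return Boolean.valueOf(granted);
                }

                public Set entrySet() {
                    return Collections.EMPTY_SET; // roles are not enumerable, only queryable
                }
            };
        }

        /** Handy for #{securityScope.remoteUser} in a page header; null when not authenticated. */
        public String getRemoteUser() {
            return ctx.getExternalContext().getRemoteUser();
        }
    }
}
```

The downside this post goes on to describe shows up immediately in the markup: every component that must be hidden needs its own `rendered="#{securityScope.userInRole['ROLE_ADMIN']}"`, and a component whose `rendered` attribute is already bound to business logic would need that expression merged into the existing one.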
Well, I have no problem with the EL approach; I actually like it. For example, I have created a Hibernate persistent-object lookup resolver that brings up all the records in the database when bound to components like combos, list boxes, and radio and checkbox groups. It works like this:
Anyway, when comparing these two approaches, EL vs. security components, these points come to mind:
1) To secure some components on a page with the EL approach, one must write the same expression on every single one of the components.
The same with the component approach:
Imagine the requirement changes; with EL you must change it for every component, whereas the component approach provides a more centralized solution. And what if a secured component already has a value binding on its rendered attribute? The EL way brings complexity here.
2) What if there is a need to secure static HTML, not just JSF components? The component approach can do that as well.
3) Suppose you have grouped your roles, and the role lists are not hardcoded in the JSP but defined in a bean. The component approach allows a value binding to get the role list from a bean.
4) Since Acegi wraps HttpServletRequest, there is no dependency on Acegi or Spring. You can use it with servlet container security as well (tested with Tomcat).
5) The component approach also lends itself to data-level security. I have not implemented this one yet, but surrounding a JSF datatable with an Acegi-JSF component would filter the datatable's list and allow only the records that the given user is permitted to see (ACL).
6) Finally, and my favorite: the component way provides an abstraction between the UI components used for business and the security context of the application. The secured components do not know their position in the security context and do not depend on anything. This brings flexibility, maintainability and decoupling. Wait! Aren't those some of the principles of good software design?
The above are the advantages of the component way I can think of at first glance. The Acegi project team also favors this way and has informed users about the Acegi-JSF components on their SourceForge home site (http://acegisecurity.org/articles.html).
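For comparison with the resolver above, here is an added example of my own (not Acegi-JSF's code, and not the JSF Security Project's) of the component approach as a JSF 1.1 wrapper component. It illustrates points 1, 3 and 4: a single `ifAllGranted` attribute guards everything nested inside it, the attribute may be a literal `"ROLE_A,ROLE_B"` or a value binding to a Collection held in a bean, and the check is plain `ExternalContext.isUserInRole`, so the component has no dependency on Acegi or Spring. The class name, component family and attribute name are assumptions; a matching tag handler and `faces-config.xml` registration would be needed to use it as, say, `<sec:authorize ifAllGranted="#{roleBean.adminRoles}">...</sec:authorize>`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;

import javax.faces.component.UIComponent;
import javax.faces.component.UIComponentBase;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.el.ValueBinding;

/** Hypothetical wrapper component: renders its children only when the user holds every listed role. */
public class AuthorizeComponent extends UIComponentBase {

    public static final String COMPONENT_FAMILY = "example.Authorize"; // assumed name

    /** Literal roles ("ROLE_A,ROLE_B") or a Collection; null when supplied through a value binding. */
    private Object ifAllGranted;

    public String getFamily() {
        return COMPONENT_FAMILY;
    }

    public void setIfAllGranted(Object roles) {
        this.ifAllGranted = roles;
    }

    /** Literal attribute first; otherwise evaluate the value binding (role list kept in a bean). */
    public Object getIfAllGranted() {
        if (ifAllGranted != null) {
            return ifAllGranted;
        }
        ValueBinding vb = getValueBinding("ifAllGranted");
        return vb != null ? vb.getValue(getFacesContext()) : null;
    }

    /** We take over child rendering so that unauthorized content never reaches the response. */
    public boolean getRendersChildren() {
        return true;
    }

    public void encodeChildren(FacesContext ctx) throws IOException {
        if (!isAuthorized(ctx)) {
            return; // nothing nested inside is encoded, JSF components and verbatim HTML alike
        }
        for (Iterator it = getChildren().iterator(); it.hasNext();) {
            encodeRecursive(ctx, (UIComponent) it.next());
        }
    }

    /** Servlet-API-only check: works with container security or a wrapped (e.g. Acegi) request. */
    boolean isAuthorized(FacesContext ctx) {
        Collection roles = toRoleCollection(getIfAllGranted());
        if (roles.isEmpty()) {
            return false; // deny by default: a missing or empty role list must not expose content
        }
        ExternalContext ext = ctx.getExternalContext();
        for (Iterator it = roles.iterator(); it.hasNext();) {
            if (!ext.isUserInRole(String.valueOf(it.next()).trim())) {
                return false;
            }
        }
        return true;
    }

    static Collection toRoleCollection(Object value) {
        if (value == null) {
            return Collections.EMPTY_LIST;
        }
        if (value instanceof Collection) {
            return (Collection) value;
        }
        return Arrays.asList(String.valueOf(value).split(","));
    }

    /** Standard JSF 1.1 recursion for components that do not render their own children. */
    private static void encodeRecursive(FacesContext ctx, UIComponent c) throws IOException {
        if (!c.isRendered()) {
            return;
        }
        c.encodeBegin(ctx);
        if (c.getRendersChildren()) {
            c.encodeChildren(ctx);
        } else {
            for (Iterator it = c.getChildren().iterator(); it.hasNext();) {
                encodeRecursive(ctx, (UIComponent) it.next());
            }
        }
        c.encodeEnd(ctx);
    }

    // Keep the literal attribute across postbacks (JSF 1.1 state saving).
    public Object saveState(FacesContext ctx) {
        return new Object[] { super.saveState(ctx), ifAllGranted };
    }

    public void restoreState(FacesContext ctx, Object state) {
        Object[] values = (Object[]) state;
        super.restoreState(ctx, values[0]);
        ifAllGranted = values[1];
    }
}
```

Two practical notes. First, with JSP-based JSF 1.1 pages, static markup inside the tag only becomes a child component when wrapped in `<f:verbatim>`; JSF 1.2 handles template text itself. Second, the deny-by-default branch in `isAuthorized` is deliberate: a typo in the attribute name or an unresolved binding then hides the content instead of showing it, which is the safer failure for a rendering guard.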
So, as I mentioned, I am wondering about your thoughts on the comparison. What do you think about these approaches to JSF security? Any more pros and cons?