>There is a subtle but important issue.  Container managed security only
>operates on the original URL to which a GET or POST was directed ... it
>does *not* apply to RequestDispatcher.forward() calls.  In JSF terms,
>that means you can protect the form submit, but it is up to the
>application to decide whether or not navigation to a particular page is
>allowed.
>
>The RFE being discussed here could do something like a custom
>navigation handler with a pluggable strategy for choosing whether or
>not navigation (according to the navigation rules) is actually going to
>be permitted or not.  One implementation of this strategy could be
>based on user roles, but you could also do something more fine grained
>or context sensitive (since the strategy implementation would have
>access to FacesContext, it can do whatever it needs).
>
>Craig


I think I understand: if I use an action method to forward a user to a
different page based on its String name in my Faces-Config.xml, I'm
basically employing RequestDispatcher.forward(), which circumvents the
container managed security.  Did I get it?

In theory, couldn't I set a role property for each page in its
<managed-bean> element and then conditionally render the page, or
redirect elsewhere, based on my user's role stored in session?

If so, should this evaluation take place in the init() method of every
page's bean, or is there a better way to handle it globally?

Thanks
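
One way the navigation handler with a pluggable strategy described in the quoted reply could be written against the JSF 1.x API, so the check runs in one place instead of in every page bean. This is an added example, not code from the thread or from JSF itself; `NavigationPolicy`, `RolePolicy`, `GuardedNavigationHandler`, the `/admin/` prefix, the `admin` role and `/denied.jsp` are assumptions.

```java
import javax.faces.application.NavigationHandler;
import javax.faces.application.ViewHandler;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;

/** Hypothetical strategy: decides whether the current user may see a view. */
interface NavigationPolicy {
    boolean isPermitted(FacesContext context, String viewId);
}

/** One possible strategy: views under /admin/ need the "admin" role (assumed layout). */
class RolePolicy implements NavigationPolicy {
    public boolean isPermitted(FacesContext context, String viewId) {
        if (viewId != null && viewId.startsWith("/admin/")) {
            // Same role data the container uses for URL-based constraints.
            return context.getExternalContext().isUserInRole("admin");
        }
        return true;
    }
}

/** Decorates the default handler; registered in faces-config.xml under <navigation-handler>. */
public class GuardedNavigationHandler extends NavigationHandler {
    private static final String DENIED_VIEW = "/denied.jsp"; // assumed page
    private final NavigationHandler delegate;
    private final NavigationPolicy policy = new RolePolicy();

    // JSF passes the previously configured handler to a one-argument constructor.
    public GuardedNavigationHandler(NavigationHandler delegate) {
        this.delegate = delegate;
    }

    public void handleNavigation(FacesContext context, String fromAction, String outcome) {
        // Let the navigation rules select the target view first.
        delegate.handleNavigation(context, fromAction, outcome);
        UIViewRoot target = context.getViewRoot();
        String viewId = (target == null) ? null : target.getViewId();
        if (!policy.isPermitted(context, viewId)) {
            // Replace the selected view with the denial page before it is rendered.
            ViewHandler views = context.getApplication().getViewHandler();
            context.setViewRoot(views.createView(context, DENIED_VIEW));
        }
    }
}
```

Navigation rules marked `<redirect/>` produce a fresh GET, which the container's own URL constraints already cover; the check above matters for the forwarded case the quoted reply describes.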

