JAAS on JSPX control

September 23, 2009

JAAS is a very commonly used standard for security in J2EE applications. Using JAAS in a web application requires the following:

  1. Defining the set of roles for the application (web.xml).
  2. Defining a security constraint for every application resource (web.xml).
  3. Wiring the application to the security module provided by the container (the application server), for example JBoss (jboss-web.xml).
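As an added illustration of the three steps above (my own example, not configuration taken from the original post or from the jspx project), here is a web.xml for a hypothetical application with the roles normal, moderator and admin. The role names, the URL patterns, the realm name and the login pages are assumptions:

```xml
<!-- web.xml (added example; role names, URL patterns and realm are assumed) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Step 2: one constraint per resource. The whole of /pages/* gets one
       role set, so a single page cannot mix normal-only and admin-only controls. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>pages</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>normal</role-name>
      <role-name>moderator</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- A second resource restricted to admin only; a user outside the role
       gets an error response from the container before any page code runs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- How the container authenticates: form login against the named realm. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jspx-demo</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Step 1: the roles the application knows about. -->
  <security-role><role-name>normal</role-name></security-role>
  <security-role><role-name>moderator</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
```

For step 3 on JBoss, the matching jboss-web.xml consists of a single security-domain element, for example `<security-domain>java:/jaas/jspx-demo</security-domain>` inside `<jboss-web>`, naming the JAAS application policy that actually authenticates users and assigns the roles listed above; the policy name is again an assumption.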

As seen in the configuration above, a security constraint applies to a whole resource, a page for example. In practical applications a page may be a mix of controls with role-dependent behaviour: some controls are visible to normal users, others only to moderators, and the rest only to super/admin users.

This mix of controls makes it impossible to choose a single role to apply to the whole page. One solution is to split the controls across different resources and attach the appropriate role to each. The other is to give the resource the lowest access level (normal users) and then show and hide controls in Java code based on the current principal.

jspx provides a much easier solution to this problem. Every jspx control exposes a non-standard HTML attribute named AllowedRoles. Its value is a string listing the roles that are allowed to view the control and fire its events.

jspx security features were first introduced in build 1.0.4, along with many other security features listed here.

Assume there is a button on a page that resets a user's password. Only users of type admin and super should be allowed to use it, while the whole page is viewable by normal users, who must be able neither to see nor to invoke the control. Standard JAAS does not solve this issue, but with jspx the solution is simply the following:

<input id="resetPasswordButton" type="button" onserverclick="doReset" value="reset password" allowedRoles="admin,super" />

The highlighted attribute lists the allowed roles, separated by commas.

When jspx parses this control it performs the following two checks:

  1. It renders the control only if the current principal is in one of the listed roles; otherwise the control is not rendered at all.
  2. When a postback is fired by this control, it checks again that the current principal is allowed to fire the event; otherwise the event is dropped. This second check is what protects the server: the first only decides what is sent to the browser, and a user can still submit the request by hand.

The attribute value can be set to * to allow all roles to access the control, like this:

<input id="loginButton" type="button" onserverclick="doLogin" value="signin" allowedRoles="*" />

The AllowedRoles attribute also applies at the level of a whole jspx page. This is achieved through the AllowedRoles attribute of the page tag in the jspx HTML page:

<page master="/pages/master/site.html" controller="eg.java.jspx.demo.controller.MyPage" allowedRoles="*">

The page-level AllowedRoles attribute will be available in the upcoming build 1.0.9.
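To make the two checks, the * wildcard and the page-level variant concrete, here is an added example written by me for this page; it is not jspx's implementation and does not use the jspx API. It gates a control with the same decision at render time and again at postback time, against a minimal RoleChecker interface that in a real servlet you would back with request::isUserInRole. The RoleChecker interface, the rendering and dispatch helpers, the constructed principals and the fail-closed rule for a blank attribute are all assumptions of the example; applying isAllowed to a whole page instead of one control is what the page-level attribute amounts to.

```java
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added example, not jspx's code: an AllowedRoles-style gate that is applied
 * once when the control is rendered and again when its postback arrives.
 * The RoleChecker interface, the control rendering and the event dispatch
 * shape are assumptions made for the example.
 */
public class AllowedRolesGate {

    /** Hypothetical view of the container principal; in a servlet wrap request::isUserInRole. */
    public interface RoleChecker {
        boolean isUserInRole(String role);
    }

    /** Splits "admin, super" into an ordered set of trimmed role names, skipping empty entries. */
    static Set<String> parseAllowedRoles(String attr) {
        Set<String> roles = new LinkedHashSet<>();
        if (attr == null) {
            return roles;
        }
        for (String part : attr.split(",")) {
            String role = part.trim();
            if (!role.isEmpty()) {
                roles.add(role);
            }
        }
        return roles;
    }

    /**
     * The single decision both checks share. An absent attribute means no
     * per-control restriction (the page's own constraint still applies), "*"
     * admits every role, and an attribute that is present but names no role
     * fails closed; that last rule is my choice, the post does not define it.
     */
    public static boolean isAllowed(String allowedRolesAttr, RoleChecker user) {
        if (allowedRolesAttr == null) {
            return true;
        }
        Set<String> roles = parseAllowedRoles(allowedRolesAttr);
        if (roles.contains("*")) {
            return true;
        }
        for (String role : roles) {
            if (user.isUserInRole(role)) {
                return true;
            }
        }
        return false; // also reached for an empty role set
    }

    /** Check 1: the control is either rendered or omitted from the page entirely. */
    public static String render(String id, String value, String allowedRolesAttr, RoleChecker user) {
        if (!isAllowed(allowedRolesAttr, user)) {
            return "";
        }
        return "<input id=\"" + id + "\" type=\"button\" value=\"" + value + "\" />";
    }

    /**
     * Check 2: the server-side handler runs only after the same decision is
     * repeated against the principal of the postback request. Check 1 only
     * decides what the browser receives; anyone can hand-craft the POST.
     */
    public static boolean dispatchPostback(String allowedRolesAttr, RoleChecker user, Runnable handler) {
        if (!isAllowed(allowedRolesAttr, user)) {
            return false; // event dropped
        }
        handler.run();
        return true;
    }

    public static void main(String[] args) {
        String allowed = "admin,super";               // the value from the post's example
        RoleChecker normalUser = "normal"::equals;    // constructed principals for the demo
        RoleChecker admin = role -> role.equals("admin") || role.equals("normal");

        System.out.println(render("resetPasswordButton", "reset password", allowed, admin));
        System.out.println("[" + render("resetPasswordButton", "reset password", allowed, normalUser) + "]");

        Runnable doReset = () -> System.out.println("doReset ran");
        System.out.println("admin postback accepted: " + dispatchPostback(allowed, admin, doReset));
        System.out.println("normal postback accepted: " + dispatchPostback(allowed, normalUser, doReset));
        System.out.println("wildcard for normal user: " + isAllowed("*", normalUser));
    }
}
```

Compile and run it with javac and java; the normal user gets an empty string from render and a dropped postback, the admin gets the button and a dispatched handler, and "*" admits the normal user. The point to carry into real code is that dispatchPostback never trusts that the control was rendered: the role decision is recomputed from the request's principal, so an edited form or a replayed POST from a lower-privilege session is rejected exactly like a missing role.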


JSPX Press

September 22, 2009


For over 20 months we have been working very hard on the technical side of jspx, bringing it to a more advanced state. We figured out that we need to talk more about what we already have, given that what we already have is far too large to be covered by the current documentation and demos.

Personally, I believe in short, direct articles that target specific issues and present immediate solutions.

In the upcoming series we will post different articles exploring new aspects, features and advantages of the framework.

As the official website gives plenty of detail as an introduction to jspx, we will start from the point after that, spotlighting more of the miscellaneous hidden features.

We hope jspx will become your favorite Java web framework for your development.

See you!

Hello world!

September 22, 2009

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!