User based authorization for CDI and JSF 2

Question

I need to implement a authorization system where permission is individual, so each user can access specific pages and specific functions, eg .:

User A -> Customer page (Read, Create, Update, Delete), Products page (Read, Create, Update, Delete)

User B -> Customer page (Read, Create), Products page (Read,Delete)

User C -> Manufacturers page (Read,Create)

Admin User -> ALL

Also I would like to have profiles with pre-determined permissions but the user could have more permissions than these profiles. I'm trying to use JAAS for this, but it is complicated to understand where the roles and groups would, also I need to control access to screens via database, every tutorial I see for JAAS uses the web.xml and Roles like Groups(ADMIN, USER, GUEST, ETC) so I can not do this dynamically and individual for the user.

Any suggestions or example?

score 0 · Accepted Answer · answered Jan 28 '15 at 22:31

What you need is Permission based Security. But Java EE knows only the Role based Security.

Every user has one or more Roles. What you need is that one Role or also one User can have one or more Permissions.

Java EE does not help here. So you need 3rd Party libraries or implement it at your own.

I know the following 3rd Party Libs to achieve this:

Spring Security (http://docs.spring.io/spring-security/site/docs/4.0.0.RC1/reference/htmlsingle/)
Apache Shiro (https://shiro.apache.org)

There are even a lot more out there...

User based authorization for CDI and JSF 2

1 Answers1