Well, this is a pretty broad subject. As you're starting off with homebrewed authentication, I'll target the answer on homebrewed authorization.

---

Role checking in Java/JSF is on its own relatively simple if the model is sensibly designed. Assuming that a single user can have multiple roles (as is often the case in real world applications), you'd ultimately like to end up having something like:

```java
import java.util.List;

public class User {

    private List<Role> roles;

    // ...

    public boolean hasRole(Role role) {
        return roles.contains(role);
    }

}
```

```java
public enum Role {
    EMPLOYEE, MANAGER, ADMIN;
}
```

so that you can check it as follows in your JSF views:

```html
<h:selectManyCheckbox value="#{user.roles}" disabled="#{not user.hasRole('ADMIN')}">
    <f:selectItems value="#{Role}" />
</h:selectManyCheckbox>
```

```html
<h:commandButton value="Delete" rendered="#{user.hasRole('ADMIN')}" />
```

and in your filter:

```java
String path = req.getRequestURI().substring(req.getContextPath().length());

if (path.startsWith("/integra/user/admin/") && !user.hasRole(Role.ADMIN)) {
    res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
```

---

The hardest part is translating this Java model to a sane DB model. There are several different ways depending on the concrete business requirements, each with its own (dis)advantages. Or perhaps you already have a DB model on which you have to base your Java model (thus, you need to design bottom-up)?

Anyway, assuming that you're using JPA 2.0 (your question history at least confirms this) and that you can design top-down, one of the easiest ways would be to map the `roles` property as an [`@ElementCollection`](http://docs.oracle.com/javaee/6/api/javax/persistence/ElementCollection.html) against a `user_roles` table. As we're using a `Role` enum, a second `role` table isn't necessary. Again, that depends on the concrete functional and business requirements.

In generic SQL terms, the `user_roles` table can look like this:

```sql
CREATE TABLE user_roles (
    user_id BIGINT REFERENCES user(id),
    role VARCHAR(16) NOT NULL,
    PRIMARY KEY(user_id, role)
)
```

Which is then to be mapped as follows:

```java
import javax.persistence.*;

@ElementCollection(targetClass=Role.class, fetch=FetchType.EAGER)
@Enumerated(EnumType.STRING)
@CollectionTable(name="user_roles", joinColumns={@JoinColumn(name="user_id")})
@Column(name="role")
private List<Role> roles;
```

That's basically all you'd need to change in your `User` entity.

---

Next to homebrewed authentication (login/logout) and authorization (role checking), there is also Java EE provided [container managed authentication](http://docs.oracle.com/javaee/6/tutorial/doc/bncas.html) with which you can [login by `j_security_check` or `HttpServletRequest#login()`](https://stackoverflow.com/questions/2206911/best-way-for-user-authentication-on-javaee-6-using-jsf-2-0/2207147#2207147), [filter HTTP requests by `<security-constraint>` in `web.xml`](https://stackoverflow.com/questions/6079469/java-ee-login-page-problem/6079648#6079648), [check the logged-in user by `#{request.remoteUser}`](https://stackoverflow.com/questions/8374368/how-to-check-if-is-user-logged-in/8375301#8375301) and [its roles by `#{request.isUserInRole('ADMIN')}`](https://stackoverflow.com/questions/6524788/how-to-properly-use-isuserinrolerole/6526525#6526525), etc.

Then there are several 3rd party frameworks such as [PicketLink](http://picketlink.org), [Spring Security](http://static.springsource.org/spring-security/site/), [Apache Shiro](http://shiro.apache.org/), etc. But this is all out of the question :)
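As an added example (not part of the answer above), this turns the filter snippet into a complete servlet `Filter` on top of the answer's `User` and `Role` types: several URL prefixes are mapped to the roles allowed to reach them, the path is normalized before the prefix compare, an anonymous caller gets 401 while a logged-in user lacking the role gets 403, and the decision is a plain static method so it can be unit-tested without a container. The `RoleFilter` class name, the `"user"` session attribute and the `javax.servlet` (Java EE 6 era) API are assumptions.

```java
import java.net.URI;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter built on the User and Role types shown in the answer.
public class RoleFilter implements Filter {
    // Insertion order matters: the first matching prefix wins, so the most
    // specific rule (admin) is registered before the broad catch-all rule.
    private static final Map<String, Set<Role>> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/integra/user/admin/", EnumSet.of(Role.ADMIN));
        RULES.put("/integra/user/manage/", EnumSet.of(Role.MANAGER, Role.ADMIN));
        RULES.put("/integra/user/", EnumSet.allOf(Role.class)); // any logged-in user
    }

    // Pure decision function, kept apart from the servlet plumbing so it can be
    // unit-tested. A null user means "not logged in". Returns an HTTP status code.
    static int decide(String path, User user) {
        String normalized;
        try {
            // Collapse "." and ".." segments before comparing, so the rule is
            // applied to the path the container will actually dispatch to.
            normalized = URI.create(path).normalize().getPath();
        } catch (IllegalArgumentException malformed) {
            return HttpServletResponse.SC_BAD_REQUEST;
        }
        Set<Role> allowed = null;
        for (Map.Entry<String, Set<Role>> rule : RULES.entrySet()) {
            if (normalized.startsWith(rule.getKey())) { allowed = rule.getValue(); break; }
        }
        if (allowed == null) return HttpServletResponse.SC_OK;          // public resource
        if (user == null) return HttpServletResponse.SC_UNAUTHORIZED;  // not authenticated
        for (Role role : allowed) if (user.hasRole(role)) return HttpServletResponse.SC_OK;
        return HttpServletResponse.SC_FORBIDDEN;                        // authenticated, role missing
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws java.io.IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        User user = session == null ? null : (User) session.getAttribute("user"); // assumed attribute name
        String path = req.getRequestURI().substring(req.getContextPath().length());
        int status = decide(path, user);
        if (status != HttpServletResponse.SC_OK) { res.sendError(status); return; }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Register it in `web.xml` (or with `@WebFilter`) on the `/integra/*` pattern; `decide("/integra/user/admin/x", null)` then yields 401 and the same path with a user holding only `EMPLOYEE` yields 403.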