AdminFaces starter project using JavaEE 8 security API
Switch branches/tags
Nothing to show
Clone or download

README.adoc

AdminFaces Starter Security

A AdminFaces sample project using JavaEE 8 security API.

Login page

starter1

Car list

starter2

Car form

starter3

Car form responsive

starter4

Authentication

The application has two users configured via Custom IdentityStore, see here.

email/password

admin@faces.com user has role admin.

user@faces.com user has role user.

Authorization

Admin user with role admin can access any page while role user can access only pages under /pages path (only car-list page). See url security constraints.

Users without access to restricted pages (car-form) will be redirected to Access Denied page:

AccessDenied

403

Admin have permissions for all CRUD operations on top of Car entity while common user can only view/list cars.

At page level buttons (like delete) are disabled using following EL:

disabled="#{not externalContext.isUserInRole('ADMIN')"

At method level @RolesAllowed("ADMIN") annotation is used.

Tip
Try using uncommenting finById rolesAllowed on carService here and use find by ID on car-list page with non admin user, it should redirect to Access Denied page.

Running

It should run in any JavaEE 8 application server.

It was tested with WildFly 13.0.0 using ee8-preview mode and Glassfish/Payara 5.

Or using docker:

docker run -it -p 8080:8080 rmpestano/admin-starter-security

The application is available at http://localhost:8080/admin-starter