A AdminFaces sample project using JavaEE 8 security API.
The application has two users configured via Custom IdentityStore, see here.
-
admin@faces.com/admin
-
user@faces.com/user
admin@faces.com user has role admin.
user@faces.com user has role user.
Admin user with role admin can access any page while role user can access only pages under /pages path (only car-list page). See url security constraints.
Users without access to restricted pages (car-form) will be redirected to Access Denied page:
Admin have permissions for all CRUD operations on top of Car entity while common user can only view/list cars.
At page level buttons (like delete) are disabled using following EL:
disabled="#{not externalContext.isUserInRole('ADMIN')"
At method level @RolesAllowed("ADMIN") annotation is used.
|
Tip
|
Try using uncommenting finById rolesAllowed on carService here and use find by ID on car-list page with non admin user, it should redirect to Access Denied page.
|
It should run in any JavaEE 8 application server.
It was tested with WildFly 13.0.0 using ee8-preview mode and Glassfish/Payara 5.
Or using docker:
docker run -it -p 8080:8080 rmpestano/admin-starter-security
The application is available at http://localhost:8080/admin-starter