Reply To: Custom Authorization check in rules


#27426

I also tried to handle authorization with Rewrite for some time, but it tends to be very difficult, especially if you do finer-grained permission checks at the object level.

I usually have a helper class like this:

import java.io.IOException;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletResponse;

// Static helpers that end the current JSF request with an HTTP error status.
public class FacesRequests {

  public static void sendForbidden() {
    sendStatusCode( 403, null );
  }

  public static void sendForbidden( String msg ) {
    sendStatusCode( 403, msg );
  }

  public static void sendNotFound() {
    sendStatusCode( 404, null );
  }

  public static void sendNotFound( String msg ) {
    sendStatusCode( 404, msg );
  }

  public static void sendStatusCode( int status, String message ) {

    try {

      FacesContext context = FacesContext.getCurrentInstance();

      HttpServletResponse response = (HttpServletResponse) context.getExternalContext().getResponse();

      if( message != null ) {
        response.sendError( status, message );
      }
      else {
        response.sendError( status );
      }

      // tell JSF the response is finished so it skips the rest of the lifecycle
      context.responseComplete();

    }
    catch( IOException e ) {
      throw new IllegalStateException( "Could not send status code " + status, e );
    }

  }

}

And then I do permission checks in my JSF page actions like this:

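import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.inject.Named;

@Named
@RequestScoped
public class SomePageBean {

  // the application's own permission helper (type name assumed here)
  @Inject
  private PermissionService permissionService;

  // page action
  public void load() {

    if( !permissionService.isCanViewThisSpecificPage() ) {
      FacesRequests.sendForbidden();
      return; // stop here so nothing below runs for a denied request
    }

    // ....

  }

  // ....

}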

This works very well. You can use some service or helper class for permission checks at the object level and then simply use a static method to handle the result in case of failure. Instead of sending a 403, you could also simply send a redirect. This shouldn’t be too hard.
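
An added example, not part of the original post, showing the object-level variant of the page action above together with the redirect alternative the post mentions. It reuses the `FacesRequests` helper from the post; `Document`, `DocumentRepository`, `PermissionService` and the `/login` path are hypothetical names assumed for illustration.

```java
import java.io.IOException;
import javax.enterprise.context.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;

@Named
@RequestScoped
public class DocumentPageBean {

  // Hypothetical application types (assumptions, not part of JSF or Rewrite).
  public interface Document { }
  public interface DocumentRepository { Document findById( long id ); }
  public interface PermissionService {
    boolean isLoggedIn();
    boolean canView( Document doc );
  }

  @Inject private DocumentRepository documents;
  @Inject private PermissionService permissions;

  private Long id;            // bound from the request, e.g. a path parameter
  private Document document;  // stays null unless every check passed

  // page action
  public void load() throws IOException {
    Document found = ( id == null ) ? null : documents.findById( id );
    if( found == null ) {
      FacesRequests.sendNotFound();
      return;
    }
    if( !permissions.isLoggedIn() ) {
      // Redirect instead of a 403; fixed, application-relative target (assumed path).
      ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
      ec.redirect( ec.getRequestContextPath() + "/login" );
      return;
    }
    if( !permissions.canView( found ) ) {
      FacesRequests.sendForbidden();
      return;
    }
    document = found; // expose the object to the view only after the checks
  }

  public Long getId() { return id; }
  public void setId( Long id ) { this.id = id; }
  public Document getDocument() { return document; }
}
```

Every failure branch returns before `document` is assigned, so the view never receives an object the current user was not allowed to load.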