Apache Shiro tags for Facelets - Securing your JSF pages

1 Nov 2010

Apache Shiro tags for Facelets - Securing your JSF pages

First, a little introduction. You can skip it and go straight to the source code, if you want.

I started working with Apache Shiro when it was still called JSecurity, and I have to say that it really rocks! I tried to use Spring Security (Acegi) in some projects, but the easiness and lean approach of Shiro is unbeatable. For a quick introduction, here's a quote from the project's site:

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

I've used it in Java and Grails projects, and recently I've even been experimenting it with Google App Engine. It fits very well in almost any Java platform project that needs security.

Shiro already works great in a JSF/Facelets project. You can use it's filters to grant and deny access to some parts of your application and to force authentication (redirect to login).

The only functionality missing is the power of it's JSP taglib, that are used to conditionally render some parts of your HTML, based on user's authorization, roles and permissions (you can learn how to use them with this simple example project). The problem is that this conditional rendering is not totally compatible with JSF's phases. Better than trying to fit a cube in a spherical hole, I decided to rewrite Shiro's JSP tags into a Facelets taglib, totally compatible with JSF.

All original tags are available as their Facelets equivalents, and I have introduced two new ones:

<shiro:hasAnyPermission> - Displays body content only if the current user has one of the specified permissions from a comma-separated list of permission strings.

<shiro:remembered> - Displays body content only if the current user has a known identity that has been obtained from 'RememberMe' services. Note that this is semantically different from the 'authenticated' tag, which is more restrictive.

I've already submitted a patch to Shiro's development team, but they're very busy at the moment packaging the new 1.1 version for release. So I decided to share the taglib on GitHub, and host the artifacts in my personal maven repository, as I need to use the tags in an on-going project.

If you want to try it in your maven project, add my repository to your pom.xml:

and add the jar dependency:

Now you can declare Shiro's namespace in your xhtml pages and use the tags like this:

That's it! Just keep in mind that as soon as this lib gets incorporated officially in Shiro, I'll stop updating it in GitHub and all future enhancements will only be available in the official version. If you want to see the tags incorporated officially into Shiro sooner than later, you can vote here: https://issues.apache.org/jira/browse/SHIRO-206

And if you have any suggestion, please leave a comment.

Enjoy ;)

Comments 16 Comments

Nov 02, 2010

Les Hazlewood said...

Hi Deluan,

Great writeup! Thanks for sharing. We'll do our best to try and support this in Shiro as an added support module as soon as we can.

Cheers,

Les

Deluan Quintão said...

Thanks Les. Good to hear that. Let me know if I can be of any help.

Nov 04, 2010

Shawn said...

I've done something similar to this in the past. When you go to use it I find only allowing a comma seperated static list to be somewhat limiting. You should allow attributes to be JSF EL expressions so you can dynamically generate your list of permission strings using a backing bean. This also prevents you from hard coding the same everywhere and alows for reuse for components that need the same access.

Hi Shawn,

Thanks for the suggestion. I'll take a look at it as soon as I can.

Nov 08, 2010

My Java Tutorials said...

This is really a great contribution
adding the power of Shiro to JSF will make the development of JSPs much easier for security purposes

icarus said...

Hello, thanks for creating this!

I voted for your Task in the Apache JIRA. I'm wondering, does this also work with JSF 2.0 and the build in facletes? Because i'm already working in a JEE6 Enviroment

Nov 09, 2010

neo said...

good suggestion

Thanks "My Java Tutorials", but I'd like to reinforce that the tags that I've developed only works with Facelets. And it seems that the original Shiro's JSP tags don't work in a JSP page when used with JSF. So if you want to use JSPs with JSF, I think you don't have (currently) any choice.

Thanks for the vote, Icarus. Unfortunately, the packages for Facelets were renamed in JSF 2.0, so this library won't work with it... Nevertheless I'm thinking of packaging a version of this library for JSF 2.0. I'll keep you posted.

Mar 05, 2011

mangelo said...

I downloaded the tag lib jar (shiro-faces-1.0.SNAPSHOT.jar) and included it in my project along with Shrio. I my build path I put the shiro-faces jar in front of Shiro, but I'm still getting the actual text of the tags (<shiro:hasany>

What am I not doing correctly?

Mar 11, 2011

Hi Michael, sorry for the delay.

Did you added the Shiro's namespace to your html page, like this:

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"

xmlns:ui="http://java.sun.com/jsf/facelets"

xmlns:shiro="http://shiro.apache.org/tags">

If that is not the problem, are you using JSF 1.2 or JSF 2.0? Can you send me a small test program showcasing this problem?

Regards

May 18, 2011

Sergio Ordoñez said...

I need help! And integrating the repositories and dependencies in the pom.xml.
However, I can not use the tags. In my xhtml file I added xmlns: shiro = "http://shiro.apache.org/tags" but netbeans sends me an error that says: No library found for this namespace. What I can do?

May 19, 2011

Hi Sergio, thanks for trying this library.

Did NetBeans downloaded the dependencies? Can you successfully build the project outside NB, using `mvn clean package`? Also, I recently publish version 1.0 final to the repository. Try using that version. If you have any further questions, please ask on the Shiro User List: http://shiro-user.582556.n2.nabble.com/ (I'll answer your questions there), so more people can benefit from the solution.

Regards,

Deluan.

Aug 10, 2011

NidalP said...

Great work Deluan!

One thing to notice: please put somewhere in the article that shiro-faces taglib only works with JSF 1.2.
I have spent almost hour and a half trying to weed out strange errors until I found on some forum your post that says taglib only works with JSF 1.2 for now. (No, I don't have a habit of looking into pom files to see what the dependencies are :o)

Regards,
Nidal

Oct 05, 2011

John said...

please release a jsf 2.0 version, so we can use shiro for our application

@John: I published a 2.0-SNAPSHOT version today, that works with JSF 2.0. Please give it a try. Any feedback is welcome!

@NidalP: Now it works with JSF 2 :) Anyway, thanks for noticing.

Tech Beats

Apache Shiro tags for Facelets - Securing your JSF pages

Comments 16 Comments

Leave a Comment

Deluan Quintão's Posterous

My Other Sites

Search