A AdminFaces sample project using JavaEE/JakartaEE 8 security API.
The application has two users configured via Custom IdentityStore
, see here.
-
admin@faces.com/admin
-
user@faces.com/user
admin@faces.com
user has role admin
.
user@faces.com
user has role user
.
Admin user with role admin
can access any page while role user
can access only pages under /pages
path (only car-list page). See url security constraints.
Users without access to restricted pages (car-form) will be redirected to Access Denied
page:
Admin have permissions for all CRUD operations on top of Car entity while common user can only view/list cars.
At page level buttons (like delete) are disabled using following EL:
disabled="#{not externalContext.isUserInRole('ADMIN')"
At method level @RolesAllowed("ADMIN")
annotation is used.
💡
|
Try using uncommenting finById rolesAllowed on carService here and use find by ID on car-list page with non admin user, it should redirect to Access Denied page.
|
It should run in any JavaEE/JakartaEE 8 application server.
It was tested with WildFly 16.0.0
and Glassfish/Payara 5
.
Or using docker:
docker run -it --rm -p 8080:8080 rmpestano/admin-starter-security
The application is available at http://localhost:8080/admin-starter