I have a JSF2 based web-application secured with Apache Shiro. In my application I have some links like
<h:link outcome="someOutcome" value="my Link"/>
or action-links like
<h:commandLink action="#{myBean.someAction}" value="my Action" />
The JSF outcome "someOutcome" might be configured in a JSF navigation-rule to redirect to /some/url.xhtml.
My shiro configuration (shiro.ini) contains an entry for the corresponding URL:
/some/url.xhtml = perms[someRight]
And my backing-bean myBean is annotated like this:
@Named
@ConversationScoped
public class MyBean {
@RequiresPermissions('someRight')
public String someAction()
{
// do something
return null;
}
}
My requirement now is to disabled the links, if the permissions of current user are not sufficient.
Of course, I could add something like disabled="#{subject.isPermitted('someRight')}" to the <h:link>/<h:commandLink> components, but this way I would duplicate configuration which is already available via shiro.ini respectively annotations.
I'm thinking of something like
<h:link outcome="someOutcome"
disabled="#{security.isOutcomeAllowed('someOutcome')}"
value="my Link" />
which I could wrap in a composite-component to only specify someOutcome once. But how could the security-bean look like? Or is this the wrong approach?
Does anybody know a smart way for obtaining my goals?