15.6.4. Securing pages
To use page security, you will need a
pages.xml
file. Page security is easy to configure: simply include a <restrict/>
element in the page
elements that you want to secure. If no explicit restriction is specified in the restrict
element, access via a non-Faces (GET) request requires an implied /viewId.xhtml:render
permission, and /viewId.xhtml:restore
permission is required when any JSF postback (form submission) originates from the page. Otherwise, the specified restriction will be evaluated as a standard security expression. Some examples are:
<page view-id="/settings.xhtml"> <restrict/> </page>
This page requires an implied permission of
/settings.xhtml:render
for non-Faces requests, and an implied permission of /settings.xhtml:restore
for Faces requests.
<page view-id="/reports.xhtml"> <restrict>#{s:hasRole('admin')}</restrict> </page>
Both Faces and non-Faces requests to this page require that the user is a member of the
admin
role.