I have my own realm classes that extend AppservPasswordLoginModule and AppservRealm, where I get the user and roles from my own table in the database. In web.xml I defined access to pages, and it works. I have a mechanism that reads the main menu from my menu.xml file in my bean with the @SessionScoped annotation. I want to use the rules from web.xml to display only those items which the user has access to (as defined in web.xml), without repeating the configuration in my menu.xml file. I imagine that the solution might be to check access to the page when I create the menu item for this page in my SessionScoped bean, but I don't know how it could be checked easily. What is the best solution for this situation? I'm using GlassFish 4.1 and JSF 2.2.
I solved this by the following method:
In my ServletListener
@WebListener
public class ServletListener implements ServletContextListener {...}
I read the security-constraint elements from web.xml, parse them, and store them in my @ApplicationScoped bean.
In the @SessionScoped bean, in the @PostConstruct-annotated method, I get all roles stored in the @ApplicationScoped bean and check each one individually with the
FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role);
method.
So I have all of the current user's roles. Then, in my @SessionScoped bean, for each menu item I check whether the resource represented by the URL of this menu item is available for the roles that the current user has.
EDIT: The downside of this solution is that I am analyzing the web.xml file only, without annotations.
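The approach described in the answer above, as an added sketch that is not the poster's code: it parses the security-constraint elements of a web.xml and decides per menu URL whether a given role set may see it, using the Servlet best-match order for url-patterns and treating an empty auth-constraint as "nobody". The class name MenuAccess, the sample URLs and the roles are assumptions; http-method elements, the "*" and "**" role wildcards, the same pattern repeated across constraints, and annotations are not handled.

```java
import java.io.ByteArrayInputStream;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class MenuAccess { // hypothetical helper name
    private final Map<String, Set<String>> rules = new HashMap<>(); // pattern -> roles; null = open, empty = nobody
    MenuAccess(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document d = f.newDocumentBuilder().parse(new ByteArrayInputStream(webXml.getBytes("UTF-8")));
        NodeList cs = d.getElementsByTagName("security-constraint");
        for (int i = 0; i < cs.getLength(); i++) {
            Element c = (Element) cs.item(i);
            boolean open = c.getElementsByTagName("auth-constraint").getLength() == 0;
            for (String p : texts(c, "url-pattern"))
                rules.put(p, open ? null : new HashSet<String>(texts(c, "role-name")));
        }
    }
    static List<String> texts(Element e, String tag) {
        List<String> out = new ArrayList<>();
        NodeList n = e.getElementsByTagName(tag);
        for (int i = 0; i < n.getLength(); i++) out.add(n.item(i).getTextContent().trim());
        return out;
    }
    static boolean matches(String p, String path) {
        if (p.endsWith("/*")) return (path + "/").startsWith(p.substring(0, p.length() - 1));
        if (p.startsWith("*.")) return path.endsWith(p.substring(1));
        return p.equals("/") || p.equals(path);
    }
    static int rank(String p) { // exact > longest path prefix > extension > default "/"
        return p.endsWith("/*") ? p.length() : p.startsWith("*.") ? 1 : p.equals("/") ? 0 : Integer.MAX_VALUE;
    }
    boolean visible(String path, Set<String> userRoles) {
        String best = null; // only the best-matching pattern decides
        for (String p : rules.keySet())
            if (matches(p, path) && (best == null || rank(p) > rank(best))) best = p;
        Set<String> allowed = best == null ? null : rules.get(best);
        return allowed == null || !Collections.disjoint(allowed, userRoles);
    }
    public static void main(String[] args) throws Exception { // constructed sample web.xml, illustrative names
        String c = "<security-constraint><web-resource-collection><url-pattern>%s</url-pattern></web-resource-collection>%s</security-constraint>";
        MenuAccess m = new MenuAccess("<web-app>"
            + String.format(c, "/admin/*", "<auth-constraint><role-name>ADMIN</role-name></auth-constraint>")
            + String.format(c, "/reports/*", "<auth-constraint><role-name>USER</role-name></auth-constraint>")
            + String.format(c, "/internal/*", "<auth-constraint/>") + "</web-app>");
        for (String url : new String[] {"/admin/users.xhtml", "/reports/sales.xhtml", "/internal/x.xhtml", "/index.xhtml"})
            System.out.println(url + " visible=" + m.visible(url, Collections.singleton("USER")));
    }
}
```

In the session bean, the role set passed to visible() would be the one collected with isUserInRole as the answer describes. The result only controls which menu items are rendered; the container still enforces the web.xml constraints on every request.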