1. Re: deny access to secured pages via get-requests (discuss p
gavin.king Apr 24, 2006 3:12 PM (in response to andy.2003)
Use a Seam page action.
2. Re: deny access to secured pages via get-requests (discuss p
andy.2003 Apr 24, 2006 3:15 PM (in response to andy.2003)
So far I tried to set up the following in web.xml:

    <error-page>
        <error-code>403</error-code>
        <location>/login.htm</location>
    </error-page>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL Pages</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>AUTH</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

but there is no simple way to set the role ("AUTH") for a logged-in user (like in LoginAction), is there?
A seam component to add such a role to a logged in user would be perfect!
- Andreas -
3. Re: deny access to secured pages via get-requests (discuss p
gavin.king Apr 24, 2006 3:20 PM (in response to andy.2003)
Unfortunately the only method the servlet spec provides to add a role is to use the crappy servlet authentication mechanisms. There is no good standard way to get at the underlying JAAS stuff.
This is basically a total mess and we are looking into what we can do to fix this in JBoss (and eventually fix the stupid servlet spec).
4. Re: deny access to secured pages via get-requests (discuss p
andy.2003 Apr 24, 2006 3:33 PM (in response to andy.2003)
"gavin.king@jboss.com" wrote:
    This is basically a total mess and we are looking into what we can do to fix this in JBoss (and eventually fix the stupid servlet spec).
This is what I'd discovered... I thought that there must be a way to easily add a role to a user, but there is no way.
So now I added this to pages.xml:

    <pages>
        <page view-id="/admin/*" action="#{login.loggedIn}"/>
    </pages>

and I got this action:

    // Page action for the /admin/* views: a null outcome lets the page render,
    // the "login" outcome sends the user to the login page via JSF navigation.
    public String loggedIn() {
        if (sessionContext.get(LOGGED_IN) != null) {
            return null;
        }
        return "login";
    }

This works well (but why is there a conversationId added to the parameters? I didn't start any conversation).
- Andreas -
5. Re: deny access to secured pages via get-requests (discuss p
andy.2003 Apr 24, 2006 4:45 PM (in response to andy.2003)
"Andy.2003" wrote:
    ... but why is there a conversationId added to the parameters? I didn't start any conversation
It was because of the redirect filter ;-)
6. Re: deny access to secured pages via get-requests (discuss p
andy.2003 Apr 25, 2006 8:35 PM (in response to andy.2003)
I noticed that if I use pages.xml as shown above (<page view-id="/admin/*" action="#{login.loggedIn}"/>), the loggedIn method is always invoked (not only for GET requests).
So for a normal action event the login-checking code is run twice: in the LoggedInInterceptor and in the loggedIn method specified in pages.xml.
Is there a way (-> feature request) to say that the entry in pages.xml is only used for GET requests? Like, e.g.:

    <page view-id="/admin/*" action="#{login.loggedIn}" scope="get"/>
- Andreas -
7. Re: deny access to secured pages via get-requests (discuss p
gavin.king Apr 25, 2006 11:02 PM (in response to andy.2003)
No, there is no way to do this.
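Added example (editor's code, not posted by anyone in this thread): a complete Seam 1.x component behind the pages.xml page action from post 4, extended with the two things a practitioner would add around it. It records the denied view id server-side so the user can be sent back to it after a successful login, and it provides a logout that invalidates the HTTP session rather than only clearing the flag. The class name, the LOGGED_IN and REQUESTED_VIEW keys and the "login"/"home" outcomes are assumptions; the Seam annotations, the injected session Context and the JSF calls are standard Seam 1.x / JSF 1.1 API. Wiring a credential check is left to the application's own login action, which should call markLoggedIn() on success.

```java
// Added example, not code from the original thread.
package example.security;

import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.contexts.Context;

/**
 * Referenced from pages.xml as #{login.loggedIn}. Because a page action runs for
 * every request that renders the matching view (initial GET and postbacks alike),
 * an unauthenticated GET to /admin/foo.seam never reaches the page's rendering.
 */
@Name("login")
@Scope(ScopeType.SESSION)
public class LoginAction {

    /** Session-context key that marks an authenticated session (assumed name). */
    public static final String LOGGED_IN = "loggedIn";

    /** Session-context key holding the view id that was denied (assumed name). */
    public static final String REQUESTED_VIEW = "requestedView";

    /** Seam's built-in session context, injected by name. */
    @In
    private Context sessionContext;

    /**
     * Page action. null lets the view render; "login" is handed to JSF navigation,
     * which must map it to the login page (use <redirect/> so the secured URL is
     * not left in the address bar).
     */
    public String loggedIn() {
        if (sessionContext.get(LOGGED_IN) != null) {
            return null;
        }
        FacesContext ctx = FacesContext.getCurrentInstance();
        if (ctx != null && ctx.getViewRoot() != null) {
            // Taken from the view root, not from a request parameter, so it cannot
            // be turned into an open redirect by a crafted link.
            sessionContext.set(REQUESTED_VIEW, ctx.getViewRoot().getViewId());
        }
        return "login";
    }

    /** Called by the application's login action once credentials have been verified. */
    public void markLoggedIn(String username) {
        sessionContext.set(LOGGED_IN, username);
    }

    /**
     * Sends the browser back to the view denied before login, if any. Returns false
     * when there is nothing to return to, so the caller can fall back to an outcome.
     */
    public boolean redirectToRequestedView() throws IOException {
        String viewId = (String) sessionContext.get(REQUESTED_VIEW);
        if (viewId == null) {
            return false;
        }
        sessionContext.remove(REQUESTED_VIEW);
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();
        String url = ctx.getApplication().getViewHandler().getActionURL(ctx, viewId);
        ext.redirect(ext.encodeActionURL(url));
        ctx.responseComplete();
        return true;
    }

    /** Invalidates the whole servlet session instead of only removing the flag. */
    public String logout() {
        sessionContext.remove(LOGGED_IN);
        HttpSession session =
            (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return "home";
    }
}
```

A login action would typically do `login.markLoggedIn(user); if (!login.redirectToRequestedView()) return "home";`. As post 6 observes, the check in loggedIn() also runs on postbacks that the LoggedInInterceptor already guards; that duplication is a cheap session lookup and is preferable to skipping the page action on non-GET requests, since a POST aimed directly at a secured view without a Seam action invocation would then bypass the interceptor.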