7 Replies Latest reply on Apr 25, 2006 11:02 PM by gavin.king

    deny access to secured pages via get-requests (discuss plz!)

    andy.2003

      Hello,

I spent the whole day (and night) trying to find a solution for a common problem:

If a client bookmarks a Seam page and tries to access this page via get request, the page is rendered and no action/validation is invoked. There is no simple way to redirect the user to the login page.

      I don't want to use a @Factory annotation, because the user should first be authenticated.

Is there a simple possibility to redirect a user to a welcome page if he is not logged in? (...and entered a page via get request)

      I tried to solve this problem with JAAS and security-constraint in web.xml, but it doesn't fit.

      Has anybody solved this problem?

      - Andreas

        • 1. Re: deny access to secured pages via get-requests (discuss p
          gavin.king

          Use a Seam page action.

          • 2. Re: deny access to secured pages via get-requests (discuss p
            andy.2003

So far I tried to set up the following in web.xml:

            <error-page>
              <error-code>403</error-code>
              <location>/login.htm</location>
            </error-page>
            <security-constraint>
              <web-resource-collection>
                <web-resource-name>SSL Pages</web-resource-name>
                <url-pattern>/secure/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>PUT</http-method>
                <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                <role-name>AUTH</role-name>
              </auth-constraint>
              <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
            </security-constraint>


But there is no simple way to set the role ("AUTH") for a logged-in user (like in LoginAction), is there?

            A seam component to add such a role to a logged in user would be perfect!

            - Andreas

            • 3. Re: deny access to secured pages via get-requests (discuss p
              gavin.king

              Unfortunately the only method the servlet spec provides to add a role is to use the crappy servlet authentication mechanisms. There is no good standard way to get at the underlying JAAS stuff.

              This is basically a total mess and we are looking into what we can do to fix this in JBoss (and eventually fix the stupid servlet spec).

              • 4. Re: deny access to secured pages via get-requests (discuss p
                andy.2003


                "gavin.king@jboss.com" wrote:
                This is basically a total mess and we are looking into what we can do to fix this in JBoss (and eventually fix the stupid servlet spec).


This is what I'd discovered... I thought that there must be a way to easily add a role to a user, but there is no way.

                So now I added this to pages.xml:

                <pages>
                  <page view-id="/admin/*" action="#{login.loggedIn}"/>
                </pages>


                and I got this action:

                // Page action bound in pages.xml; a non-null outcome navigates away
                // from the secured view before it is rendered.
                public String loggedIn() {
                    if (sessionContext.get(LOGGED_IN) != null) {
                        return null; // already logged in: render the requested page
                    }
                    return "login"; // not logged in: go to the login page instead
                }


This works well (but why is there a conversationId added to the parameters? I didn't start any conversation)

                - Andreas
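A fuller version of the page-action approach from the post above, added here as an example and not code from the thread: a session-scoped Seam component that records the login in the session context, and a page action that keeps /admin/* views from rendering (on a bookmarked GET as well as on a postback) unless that record exists. The component name login and the #{login.loggedIn} binding match the thread; the LOGGED_IN key, the UserStore component, and the outcome names are assumptions.

```java
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.contexts.Context;

// Component name "login" matches the #{login.loggedIn} expression in the thread;
// the key name, UserStore and outcome names are assumed for this example.
@Name("login")
@Scope(ScopeType.SESSION)
public class LoginAction {
    // Session key marking an authenticated user (assumed name).
    private static final String LOGGED_IN = "loggedIn";

    // Seam's built-in session context component, injected by name.
    @In
    private Context sessionContext;

    // Hypothetical application component that checks credentials against the real user store.
    @In
    private UserStore userStore;

    private String username;
    private String password;

    // Bound to the login form's submit button.
    public String login() {
        if (userStore.isValid(username, password)) {
            sessionContext.set(LOGGED_IN, username); // record who logged in, not just a flag
            return "home";
        }
        return null; // stay on the login page; do not say which part of the credentials failed
    }

    public void logout() {
        sessionContext.remove(LOGGED_IN);
    }

    // Page action for <page view-id="/admin/*" action="#{login.loggedIn}"/>.
    // Seam calls it before the view is rendered, so it also runs for a plain GET
    // from a bookmark, and on every postback to that view (keep it cheap).
    // A non-null outcome is resolved by a faces-config.xml navigation rule
    // (e.g. "login" -> /login.xhtml), so the secured page is never rendered.
    public String loggedIn() {
        return sessionContext.get(LOGGED_IN) != null ? null : "login";
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```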

                • 5. Re: deny access to secured pages via get-requests (discuss p
                  andy.2003


                  "Andy.2003" wrote:
                  ... but why there is a conversationId added to the parameters? I didn't start any conversation


                  It was because of the redirect Filter ;-)

                  • 6. Re: deny access to secured pages via get-requests (discuss p
                    andy.2003

                    I mentioned: if I use pages.xml as shown above (<page view-id="/admin/*" action="#{login.loggedIn}"/>), the loggedIn method is always invoked (not only for get requests).
                    So for a normal action event the login checking code is run twice: in the LoggedInInterceptor and in the loggedIn method specified in pages.xml.
Is there a way (-> feature request) to say that the entry in pages.xml is only used for get requests? Like e.g.

                    <page view-id="/admin/*" action="#{login.loggedIn}" scope="get"/>


                    - Andreas

                    • 7. Re: deny access to secured pages via get-requests (discuss p
                      gavin.king

                      No, there is no way to do this.