10 Replies Latest reply on Feb 2, 2007 8:49 AM by gavin.king

    restricting access using pages.xml

    dustismo

      Hi,

      I am trying to restrict access to all files in /clients to logged in users. I added the following pages.xml to no avail:

      <!DOCTYPE pages PUBLIC
       "-//JBoss/Seam Pages Configuration DTD 1.1//EN"
       "http://jboss.com/products/seam/pages-1.1.dtd">
      
      <pages no-conversation-view-id="/index.xhtml">
        <page view-id="/clients/*">
          <restrict>#{identity.loggedIn}</restrict>
        </page>
      </pages>
      


      Nor does it work if I use a navigation rule (not sure if I did this right):

      <pages no-conversation-view-id="/index.xhtml">
      
        <page view-id="/clients/*">
          <navigation>
            <rule if="#{not identity.loggedIn}">
              <redirect view-id="/login.xhtml"/>
            </rule>
          </navigation>
        </page>
      </pages>
      


      I'd like the page to be bounced to /login.xhtml if the user is not logged in.
      Is there some other configuration I need to do to get the pages.xml to work?

      thanks,
      Dustin

        • 1. Re: restricting access using pages.xml
          pmuir

           

          "dustismo" wrote:
          Hi,

          I am trying to restrict access to all files in /clients to logged in users. I added the following pages.xml to no avail:

          
          <!DOCTYPE pages PUBLIC
           "-//JBoss/Seam Pages Configuration DTD 1.1//EN"
           "http://jboss.com/products/seam/pages-1.1.dtd">
          
          <pages no-conversation-view-id="/index.xhtml">
            <page view-id="/clients/*">
              <restrict>#{identity.loggedIn}</restrict>
            </page>
          </pages>
          


          This was a bug in 1.1.5 - it's fixed in CVS

          • 2. Re: restricting access using pages.xml
            gavin.king

            Is it? Was it?

            Bad. And good.


            Guys, I've scheduled a 1.1.6 release for next Wed, to get a few of these bugfixes out there. There will also be a couple of nice enhancements to the security stuff ;-)

            • 3. Re: restricting access using pages.xml
              dustismo

              Ok, so now I am running on the CVS version, which seems to help (sort of). Now when I try to access a page in the clients directory it throws an exception:

              19:30:22,185 INFO [Lifecycle] starting up: org.jboss.seam.security.identity
              19:30:22,193 ERROR [[/Infofilter3-Main]] Session event listener threw exception
              java.lang.NullPointerException
               at org.jboss.seam.core.Selector.getCookieValue(Selector.java:60)
               at org.jboss.seam.security.Identity.initCredentialsFromCookie(Identity.java:84)
               at org.jboss.seam.security.Identity.create(Identity.java:78)
               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
               at java.lang.reflect.Method.invoke(Method.java:585)
               at org.jboss.seam.util.Reflections.invoke(Reflections.java:18)
               at org.jboss.seam.util.Reflections.invokeAndWrap(Reflections.java:102)
               at org.jboss.seam.Component.callComponentMethod(Component.java:1826)
               at org.jboss.seam.Component.callCreateMethod(Component.java:1774)
               at org.jboss.seam.Component.newInstance(Component.java:1763)
               at org.jboss.seam.contexts.Lifecycle.startup(Lifecycle.java:164)
               at org.jboss.seam.contexts.Lifecycle.beginSession(Lifecycle.java:224)
               at org.jboss.seam.servlet.SeamListener.sessionCreated(SeamListener.java:41)
               at org.apache.catalina.session.StandardSession.tellNew(StandardSession.java:384)
               at org.apache.catalina.session.StandardSession.setId(StandardSession.java:356)
               at org.apache.catalina.session.ManagerBase.createSession(ManagerBase.java:824)
               at org.apache.catalina.session.StandardManager.createSession(StandardManager.java:290)
               at org.apache.catalina.connector.Request.doGetSession(Request.java:2223)
               at org.apache.catalina.connector.Request.getSession(Request.java:2024)
               at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:831)
               at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:842)
               at com.icesoft.faces.webapp.xmlhttp.PersistentFacesServlet.service(PersistentFacesServlet.java:220)
               at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:46)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
               at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
               at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
               at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
               at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
               at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
               at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
               at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
               at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
               at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
               at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
               at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
               at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
               at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
               at java.lang.Thread.run(Thread.java:595)
              19:30:22,311 INFO [Pages] reading pages.xml
              19:30:22,548 ERROR [AbstractSeamPhaseListener] Swallowing exception thrown by page action
              org.jboss.seam.security.NotLoggedInException
               at org.jboss.seam.security.Identity.checkRestriction(Identity.java:159)
               at org.jboss.seam.pages.Page.enter(Page.java:186)
               at org.jboss.seam.core.Pages.enterPage(Pages.java:239)
               at org.jboss.seam.jsf.AbstractSeamPhaseListener.enterPage(AbstractSeamPhaseListener.java:241)
               at org.jboss.seam.jsf.AbstractSeamPhaseListener.beforeRender(AbstractSeamPhaseListener.java:192)
               at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:53)
               at org.apache.myfaces.lifecycle.PhaseListenerManager.informPhaseListenersBefore(PhaseListenerManager.java:70)
               at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:373)
               at com.icesoft.faces.webapp.xmlhttp.PersistentFacesServlet.service(PersistentFacesServlet.java:402)
               at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:46)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
               at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
               at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
               at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
               at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
               at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
               at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
               at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
               at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
               at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
               at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
               at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
               at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
               at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
               at java.lang.Thread.run(Thread.java:595)
              



              So I tried to catch the NotLoggedInException in exceptions.xml

              <!DOCTYPE exceptions PUBLIC
               "-//JBoss/Seam Exceptions Configuration DTD 1.1//EN"
               "http://jboss.com/products/seam/exceptions-1.1.dtd">
              
              <exceptions>
                <exception class="org.jboss.seam.security.NotLoggedInException">
                  <redirect view-id="../login.xhtml">Please Log In</redirect>
                  <end-conversation/>
                </exception>
              </exceptions>
              


              Doesn't work. What am I doing wrong, and is this the suggested way to require a login for a directory?

              thanks,
              Dustin

              • 4. Re: restricting access using pages.xml

                I fixed that bug locally and the patch is ready to be sent to Gavin.

                • 5. Re: restricting access using pages.xml
                  shane.bryzak

                  This is fixed in CVS now.

                  • 6. Re: restricting access using pages.xml
                    cavani


                    I am trying to use page restriction with #{identity.loggedIn} but I am getting this (from CVS version):

                    10:36:00,554 ERROR [AbstractSeamPhaseListener] Swallowing exception thrown by page action
                    org.jboss.seam.security.NotLoggedInException
                     at org.jboss.seam.security.Identity.checkRestriction(Identity.java:160)
                     at org.jboss.seam.pages.Page.enter(Page.java:186)
                     at org.jboss.seam.core.Pages.enterPage(Pages.java:239)
                     at org.jboss.seam.jsf.AbstractSeamPhaseListener.enterPage(AbstractSeamPhaseListener.java:241)
                     at org.jboss.seam.jsf.AbstractSeamPhaseListener.beforeRender(AbstractSeamPhaseListener.java:192)
                     at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:53)
                    


                    Because of this in AbstractSeamPhaseListener.beforeRender:

                     try
                     {
                        actionsWereCalled = Pages.instance().enterPage( event.getFacesContext() );
                        return actionsWereCalled;
                     }
                     catch (RuntimeException re)
                     {
                        //we have to handle exceptions here because of
                        //how JSF defines exception handling from
                        //PhaseListener.beforePhase()
                        log.error("Swallowing exception thrown by page action", re);
                        return actionsWereCalled;
                     }
                     finally
                     {
                        Lifecycle.setPhaseId( PhaseId.RENDER_RESPONSE );
                        if (actionsWereCalled)
                        {
                           FacesMessages.afterPhase();
                           handleTransactionsAfterPageActions(event); //TODO: does it really belong in the finally?
                        }
                     }
                    


                    Then, exceptions.xml seems to be ignored here....
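
Added example (not part of the original thread and not Seam's code): a simplified Java model of the behaviour described in post 6, where the exception from a restriction check is caught and logged in the before-render hook so rendering still proceeds, next to a fail-closed variant that ends the response with a redirect to /login.xhtml. All class and method names and the view id /clients/list.xhtml are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model (hypothetical names, not Seam classes) of a render-phase access check.
public class RestrictionDemo {
    static class NotLoggedInException extends RuntimeException {}

    // Records what the request ended up doing, so both variants can be compared.
    static class Response {
        final List<String> events = new ArrayList<>();
        boolean complete = false;   // set once a redirect has been issued
    }

    static void checkRestriction(boolean loggedIn) {
        if (!loggedIn) throw new NotLoggedInException();
    }

    // Fail-open: the exception is logged and dropped, so rendering still happens.
    static void beforeRenderSwallowing(boolean loggedIn, Response r) {
        try {
            checkRestriction(loggedIn);
        } catch (RuntimeException e) {
            r.events.add("log: swallowed " + e.getClass().getSimpleName());
        }
    }

    // Fail-closed: a failed check ends the response with a redirect to the login view.
    static void beforeRenderFailClosed(boolean loggedIn, Response r) {
        try {
            checkRestriction(loggedIn);
        } catch (NotLoggedInException e) {
            r.events.add("redirect: /login.xhtml");
            r.complete = true;
        }
    }

    // The render step only runs if nothing has completed the response already.
    static void render(String viewId, Response r) {
        if (!r.complete) r.events.add("render: " + viewId);
    }

    public static void main(String[] args) {
        Response open = new Response();
        beforeRenderSwallowing(false, open);          // anonymous user
        render("/clients/list.xhtml", open);          // constructed view id
        System.out.println("swallowing : " + open.events);

        Response closed = new Response();
        beforeRenderFailClosed(false, closed);        // anonymous user
        render("/clients/list.xhtml", closed);
        System.out.println("fail-closed: " + closed.events);
    }
}
```

In the swallowing variant the only trace of the failed check is a log line, which is why a "Swallowing exception thrown by page action" entry next to a restricted view id is worth alerting on.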

                    • 7. Re: restricting access using pages.xml
                      cavani

                      Well.... this is a dirty fix..... works for me but is very indecent :)

                      in org.jboss.seam.pages.Page.enter(Page.java:186) from:

                       Identity.instance().checkRestriction(expr);
                      


                       try
                       {
                          Identity.instance().checkRestriction(expr);
                       }
                       catch (Exception e)
                       {
                          try
                          {
                             Exceptions.instance().handle(e);
                          }
                          catch (Exception ex)
                          {
                          }

                          return true;
                       }
                      


                      • 8. Re: restricting access using pages.xml
                        gavin.king

                        Would you please create an issue in JIRA for this, and assign to me.

                        Thanks.

                        • 9. Re: restricting access using pages.xml
                          cavani
                          • 10. Re: restricting access using pages.xml
                            gavin.king

                            thanks