Help restrict access to pages before login
rmemoria Feb 13, 2007 2:23 PM
Hi all,
I've upgraded SEAM from 1.1.5 to 1.1.6.
All I want is to restrict access to some pages before the user logs in (in this example, restrict access to the /admin.xhtml page). This is my config:
components.xml
<security:identity authenticate-method="#{authenticator.login}"/>

<event type="org.jboss.seam.notLoggedIn">
    <action expression="#{redirect.captureCurrentView}"/>
</event>

<event type="org.jboss.seam.postAuthenticate">
    <action expression="#{redirect.returnToCapturedView}"/>
</event>
pages.xml
<pages>
    <page view-id="/admin.xhtml" >
        <restrict />
    </page>

    <page view-id="*">
        <navigation>
            <rule if-outcome="home">
                <redirect view-id="/index.xhtml"/>
            </rule>
        </navigation>
    </page>

    <page view-id="/login.xhtml">
        <navigation from-action="#{identity.login}">
            <rule if-outcome="success">
                <redirect view-id="/index.xhtml"/>
            </rule>
        </navigation>
    </page>

    <exception class="javax.persistence.EntityNotFoundException">
        <redirect view-id="/error.xhtml">
            <message>Not found</message>
        </redirect>
    </exception>

    <exception class="javax.persistence.OptimisticLockException">
        <end-conversation/>
        <redirect view-id="/error.xhtml">
            <message>Another user changed the same data, please try again</message>
        </redirect>
    </exception>

    <exception class="org.jboss.seam.security.AuthorizationException">
        <redirect>
            <message>You don't have permission to do this</message>
        </redirect>
    </exception>

    <exception class="org.jboss.seam.security.NotLoggedInException">
        <redirect view-id="/pub/login.xhtml">
            <message>Please log in first</message>
        </redirect>
    </exception>

    <exception>
        <redirect view-id="/error.xhtml">
            <message>Unexpected error, please try again</message>
        </redirect>
    </exception>
</pages>
and part of my login.xhtml:
<tr><td colSpan="2"><h:messages styleClass="erro" layout="table"/> </td></tr>
<tr>
    <td>#{messages.user_login}: </td>
    <td><h:inputText id="nome" value="#{identity.username}" ></h:inputText></td>
</tr>
<tr>
    <td>#{messages.password}: </td>
    <td><h:inputSecret value="#{identity.password}" /></td>
</tr>
<tr>
    <td></td>
    <td><h:commandButton id="btnOk" value="#{messages.enter}" action="#{identity.login}"></h:commandButton></td>
</tr>
If I try to access /admin.xhtml before login, the system redirects to /login.xhtml. That's ok!
After a successful login nothing happens, but if I check the JBoss console I see the same exception being raised in an infinite loop, forcing me to stop the server:
18:08:04,765 ERROR [SeamPhaseListener] uncaught exception
org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasPermission('/admin.xhtml', 'render', null)}]
    at org.jboss.seam.security.Identity.checkRestriction(Identity.java:174)
    at org.jboss.seam.pages.Page.enter(Page.java:186)
    at org.jboss.seam.core.Pages.enterPage(Pages.java:239)
    at org.jboss.seam.jsf.AbstractSeamPhaseListener.enterPage(AbstractSeamPhaseListener.java:242)
    at org.jboss.seam.jsf.AbstractSeamPhaseListener.beforeRender(AbstractSeamPhaseListener.java:193)
    at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:57)
I guess the reason is the <restrict/> tag inside the /admin.xhtml page in pages.xml, but it was the only way I found to redirect to the login page if the user isn't logged in.
Any help????
Ricardo Memória