4 Replies Latest reply on Nov 3, 2010 6:30 AM by upstream

    Restriction on wizard pages created with 'include'

    upstream

      I have an application wizard in my code, using the a4j:include tag to fetch other xhtml documents for various steps in the application/wizard. I refer to the files I include as 'include-files', and to the main site with the wizard as the 'containing page'.

       

      When accessing the include-files directly in the browser, the include-files are rendered just the same as any non-restricted xhtml-file. My issues are that:

      1. some of these include-files should have restricted access

      2. none of the include-files should render outside the containing page of the wizard.

       

      Can anyone help me with what my options are to restrict and preferably disable rendering the include-files when not opened from within the containing page?

       

      Thanks for any help!

        • 1. Re: Restriction on wizard pages created with 'include'
          ilya_shaikovsky
          1. some of these include-files should have restricted access

          something like

           

          <a:include... rendered="#{rich:isUserInRole('e.g. access by role')}">

          2. none of the include-files should render outside the containing page of the wizard.

          https://facelets.dev.java.net/nonav/docs/dev/docbook.html#config-webapp-security

          • 2. Re: Restriction on wizard pages created with 'include'
            upstream

            Thank you for such fast help

            Ilya Shaikovsky wrote:

            1. some of these include-files should have restricted access

            something like

             

            <a:include... rendered="#{rich:isUserInRole('e.g. access by role')}">

            This solution only deals with rendering, not access to the file. For example, I don't want someone to be able to access the include-file by typing in the path in the browser. In other words, I was thinking more along the lines of how I use the <restrict>-tag in *.page.xml sites in my project. I am unsure if I should create a separate *.page.xml page per include file, and add the restriction there (or define the same in pages.xml) or if there are other ways to deal with this.

            2. none of the include-files should render outside the containing page of the wizard.

            https://facelets.dev.java.net/nonav/docs/dev/docbook.html#config-webapp-security

            I must have been unclear when describing my problem. We already have restricted access to all our xhtml-files using <security-constraint>. However, if writing in the path of an xhtml-file, a rendered page will be returned to the user. I don't wish include-files to be accessible outside their containing-page. I want include-files only to be rendered when included in another page. As it is now, the include-files can also be rendered by themselves, as a separate page.

             

            I want the include-files only to be rendered (and accessible) when appearing inside a containing page, and also only be accessible to defined user roles (as in #{identity.hasRole('ADMIN')} ).

            • 3. Re: Restriction on wizard pages created with 'include'
              upstream

              Is adding include-files to /web-INF/somefoldername/ a possibility to accomplish the above? Are there issues one should keep in mind with such a solution?

              • 4. Re: Restriction on wizard pages created with 'include'
                upstream

                I solved my issues by simply adding rendered="#{identity.hasRole('ADMIN')}" to all vital components on the included pages (as s:fragment around all content did not work). That way no vital information or functions should be rendered without proper authorization. Also added @Restrict-annotation to certain key functions in the java-code as well.

                 

                Reading more I see that my problem revolves around how page navigation works. In my pages.xml page (using Seam) I have page navigation using redirect for most pages, but when creating the wizard with the include-tag, I use the render-tag for the view-id I want included in the containing page. I think the restrictions I wanted to add at a page-level cannot be implemented due to how 'render' acts in the lifecycle of JSF and Seam.

                 

                <page view-id="/wizard.xhtml">
                        <navigation>
                            <rule if-outcome="success">
                                <render view-id="/wizardStep1.xhtml"/>
                            </rule>
                        </navigation>
                </page>

                VS

                <page view-id="/wizardStep3.xhtml">
                        <navigation>
                            <rule if-outcome="success">
                                <redirect view-id="/confirmation.xhtml"/>
                            </rule>
                        </navigation>
                </page>

                 

                The bottom works well with its own confirmation.page.xml site defining restrictions and requiring login. The former on the other side will not render if a wizardStep1.page.xml page is created. I am assuming this has to do with how redirect and render work, but I don't know what the reason is. Any information or links with some more information on how render/redirect work would be appreciated.
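
Added example, not part of the original thread and not code from any poster: a `web.xml` fragment that makes the servlet container reject direct browser requests for the include-files, as an alternative to moving them under WEB-INF. It assumes the include-files sit in a hypothetical `/wizard-steps/` directory and that the include tag resolves them inside the server rather than through a new client request; container security constraints apply only to requests coming from the client.

```xml
<!-- web.xml fragment (added example). The /wizard-steps/ directory is a
     hypothetical location for the include-files, not a path from the thread. -->
<security-constraint>
    <display-name>Block direct requests for wizard include-files</display-name>
    <web-resource-collection>
        <web-resource-name>Wizard include-files</web-resource-name>
        <!-- Path-prefix pattern: matches every URL under the directory,
             whichever extension the Faces servlet is mapped to. -->
        <url-pattern>/wizard-steps/*</url-pattern>
        <!-- No <http-method> elements, so the constraint covers all methods. -->
    </web-resource-collection>
    <!-- Empty auth-constraint: no role is permitted, so the container denies
         every client request that matches the pattern. This differs from a
         role-based constraint on *.xhtml, which still lets an authorized
         user request an include-file on its own. -->
    <auth-constraint/>
</security-constraint>
```

The containing page stays outside this pattern and keeps its own role checks; the `rendered` conditions and `@Restrict` annotations described above still decide what each role sees inside the wizard.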