2 Replies Latest reply on Jan 17, 2012 1:10 PM by bwilly

    Seam Security 3 Authorization Restricted View Renders on first request, but not subsequent

    bwilly

      The first request for a restricted view will always render. But actions on that page will result in a @AccessDeniedView outcome -- the proper outcome.


      And the cycle is endless. For example, if in, say, the nav, I have a link to myRestrictedView.xhtml and I click it, the restricted view will render (when it should not). But, now that I am on the restricted view page, if I click from the nav myRestrictedView.xhtml, I will be routed to a denied view page. Now that I am no longer on a restricted view, if I click the very same link in the nav, the myRestrictedView.xhtml will render.


      I have a theory that the PhaseIdType.RESTOREVIEW is honoring the authorization restricted view, but not the PhaseIdType.RENDERRESPONSE. Thus, when on the restricted page and an action is clicked, I am bounced from the page b/c PhaseIdType.RESTOREVIEW kicks me out, but when PhaseIdType.RESTOREVIEW does not execute for this page, then the view is rendered.


      This seems like a bug to me. Thoughts?


      Thanks,
      Brian