4 Replies Latest reply on Apr 1, 2008 7:31 PM by geej15

    Static pdf docs in Seam application with authentication & authorization

    geej15

      Hello,


      I am trying to include some static pdf and html pages in a Seam application I have.  Including them and accessing them is not an issue, but restricting access is.  I am using JBoss 4.2 and Seam 2.0 and have set up SSO between three Seam applications using JOSSO.  Everything works fine for xhtml pages, but anytime I access the static pdf and html pages, no authentication or authorization restrictions are applied.  I'm wondering what the best way to handle this is.  An example url that contains one of the pdf documents:



      https://localhost:8443/webapp/techpapers/paper.pdf




      An excerpt from my pages.xml configuration file:



          <page view-id="/techpapers/*" login-required="true" action="#{docsAuth.checkLogin}">
            <restrict>#{s:hasRole('admin')}</restrict>
          </page>



      Any help/suggestions would be appreciated.


      Geoff

        • 1. Re: Static pdf docs in Seam application with authentication & authorization
          dustismo

          If you serve the pdf through an intermediary servlet you should be able to restrict access much easier.


          I'm not sure that using pages.xml will work for anything except .xhtml pages.  I'd be curious if you figured out how to do it though.


          good luck,


          Dustin
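
The intermediary-servlet approach suggested in the reply above, as an added example that is not code from the thread or from Seam. The class name, the `/papers/*` mapping and the `/WEB-INF/techpapers/` location are assumptions; the `admin` role is taken from the pages.xml excerpt, and the check assumes the container login populates roles for the standard Servlet API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, assumed to be mapped to /papers/* in web.xml.
// PDFs are assumed to sit under /WEB-INF/techpapers/, which the container
// never serves directly, so this servlet is the only route to them.
public class ProtectedPdfServlet extends HttpServlet {
    private static final String BASE = "/WEB-INF/techpapers/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // isUserInRole() is false for unauthenticated requests as well,
        // so this one check covers both login and authorization.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Accept only a flat file name ending in .pdf: no "/", "\" or "..".
        String path = req.getPathInfo();               // e.g. "/paper.pdf"
        String name = (path == null) ? "" : path.substring(1);
        if (!name.matches("[A-Za-z0-9][A-Za-z0-9._-]*\\.pdf") || name.contains("..")) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        InputStream in = getServletContext().getResourceAsStream(BASE + name);
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try {
            resp.setContentType("application/pdf");
            // Keep restricted documents out of shared caches.
            resp.setHeader("Cache-Control", "private, no-store");
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```
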

          • 2. Re: Static pdf docs in Seam application with authentication & authorization
            geej15

            Thanks for the suggestion.  It looks like that is what I will have to do.


            I just realized another issue today.  Documents that I converted from regular html to xhtml are protected only if they are accessed via their .seam extension.  If someone finds the .xhtml document, they can access it without facing any of the security restrictions set up via pages.xml or the restrictions using the rendered attribute in the pages themselves.  Any suggestions on how to lock the content of the xhtml documents down?


            Thanks,
            Geoff

            • 3. Re: Static pdf docs in Seam application with authentication & authorization
              pmuir

              Add a security constraint to web.xml:


                <!-- servlets and such would be above -->
              
                <security-constraint>      
                  <display-name>Restrict XHTML Documents</display-name>
                  <web-resource-collection>
                    <web-resource-name>XHTML</web-resource-name>
                    <url-pattern>*.xhtml</url-pattern>
                  </web-resource-collection>
                  <auth-constraint>
                    <description>Only Let 'developer's access XHTML pages</description>
                    <role-name>developer</role-name>
                  </auth-constraint>
                </security-constraint>

              • 4. Re: Static pdf docs in Seam application with authentication & authorization
                geej15

                This is the direction I ended up heading down, thanks for the hint.  This successfully protects .xhtml content, but is there also a way to do this for static .pdf docs?  I was able to protect them, but authorized users are not able to access them either, no one is.  I'm not sure if I'm missing some configuration piece or if I am not correctly integrating with JOSSO to set a user's role in a way understood via the web.xml.  I think it may be due to the way I configured the server.xml file in jboss-web to use JOSSO, but I'm not sure.


                Thanks for any hints.


                Geoff