4 Replies Latest reply on Apr 13, 2008 6:18 PM by gtomassoni

    No redirection on NotLoggedInException

    gtomassoni

      I use this in pages.xml:


      <exception class="org.jboss.seam.security.NotLoggedInException">
           <end-conversation/>
           <redirect view-id="/unauthorized.xhtml" />
      </exception>

      <exception class="org.jboss.seam.security.AuthorizationException">
           <end-conversation/>
           <redirect view-id="/unauthorized.xhtml" />
      </exception>



      this in components.xml:


      <security:identity authenticate-method="#{authenticator.authenticate}" />
      
      



      and finally this at the top of a restricted class:


      @Restrict("#{s:hasRole('USER')}")
      
      



      The authenticator.authenticate method returns true when the user is successfully logged in, false otherwise. Also, it correctly establishes the roles the user belongs to. There is no login form, since I'm using an NTLMSSP filter to do this. Basically authenticator.authenticate returns false if the user doesn't even belong to the USER role (there are four roles). I would like to redirect unauthorized/insufficiently authorized users to a page instructing them to bother the sysop if they need to use this web app.


      When a role-protected method is accessed by an unauthenticated or insufficiently authorized user, the org.jboss.seam.security.NotLoggedInException or org.jboss.seam.security.AuthorizationException is fired and correctly logged, but no redirection takes place.


      This happens with both seam-2.0.1.GA and seam-2.0.2.CR1.


      Why? How can I fix this?


      Thanks.