5 Replies Latest reply on May 18, 2010 10:18 AM by gonzo13

Secure direct access to pageflow pages if no conversation is started

cannyduck Jul 13, 2008 10:28 PM

Hi,

lets look at a snippet of the newUser pageflow definition of the DVD store example.

    ...
    <start-state name="start">
        <transition to="account"/>
    </start-state>
    
    <page name="account" view-id="/newuser/account.xhtml">
        <redirect/>
        <transition name="next" to="checkPassword" />
    </page>

    <decision name="checkPassword" expression="#{editCustomer.validNamePassword}">
        <transition name="true" to="contact"/>
        <transition name="false" to="account">
            <!-- <action name="#{editCustomer.warnPassword}" /> action is never triggered -->
        </transition>
    </decision>


    <page name="contact" view-id="/newuser/contact.xhtml"
          no-conversation-view-id="/newuser/account.xhtml">
        <redirect/>
        <transition name="prev" to="account"/>
        <transition name="next" to="card"/>
    </page>
    ...

It is possible to access the contact view directly via URL, if there is no conversation started. So I can jump in the middle of a conversation, nor there is an acitve conversation.
Is there a way to prevent that?

Best regards

CannyDuck

1. Re: Secure direct access to pageflow pages if no conversation is started

pmuir Jul 14, 2008 12:13 AM (in response to cannyduck)

Use a pages.xml action to check if there is a conversation active, if not redirect elsewhere.
Actions
2. Re: Secure direct access to pageflow pages if no conversation is started

cannyduck Jul 14, 2008 12:20 AM (in response to cannyduck)

I thought that that is the job of the no-conversation-view-id.

I would be great if you can post a snippet what i have to write in the pages.xml.

Much thanks.
Actions
3. Re: Secure direct access to pageflow pages if no conversation is started

admin.admin.email.tld Jul 14, 2008 4:18 AM (in response to cannyduck)

Here is an example from section 7.1.2 of the Seam 2 ref pdf:

In this case, the no-conversation-view-id declaration goes in pages.xml. It tells Seam to redirect to a different
page if a request originates from a page rendered during a conversation, and that conversation no longer exists:
<page view-id="/checkout.xhtml" no-conversation-view-id="/main.xhtml"/>

This is the same syntax/logic as above for "contact".

Not sure why you need to invoke an action method.

Perhaps it's b/c in your case a conversation does not exist to begin with???

I found this in the Seam in Action MEAP:

<page conversation-required="true"
no-conversation-view-id="/CourseList.xhtml"
action="#{courseComparison.validate}">
<navigation from-action="#{courseComparison.validate}">
<rule if-outcome="invalid">
<redirect view-id="/CourseList.xhtml">
<message severity="warn">
You must select at least two courses.
</message>
</redirect>
</rule>
</navigation>
</page>

Perhaps, that's what Pete is talking about...
Actions
4. Re: Secure direct access to pageflow pages if no conversation is started

fshahy Dec 24, 2008 12:45 PM (in response to cannyduck)
Is there a way set

conversation-required="true" no-conversation-view-id="/home.xhtml"

for all pages, I mean not setting it for every page?

By the way when I use this

<page view-id="*" conversation-required="true" no-conversation-view-id="/home.xhtml">

my project does not run and falls in a loop.
Actions
5. Re: Secure direct access to pageflow pages if no conversation is started

gonzo13 May 18, 2010 10:18 AM (in response to cannyduck)

..any ideas or solutions so far???
Actions

Go to original post