org.jboss.seam.security.AuthorizationException not caught
tathagat Dec 10, 2008 2:18 PM
Hi all.
I have a basic Seam application with security set up in pages.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://jboss.com/products/seam/pages"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.0.xsd"
       login-view-id="/loginPage.xhtml">
    <page view-id="/members/*" login-required="true"/>
    <page view-id="/members/tutor/*">
        <restrict>#{s:hasRole('tutor')}</restrict>
    </page>
    <page view-id="/members/student/*">
        <restrict>#{s:hasRole('student')}</restrict>
    </page>
    <!-- other navigations -->
    <exception class="org.jboss.seam.security.NotLoggedInException">
        <redirect view-id="/loginPage.xhtml">
            <message severity="INFO">You must be logged in to perform this action</message>
        </redirect>
    </exception>
    <exception class="org.jboss.seam.security.AuthorizationException">
        <end-conversation/>
        <redirect view-id="/security_error.xhtml">
            <message>You do not have the necessary security privileges to perform this action.</message>
        </redirect>
    </exception>
</pages>
When I am not logged in, I am automatically forwarded to loginPage.xhtml. Good.
I give myself the role tutor.
When I try to access a page members/tutor/test.html - I can access it. No exception thrown.
BUT when I try to access members/student/test.html - (I need role student) - An exception is thrown as follows:
org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasRole('student')}]
    at org.jboss.seam.security.Identity.checkRestriction(Identity.java:216)
    at org.jboss.seam.navigation.Page.checkPermission(Page.java:241)
    at org.jboss.seam.navigation.Page.preRender(Page.java:261)
    at org.jboss.seam.navigation.Pages.preRender(Pages.java:369)
    at org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:562)
    at org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:473)
    at org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:146)
    at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:116)
    at org.apache.myfaces.lifecycle.PhaseListenerManager.informPhaseListenersBefore(PhaseListenerManager.java:73)
    at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:134)
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:152)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:164)
    at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
    at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
    at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:406)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at net.sf.ehcache.constructs.web.filter.GzipFilter.doFilter(GzipFilter.java:75)
    at net.sf.ehcache.constructs.web.filter.Filter.doFilter(Filter.java:92)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:595)
This is not being caught by pages.xml. I am not sure what is happening, because NotLoggedInException works fine, but AuthorizationException does not.
I also tried catching ALL exceptions by doing the following, but it still does not work.
<exception>
    <end-conversation/>
    <redirect view-id="/security_error.xhtml">
        <message>You do not have the necessary security privileges to perform this action.</message>
    </redirect>
</exception>
Please help.
Thanks in advance.
T
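
The access rules in the pages.xml above, resolved per view-id, as an added example that is not part of the original post. It assumes that a view-id ending in `*` matches by prefix and that every matching `<page>` entry applies; `rules_for`, `decide` and the leading-slash view-ids are hypothetical names chosen here.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p": "http://jboss.com/products/seam/pages"}

# Constructed sample: only the <page> rules from the pages.xml in the post.
PAGES_XML = """<pages xmlns="http://jboss.com/products/seam/pages"
       login-view-id="/loginPage.xhtml">
  <page view-id="/members/*" login-required="true"/>
  <page view-id="/members/tutor/*">
    <restrict>#{s:hasRole('tutor')}</restrict>
  </page>
  <page view-id="/members/student/*">
    <restrict>#{s:hasRole('student')}</restrict>
  </page>
</pages>"""

# Only restrictions of the form #{s:hasRole('x')} are modelled here.
ROLE_EXPR = re.compile(r"#\{s:hasRole\('([^']+)'\)\}")

def rules_for(view_id, xml_text=PAGES_XML):
    """Return (login_required, required_roles) for a view-id."""
    root = ET.fromstring(xml_text)
    login, roles = False, []
    # Assumption: wildcard entries stack, least specific (shortest) first.
    pages = sorted(root.findall("p:page", NS), key=lambda p: len(p.get("view-id")))
    for page in pages:
        pattern = page.get("view-id")
        if pattern.endswith("*"):
            matched = view_id.startswith(pattern[:-1])
        else:
            matched = view_id == pattern
        if not matched:
            continue
        login = login or page.get("login-required") == "true"
        for restrict in page.findall("p:restrict", NS):
            m = ROLE_EXPR.fullmatch((restrict.text or "").strip())
            if m:
                roles.append(m.group(1))
    return login, roles

def decide(view_id, logged_in, user_roles):
    """Model the outcome for a request: 'login', 'denied' or 'ok'."""
    login, roles = rules_for(view_id)
    if not logged_in and (login or roles):
        return "login"    # the NotLoggedInException / login-view-id path
    if any(r not in user_roles for r in roles):
        return "denied"   # the AuthorizationException path
    return "ok"
```

With role tutor only, `/members/student/test.html` resolves to `denied`, which matches the failed `#{s:hasRole('student')}` check in the trace: the restriction itself is doing its job, and only the handling of the exception is in question.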