org.jboss.seam.security.AuthorizationException not caught
tathagat Dec 10, 2008 2:18 PM

Hi all.
I have a basic seam application with security set up in pages.xml as follows:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://jboss.com/products/seam/pages"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.0.xsd"
       login-view-id="/loginPage.xhtml">

    <page view-id="/members/*" login-required="true"/>

    <page view-id="/members/tutor/*">
        <restrict>#{s:hasRole('tutor')}</restrict>
    </page>

    <page view-id="/members/student/*">
        <restrict>#{s:hasRole('student')}</restrict>
    </page>

    <!-- other navigations -->

    <exception class="org.jboss.seam.security.NotLoggedInException">
        <redirect view-id="/loginPage.xhtml">
            <message severity="INFO">You must be logged in to perform this action</message>
        </redirect>
    </exception>

    <exception class="org.jboss.seam.security.AuthorizationException">
        <end-conversation/>
        <redirect view-id="/security_error.xhtml">
            <message>You do not have the necessary security privileges to perform this action.</message>
        </redirect>
    </exception>
</pages>
```
When I am not logged in, I am automatically forwarded to loginPage.xhtml. Good.
I give myself the role tutor.
When I try to access a page members/tutor/test.html - I can access it. No exception thrown.
BUT when I try to access members/student/test.html - (I need role student) - an exception is thrown as follows:
```
org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasRole('student')}]
    at org.jboss.seam.security.Identity.checkRestriction(Identity.java:216)
    at org.jboss.seam.navigation.Page.checkPermission(Page.java:241)
    at org.jboss.seam.navigation.Page.preRender(Page.java:261)
    at org.jboss.seam.navigation.Pages.preRender(Pages.java:369)
    at org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:562)
    at org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:473)
    at org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:146)
    at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:116)
    at org.apache.myfaces.lifecycle.PhaseListenerManager.informPhaseListenersBefore(PhaseListenerManager.java:73)
    at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:134)
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:152)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:164)
    at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
    at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
    at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:406)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at net.sf.ehcache.constructs.web.filter.GzipFilter.doFilter(GzipFilter.java:75)
    at net.sf.ehcache.constructs.web.filter.Filter.doFilter(Filter.java:92)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:595)
```
This is not being caught by pages.xml. I am not sure what is happening, because NotLoggedInException works fine, but AuthorizationException is not caught.
I also tried catching ALL exceptions by doing the following, but it still does not work.
```xml
<exception>
    <end-conversation/>
    <redirect view-id="/security_error.xhtml">
        <message>You do not have the necessary security privileges to perform this action.</message>
    </redirect>
</exception>
```
Please help.
Thanks in advance.
T
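Added example (not part of the post or of Seam): a small Python model of how the pages.xml above is evaluated, i.e. which view-id patterns apply to a request, which security exception the restriction would raise for a given login state and role set, and which `<exception>` handler that class resolves to. The embedded pages.xml is a constructed copy of the post's configuration, and the login/role logic is a simplified stand-in for Seam's `Identity.checkRestriction` (exact class-name matching for handlers; Seam also matches on superclasses).

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Constructed copy of the post's pages.xml (messages dropped; the shape is what matters here).
PAGES_XML = """<pages xmlns="http://jboss.com/products/seam/pages" login-view-id="/loginPage.xhtml">
  <page view-id="/members/*" login-required="true"/>
  <page view-id="/members/tutor/*"><restrict>#{s:hasRole('tutor')}</restrict></page>
  <page view-id="/members/student/*"><restrict>#{s:hasRole('student')}</restrict></page>
  <exception class="org.jboss.seam.security.NotLoggedInException">
    <redirect view-id="/loginPage.xhtml"/></exception>
  <exception class="org.jboss.seam.security.AuthorizationException">
    <end-conversation/><redirect view-id="/security_error.xhtml"/></exception>
</pages>"""

NS = "{http://jboss.com/products/seam/pages}"
HAS_ROLE = re.compile(r"#\{s:hasRole\('([^']+)'\)\}")   # only the s:hasRole form used in the post
NOT_LOGGED_IN = "org.jboss.seam.security.NotLoggedInException"
UNAUTHORIZED = "org.jboss.seam.security.AuthorizationException"

def load_pages(xml_text):
    """Return ([(view-id pattern, login-required, [restrict exprs])], [(class or None, redirect view-id)])."""
    root = ET.fromstring(xml_text)
    pages = [(p.get("view-id"), p.get("login-required") == "true",
              [r.text for r in p.findall(NS + "restrict")]) for p in root.findall(NS + "page")]
    handlers = [(e.get("class"), e.find(NS + "redirect").get("view-id"))
                for e in root.findall(NS + "exception")]
    return pages, handlers

def check_access(pages, view_id, logged_in, roles):
    """Every <page> whose pattern matches is applied (not just the most specific one).
    Returns the exception class that would be raised, or None when the view may render."""
    for pattern, login_required, restricts in pages:
        if not fnmatch(view_id, pattern):
            continue
        if (login_required or restricts) and not logged_in:
            return NOT_LOGGED_IN
        for expr in restricts:
            m = HAS_ROLE.fullmatch(expr.strip())
            if m is None or m.group(1) not in roles:   # unknown expression form is treated as denied
                return UNAUTHORIZED
    return None

def resolve_handler(handlers, exc_class):
    """First matching <exception>; one without a class attribute is a catch-all."""
    for cls, target in handlers:
        if cls is None or cls == exc_class:
            return target
    return None

if __name__ == "__main__":
    pages, handlers = load_pages(PAGES_XML)
    exc = check_access(pages, "/members/student/test.xhtml", True, {"tutor"})
    print(exc, "->", resolve_handler(handlers, exc))
```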