3 Replies Latest reply on Dec 11, 2008 2:57 PM by tathagat

    org.jboss.seam.security.AuthorizationException not caught

    tathagat

      Hi all.
      I have a basic seam application with security set up in pages.xml as follows:



      <?xml version="1.0" encoding="UTF-8"?>
      <pages xmlns="http://jboss.com/products/seam/pages"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.0.xsd"
             login-view-id="/loginPage.xhtml">
      
           <page view-id="/members/*" login-required="true"/>
        
           <page view-id="/members/tutor/*">
               <restrict>#{s:hasRole('tutor')}</restrict>
           </page>
           
           <page view-id="/members/student/*">
               <restrict>#{s:hasRole('student')}</restrict>
           </page>
      
      
           <!-- other navigations -->
      
           <exception class="org.jboss.seam.security.NotLoggedInException">
                <redirect view-id="/loginPage.xhtml">
                     <message severity="INFO">You must be logged in to perform this action</message>
                </redirect>
           </exception>
           <exception class="org.jboss.seam.security.AuthorizationException">
              <end-conversation/>
              <redirect view-id="/security_error.xhtml">
                  <message>You do not have the necessary security privileges to perform this action.</message>
              </redirect>
          </exception>
      
      </pages>
      



      When I am not logged in, I am automatically forwarded to loginPage.xhtml. Good.


      I give myself the role tutor.
      When I try to access the page members/tutor/test.html, I can access it. No exception is thrown.


      BUT when I try to access members/student/test.html (I need the role student), an exception is thrown as follows:



      org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasRole('student')}]
              at org.jboss.seam.security.Identity.checkRestriction(Identity.java:216)
              at org.jboss.seam.navigation.Page.checkPermission(Page.java:241)
              at org.jboss.seam.navigation.Page.preRender(Page.java:261)
              at org.jboss.seam.navigation.Pages.preRender(Pages.java:369)
              at org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:562)
              at org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:473)
              at org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:146)
              at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:116)
              at org.apache.myfaces.lifecycle.PhaseListenerManager.informPhaseListenersBefore(PhaseListenerManager.java:73)
              at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:134)
              at javax.faces.webapp.FacesServlet.service(FacesServlet.java:152)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
              at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:164)
              at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
              at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
              at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:406)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at net.sf.ehcache.constructs.web.filter.GzipFilter.doFilter(GzipFilter.java:75)
              at net.sf.ehcache.constructs.web.filter.Filter.doFilter(Filter.java:92)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
              at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
              at java.lang.Thread.run(Thread.java:595)
      



      This is not being caught by pages.xml. I am not sure what is happening, because NotLoggedInException works fine, but AuthorizationException does not.


      I also tried catching ALL exceptions by doing the following, but it still does not work.


      <exception>
          <end-conversation/>
          <redirect view-id="/security_error.xhtml">
              <message>You do not have the necessary security privileges to perform this action.</message>
          </redirect>
      </exception>



      Please help.


      Thanks in advance.


      T
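An offline model of what the pages.xml above configures, added here as a constructed example that is neither part of the post nor Seam's own code: it applies wildcard view-id matching, the login-required check and the s:hasRole restrictions, then looks up which <exception> entry's redirect applies, so the tutor/student outcomes described in the post can be checked without a running server. The XML is a trimmed copy of the post's configuration; the evaluation order (login-required before <restrict>, an anonymous caller hitting a restriction gets NotLoggedInException) and the class-less <exception> acting as a catch-all are assumptions about Seam's behaviour.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET
NS = {"p": "http://jboss.com/products/seam/pages"}

# Constructed, trimmed copy of the pages.xml from the post (messages omitted).
PAGES_XML = """<pages xmlns="http://jboss.com/products/seam/pages" login-view-id="/loginPage.xhtml">
  <page view-id="/members/*" login-required="true"/>
  <page view-id="/members/tutor/*"><restrict>#{s:hasRole('tutor')}</restrict></page>
  <page view-id="/members/student/*"><restrict>#{s:hasRole('student')}</restrict></page>
  <exception class="org.jboss.seam.security.NotLoggedInException">
    <redirect view-id="/loginPage.xhtml"/>
  </exception>
  <exception class="org.jboss.seam.security.AuthorizationException">
    <redirect view-id="/security_error.xhtml"/>
  </exception>
</pages>"""

ROLE_EXPR = re.compile(r"#\{s:hasRole\('([^']+)'\)\}")  # only form used in the post

def check_access(xml_text, view_id, logged_in, roles):
    """Return "OK" or the exception Seam would raise. Assumed: a trailing '*' in
    view-id matches any suffix; login-required is checked before <restrict>."""
    root = ET.fromstring(xml_text)
    for page in root.findall("p:page", NS):
        if not fnmatch.fnmatchcase(view_id, page.get("view-id")):
            continue
        if page.get("login-required") == "true" and not logged_in:
            return "NotLoggedInException"
        for restrict in page.findall("p:restrict", NS):
            match = ROLE_EXPR.fullmatch(restrict.text.strip())
            if match is None:
                raise ValueError("unsupported restriction: %s" % restrict.text)
            if not logged_in:  # restriction evaluated for an anonymous caller
                return "NotLoggedInException"
            if match.group(1) not in roles:
                return "AuthorizationException"
    return "OK"

def handler_redirect(xml_text, exception_name):
    """View-id of the first matching <exception> redirect; an entry without a
    class attribute (the post's second attempt) is treated as a catch-all."""
    root = ET.fromstring(xml_text)
    for handler in root.findall("p:exception", NS):
        cls = handler.get("class")
        if cls is None or cls.rsplit(".", 1)[-1] == exception_name:
            redirect = handler.find("p:redirect", NS)
            return None if redirect is None else redirect.get("view-id")
    return None
```

With the post's configuration, a logged-in tutor reaches /members/tutor/test.html but gets AuthorizationException on /members/student/test.html, and that exception maps to /security_error.xhtml; the model shows the expected outcome, not why the redirect did not fire on the poster's server.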