3 Replies Latest reply on Dec 17, 2008 3:18 PM by vitorsouzabr

    Authorization and web pages

    vitorsouzabr

      Hi there. I know I deserve a RTFM because I probably haven't studied enough, but if anyone is willing to share their experience on this, I'd be really thankful!


      I have a POJO called ManageInstitutionsAction, which is a CRUD for Institution entities. I annotated the whole class with @Restrict("#{s:hasRole('admin')}"), as only administrators can use it.


      Now, if an unidentified user tries to open http://localhost:8080/sigme/core/manageInstitutions/list.seam, none of the resources that refer to the Action class will be available, but the list.xhtml page will render nonetheless (with empty controls, like the data table that shows the existing entities).


      To fix that, I surrounded the whole page with <s:div rendered="#{s:hasRole('admin')}"> </s:div>. But then it just renders a blank page. Instead, I'd like to redirect the user to a /not-logged-in.seam page. How do I do that?


      Thank you,


      Vitor Souza

        • 1. Re: Authorization and web pages
          abafna.bafna.amit.gmail.com

          Add the restriction on pages.xml and evaluate the role to redirect as necessary.


          Cheers!!!


          Amit

          • 2. Re: Authorization and web pages
            brixtonasias

            Maybe this helps. I'd put this in your .page.xml-file:


            <page view-id="/reports.xhtml">
                <restrict>#{s:hasRole('admin')}</restrict>
            </page>




            For more info you might check out: Securing pages


            If you're putting

            @Restrict("#{s:hasRole('admin')}")

            on your action class - I'm not sure if it will also restrict access to the list, as the list is just reading the data, not editing it. I am a little new to Seam, so please feel free to correct me if I am talking nonsense. Thanks.

            • 3. Re: Authorization and web pages
              vitorsouzabr

              Thank you Amit and Stefan for the replies.


              I forgot to mention, but I was actually trying to avoid configuring every page in pages.xml. Even with wildcards, it may get verbose. But thanks anyways. I will keep searching and decide what's best in the end.


              Vítor Souza
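
The following pages.xml sketch is an added example, not posted by anyone in the thread. It combines the page-level restriction suggested above with a single wildcard entry and global exception redirects, so an anonymous request is redirected instead of rendering an empty page. The view ids are assumptions: /core/manageInstitutions/* and /not-logged-in.xhtml are derived from the URLs in the question, and /not-authorized.xhtml is a hypothetical page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. View ids are assumptions taken from the URLs in the
     question; /not-authorized.xhtml is a hypothetical page. -->
<pages xmlns="http://jboss.com/products/seam/pages"
       login-view-id="/not-logged-in.xhtml">

    <!-- One wildcard entry covers every view of the CRUD.
         login-required sends anonymous users to login-view-id before
         the view renders; restrict is then checked for users who are
         logged in. -->
    <page view-id="/core/manageInstitutions/*" login-required="true">
        <restrict>#{s:hasRole('admin')}</restrict>
    </page>

    <!-- Raised when a restriction fails and nobody is logged in, for
         example from @Restrict on the action class. -->
    <exception class="org.jboss.seam.security.NotLoggedInException">
        <redirect view-id="/not-logged-in.xhtml">
            <message>Please log in first.</message>
        </redirect>
    </exception>

    <!-- Raised when the user is logged in but lacks the admin role. -->
    <exception class="org.jboss.seam.security.AuthorizationException">
        <end-conversation/>
        <redirect view-id="/not-authorized.xhtml">
            <message>You are not allowed to view this page.</message>
        </redirect>
    </exception>

</pages>
```

Keeping @Restrict on the action class alongside this means the component stays protected even when a view is not matched by any pattern in pages.xml.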