7 Replies Latest reply on May 24, 2011 9:53 AM by erbora00.bora.erbas.gmail.com

    Change commited even if an AuthorizationException is thrown by @Restrict; flushmode = auto

    scatudal
    scatudal Apr 14, 2009 9:20 PM

      I have an unexpected behavior here: an exception is thrown and the entity manager still flushes.  Let me explain the context.


      On a POJO backing bean, I put an @Restrict on the save() method to make sure that the caller has the required permissions.  In the JSF page, it is possible to call the getters and setters in order to modify the entity.  Since the AuthorizationException is only thrown when the save method is invoked, the entity's values can be changed.


      The BIG problem here is that the entity manager will flush the changes made to the entity right after the AuthorizationException is thrown because of the flush-mode = auto.


      Note that if an identity.checkPermission is done inside the save method instead of around by the @Restrict, I get the expected behavior: no flush is done.


      I know that I could simply add this as a workaround :


      @Observer(value = Identity.EVENT_NOT_AUTHORIZED)
public void rollback() {
    entityManager.clear();
}



      Is that worth a JIRA or is it an expected behavior.


      Thanks everyone,
      Sylvain

        • 1. Re: Change commited even if an AuthorizationException is thrown by @Restrict; flushmode = auto
          shane.bryzak
          shane.bryzak Apr 14, 2009 11:05 PM (in response to scatudal)

          That's not expected behaviour, I suspect that it has something to do with interceptor ordering.  Could you please raise this in JIRA?

            • Actions
          • 2. Re: Change commited even if an AuthorizationException is thrown by @Restrict; flushmode = auto
            shane.bryzak
            shane.bryzak Apr 14, 2009 11:11 PM (in response to scatudal)

            Actually, I've just committed a small change to SVN that should address this.  It would be great if you could test this and let me know if it fixes your issue.

              • Actions
            • 3. Re: Change commited even if an AuthorizationException is thrown by @Restrict; flushmode = auto
              scatudal
              scatudal Apr 15, 2009 2:25 PM (in response to scatudal)

              Thanks for the quick answer.  I'll try to find some time to test this today.


              During integrated testing, I would get an EmptyStackException in a situation very similar to this one.  If I put the restrict around the method, I get an AuthorizationException and an EmptyStackException.  If the checkPermission is inside the method, I get the expected behavior.  I suspect that the source of the problem is the same. 


              I'll check this in the mean time.


              Thanks again,
              Sylvain

                • Actions
              • 4. Re: Change commited even if an AuthorizationException is thrown by @Restrict; flushmode = auto
                scatudal
                scatudal Apr 15, 2009 8:50 PM (in response to scatudal)

                It doesn't fix the issue.  Here is the stack trace:


                4:16:24,792 ERROR [application] org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
javax.faces.el.EvaluationException: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:102)
     at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
     at javax.faces.component.UICommand.broadcast(UICommand.java:387)
     at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:321)
     at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:296)
     at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:253)
     at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:466)
     at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:82)
     at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
     at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
     at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:177)
     at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:267)
     at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:380)
     at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:507)
     at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.web.HotDeployFilter.doFilter(HotDeployFilter.java:53)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at ca.mcgill.muhc.scn.util.TimingFilter.doFilter(TimingFilter.java:37)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
     at java.lang.Thread.run(Unknown Source)
Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
     at org.jboss.seam.security.Identity.checkPermission(Identity.java:590)
     at org.jboss.seam.security.SecurityInterceptor$Restriction.check(SecurityInterceptor.java:147)
     at org.jboss.seam.security.SecurityInterceptor.aroundInvoke(SecurityInterceptor.java:161)
     at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
     at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
     at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
     at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)
     at ca.mcgill.muhc.scn.user.role.action.EditRoleAction_$$_javassist_seam_16.save(EditRoleAction_$$_javassist_seam_16.java)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
     at java.lang.reflect.Method.invoke(Unknown Source)
     at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335)
     at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:348)
     at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
     at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
     at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
     at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
     ... 55 more
14:16:24,792 WARN  [lifecycle] #{editRole.save}: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
javax.faces.FacesException: #{editRole.save}: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
     at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118)
     at javax.faces.component.UICommand.broadcast(UICommand.java:387)
     at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:321)
     at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:296)
     at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:253)
     at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:466)
     at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:82)
     at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
     at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
     at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:177)
     at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:267)
     at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:380)
     at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:507)
     at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.web.HotDeployFilter.doFilter(HotDeployFilter.java:53)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at ca.mcgill.muhc.scn.util.TimingFilter.doFilter(TimingFilter.java:37)
     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
     at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
     at java.lang.Thread.run(Unknown Source)
Caused by: javax.faces.el.EvaluationException: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:102)
     at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
     ... 54 more
Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
     at org.jboss.seam.security.Identity.checkPermission(Identity.java:590)
     at org.jboss.seam.security.SecurityInterceptor$Restriction.check(SecurityInterceptor.java:147)
     at org.jboss.seam.security.SecurityInterceptor.aroundInvoke(SecurityInterceptor.java:161)
     at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
     at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
     at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
     at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)
     at ca.mcgill.muhc.scn.user.role.action.EditRoleAction_$$_javassist_seam_16.save(EditRoleAction_$$_javassist_seam_16.java)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
     at java.lang.reflect.Method.invoke(Unknown Source)
     at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335)
     at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:348)
     at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
     at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
     at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
     at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
     ... 55 more
14:16:24,808 ERROR [lifecycle] JSF1054: (Phase ID: INVOKE_APPLICATION 5, View ID: /user/role/editRole.xhtml) Exception thrown during phase execution: javax.faces.event.PhaseEvent[source=com.sun.faces.lifecycle.LifecycleImpl@1c4f4a1]
14:16:24,808 INFO  [STDOUT] Hibernate: 
    update
        ADMIN_ROLE 
    set
        Name=?,
        type=? 
    where
        role_id=?



                I'm finally setup to build and test with different versions of Seam so if there's something you want me to do, go ahead and ask! ;)

                  • Actions
                • 5. Re: Change commited even if an AuthorizationException is thrown by @Restrict; flushmode = auto
                  erbora00.bora.erbas.gmail.com
                  erbora00.bora.erbas.gmail.com May 18, 2011 2:16 PM (in response to scatudal)

                  Have you managed to resolve this?
                  I am having exactly the same problem with Seam 2.2.1 Final..
                  Even though the method execution is not permitted based on the permissions (and an AuthorizationException is thrown) the entity is updated in the database.


                  What would be the correct way to handle this? Any ideas?


                  Thanks...

                    • Actions
                  • 6. Re: Change commited even if an AuthorizationException is thrown by @Restrict; flushmode = auto
                    scatudal
                    scatudal May 18, 2011 2:24 PM (in response to scatudal)

                    To my knowledge, the issue has not been resolved.  I created an observer as suggested above.  Here is what my class looks like:




                    import javax.persistence.EntityManager;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.security.Identity;

@Name("notAuthorizedObserver")
public class NotAuthorizedObserver {

     @In
     EntityManager entityManager;

     @Observer(value = Identity.EVENT_NOT_AUTHORIZED)
     public void rollback() {
          entityManager.clear();
     }
}



                      • Actions
                    • 7. Re: Change commited even if an AuthorizationException is thrown by @Restrict; flushmode = auto
                      erbora00.bora.erbas.gmail.com
                      erbora00.bora.erbas.gmail.com May 24, 2011 9:53 AM (in response to scatudal)

                      Thanks for the information.
                      I will go with your suggestion.

                        • Actions