1 Reply Latest reply on Jun 29, 2010 1:41 PM by sean.tozer

    seam security authorization with 3rd party authentication

    gebuh

      I'm having a lot of trouble with security.  I have a 3rd party authenticator, but I need to be able to prevent users from directly accessing pages (currently you can type a url with a cid in the address bar and go directly to any page).  I tried using

      <restrict>some restrict logic</restrict>

      in somepage.page.xml, but it has absolutely no effect.  I created an Authenticator class, it locks users out, but won't allow anyone in.  I have this:

      <page view-id="/*" action="#{authenticator.authenticate}" login-required="false"/>

      on pages.xml and components.xml (not sure why it's in both places) and this:

      security-enabled="false"

      in components.xml.  I've tried a bunch of different combinations, security-enabled=true, login-required=true, etc. I'm getting nowhere.  What is the purpose of the security-enabled switch?  I'm using Seam 2.2.0 with jboss 5.1.0.  Is there some configuration setting I'm missing?

        • 1. Re: seam security authorization with 3rd party authentication
          sean.tozer

          I'm a little confused.... you made authenticator.authenticate a page action for EVERY page? So every time it hits a page, it's going to try to log the user in? Authenticate should really only be called when the user is logging in, not constantly.

          <page view-id="/*" action="#{authenticator.authenticate}" login-required="false"/> seems very wrong. Especially in components.xml, there shouldn't be page descriptors in there at all. What that line basically says is every time a user accesses any page, try to log them in, but don't require logins for any page.

          --

          To keep a user from a page, you can specify

          <page ... login-required="true">

          on that page's .page.xml file. Or, if you need more fine-grained control, you can do something more like

          <restrict>#{s:hasRole('person_visitor')}</restrict>

          What was the "some restrict logic" that you tried to no effect?

          --

          Components.xml should have something more like this:


             <security:rule-based-permission-resolver security-rules="#{securityRules}"/>
          
             <security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>
          
             <factory name="currentSession" scope="stateless" value="#{facesContext.externalContext.request.session}" />
          
             <event type="org.jboss.seam.security.notLoggedIn">
                <action execute="#{redirect.captureCurrentView}"/>
             </event>
             <event type="org.jboss.seam.security.loginSuccessful">
                <action execute="#{redirect.returnToCapturedView}"/>
                <action execute="#{currentSession.setMaxInactiveInterval(3600)}"/>
             </event>

          That's just more or less what seam-gen should give you, incidentally.
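As an added example (not code from either poster, seam-gen, or the Seam project), this is what an authenticator component wired in through `<security:identity authenticate-method="#{authenticator.authenticate}"/>` looks like when the real credential check lives in a third-party system. The Seam types used (`Identity`, `Credentials`, `@Name`, `@In`, `@Logger`, `Log`) are the Seam 2 API; the `ExternalAuthClient` interface, its `verify` method and the component name `externalAuthClient` are hypothetical placeholders for whatever the external authenticator actually exposes. The two points the thread turns on are visible here: `authenticate()` must return `true` only when the external system accepts the credentials, and any roles that `#{s:hasRole('...')}` in a `<restrict>` is expected to see have to be added via `identity.addRole(...)` during that call.

```java
// Added example, not part of the thread: Seam 2.2 authenticator that delegates
// to a hypothetical third-party authentication client. Seam classes are real;
// ExternalAuthClient and its methods are placeholders.
package org.example.security;

import java.util.Collection;

import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Credentials;
import org.jboss.seam.security.Identity;

@Name("authenticator")
public class Authenticator {

    @Logger
    private Log log;

    // Seam's current Identity; roles added here are what <restrict> checks.
    @In
    private Identity identity;

    // Username/password bound from the login form (#{credentials.username} etc.).
    @In
    private Credentials credentials;

    // Hypothetical facade over the external authentication system, assumed to be
    // registered as a Seam component named "externalAuthClient" (placeholder).
    @In
    private ExternalAuthClient externalAuthClient;

    // Contract expected by authenticate-method: return true only on success.
    public boolean authenticate() {
        String username = credentials.getUsername();
        String password = credentials.getPassword();
        if (username == null || password == null || username.length() == 0) {
            return false;
        }

        ExternalAuthClient.Result result;
        try {
            result = externalAuthClient.verify(username, password);
        } catch (RuntimeException e) {
            // Fail closed: an unreachable or erroring authenticator lets nobody in.
            log.error("external authentication unavailable", e);
            return false;
        }

        if (result == null || !result.isAuthenticated()) {
            log.info("authentication rejected for {0}", username);
            return false;
        }

        // Roles reported by the external system become Seam roles, so
        // <restrict>#{s:hasRole('person_visitor')}</restrict> can evaluate them.
        for (String role : result.getRoles()) {
            identity.addRole(role);
        }
        log.info("authenticated {0}", username);
        return true;
    }

    // Hypothetical third-party client contract (placeholder, not a real library).
    public interface ExternalAuthClient {
        Result verify(String username, String password);

        interface Result {
            boolean isAuthenticated();
            Collection<String> getRoles();
        }
    }
}
```

With this in place the page-level protection is the one sean.tozer describes: `login-required="true"` in the page's `.page.xml` (or a `<page view-id="/secure/*" login-required="true"/>` entry in pages.xml) to force a login, and a `<restrict>` expression for per-role control. For the redirect to actually reach a login form, pages.xml also needs a `login-view-id` on its root `<pages>` element; without it an unauthenticated request has nowhere to go, which shows up as users being locked out rather than sent to log in.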