1. Re: seam security authorization with 3rd party authentication
sean.tozer Jun 29, 2010 1:41 PM (in response to gebuh)

I'm a little confused... you made authenticator.authenticate a page action for EVERY page? So every time it hits a page, it's going to try to log the user in? Authenticate should really only be called when the user is logging in, not constantly.

<page view-id="/*" action="#{authenticator.authenticate}" login-required="false"/>

seems very wrong. Especially in components.xml, there shouldn't be page descriptors in there at all. What that line basically says is "every time a user accesses any page, try to log them in, but don't require logins for any page".

To keep a user from a page, you can specify

<page ... login-required="true">

on that page's .page.xml file. Or, if you need more fine-grained control, you can do something more like

<restrict>#{s:hasRole('person_visitor')}</restrict>

What was the "some restrict logic" that you tried to no effect?

Components.xml should have something more like this:

<security:rule-based-permission-resolver security-rules="#{securityRules}"/>
<security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>
<factory name="currentSession" scope="stateless" value="#{facesContext.externalContext.request.session}" />
<event type="org.jboss.seam.security.notLoggedIn">
    <action execute="#{redirect.captureCurrentView}"/>
</event>
<event type="org.jboss.seam.security.loginSuccessful">
    <action execute="#{redirect.returnToCapturedView}"/>
    <action execute="#{currentSession.setMaxInactiveInterval(3600)}"/>
</event>

That's just more or less what seam-gen should give you, incidentally.
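
Added example, not part of the original post: a small Python check that scans Seam descriptors for the two problems discussed above, namely a page action bound to the identity's authenticate-method and pages that have neither login-required="true" nor a restrict element. The sample XML is constructed, its root wrapper element is hypothetical, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor quoted in the post plus a protected page,
# wrapped in a hypothetical root element so it parses as one document.
SAMPLE = """<root xmlns:security="http://jboss.com/products/seam/security">
  <security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>
  <page view-id="/*" action="#{authenticator.authenticate}" login-required="false"/>
  <page view-id="/visitor/*" login-required="true">
    <restrict>#{s:hasRole('person_visitor')}</restrict>
  </page>
</root>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def norm(expr):
    """Normalise an EL expression so '#{a.b}' and '#{ a.b() }' compare equal."""
    return re.sub(r"\s+|\(\)", "", expr or "")

def audit(xml_text):
    """Return (view-id, finding) tuples for page descriptors in xml_text."""
    root = ET.fromstring(xml_text)
    # The method(s) the identity component is configured to call at login.
    auth = {norm(e.get("authenticate-method")) for e in root.iter()
            if local(e.tag) == "identity" and e.get("authenticate-method")}
    findings = []
    for page in (e for e in root.iter() if local(e.tag) == "page"):
        view = page.get("view-id", "")
        # Page actions can be an attribute or nested <action execute="..."/>.
        actions = [page.get("action")] + [c.get("execute") for c in page
                                          if local(c.tag) == "action"]
        if any(a and norm(a) in auth for a in actions):
            findings.append((view, "authenticate method used as page action"))
        restricted = any(local(c.tag) == "restrict" for c in page)
        if page.get("login-required") != "true" and not restricted:
            findings.append((view, "no login-required or restrict"))
    return findings

if __name__ == "__main__":
    for view, finding in audit(SAMPLE):
        print(f"{view}: {finding}")
```

The second finding is a review prompt rather than an error, since pages such as the login view are meant to be public.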