10 Replies Latest reply on Feb 15, 2012 4:59 PM by lightguard

    How to make ViewConfig work

    jf321023

      Hi, everyone:

      I have a requirement for Seam Security ViewConfig. If the user has logged in, a request for the views under /pages/* will be granted. If not, the user will be redirected to the login view /login.xhtml.

      My @ViewConfig interface is as follows:

       

      @ViewConfig
      public interface Pages {

          static enum page {

              @ViewPattern("/*")
              @LoginView("/login.xhtml")
              @AccessDeniedView("/item/list.xhtml")
              ALL,

              @ViewPattern("/pages/*")
              @LoginView("/login.xhtml")
              @User
              User;
          }
      }
      

       

      The User annotation is created with @SecurityBindingType:

       

      @SecurityBindingType
      @Retention(RetentionPolicy.RUNTIME)
      @Target({ElementType.FIELD, ElementType.METHOD, ElementType.TYPE})
      public @interface User {
      }
      

       

      The authorization method is annotated with @Secures:

       

      public class SecurityRules {

          public @Secures @User boolean userChecker(Identity identity) {
              if (identity.getUser() == null) {
                  return false;
              } else {
                  return true;
              }
          }
      }
      

       

      Now there is a problem. When I request the view /pages/test.xhtml, the authorization method userChecker is invoked, but whether it returns false or true, access is still granted.

      What should I do with the ViewConfig?

      I used Seam 3.1.0.Final and JBoss AS 7.0.2.Final.

        • 1. Re: How to make ViewConfig work
          lightguard

          Set the checks to be done in the RESTORE_VIEW phase.

          • 2. Re: How to make ViewConfig work
            jf321023

            Hi Jason,

            I tried your solution, but it does not seem to work.

            I changed the @ViewConfig annotated interface and added @RestrictAtPhase(PhaseIdType.RESTORE_VIEW) in the enum.

            @ViewConfig
            public interface Pages {

                static enum page {

                    @ViewPattern("/*")
                    @LoginView("/login.xhtml")
                    @AccessDeniedView("/item/list.xhtml")
                    ALL,

                    @RestrictAtPhase(PhaseIdType.RESTORE_VIEW)
                    @ViewPattern("/pages/*")
                    @LoginView("/login.xhtml")
                    @User
                    User;
                }
            }

            The authorization method is still invoked, and whether true or false is returned, access is still granted.

             

            public @Secures @User boolean userChecker(Identity identity) {
                System.out.println(FacesContext.getCurrentInstance().getCurrentPhaseId());
                if (identity.getUser() == null) {
                    return false;
                } else {
                    return true;
                }
            }

            • 3. Re: How to make ViewConfig work
              lightguard

              This is odd, there may have been a fix for this since 3.1.0.Final, but I thought that at least worked.

              • 4. Re: How to make ViewConfig work
                jf321023

                  I also find it very strange and helpless. I hope there are some examples or some other way to achieve this.

                • 5. Re: How to make ViewConfig work
                  clerum

                  I've had success with

                   

                   @RestrictAtPhase({PhaseIdType.RESTORE_VIEW, PhaseIdType.INVOKE_APPLICATION})
                  
                  • 6. Re: How to make ViewConfig work
                    jf321023

                      Let me try ~~

                    • 7. Re: How to make ViewConfig work
                      jf321023

                      Oh no, I was hurt!!! Why does my ViewConfig not work? The authorization method is invoked and it returns, but whether true or false, the request is always granted.

                      • 8. Re: How to make ViewConfig work
                        jf321023

                          I made a mistake. My login page is not named login.xhtml but Login.xhtml...

                          If your @LoginView page does not exist, then the request will be granted, no matter what the authorization method returned or whether the user is logged in with @LoggedIn.

                          I think that is not reasonable.

                          Thanks to Jason and Cody for answering my question.

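The root cause found in reply 8, a @LoginView that names a page which does not exist, can be caught at deployment time instead of showing up as granted access. The following is an added example, not code from the thread or from Seam: the two annotations are local stand-ins for the Seam Faces ones, and the file set is constructed to mirror the Login.xhtml / login.xhtml mismatch (both are assumptions). It lists every configured view id that does not resolve, so startup can fail closed.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.*;
import java.util.function.Predicate;

public class ViewConfigCheck {
    // Stand-ins for the Seam Faces annotations so the example compiles alone;
    // in an application, import the real ones and delete these two.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface LoginView { String value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface AccessDeniedView { String value(); }

    // Same view ids as the configuration posted in the thread.
    enum Page {
        @LoginView("/login.xhtml") @AccessDeniedView("/item/list.xhtml") ALL,
        @LoginView("/login.xhtml") USER
    }

    /** Returns "CONSTANT -> viewId" for every configured view that does not exist. */
    static List<String> missingViews(Class<? extends Enum<?>> config, Predicate<String> exists) {
        List<String> missing = new ArrayList<>();
        for (Field f : config.getDeclaredFields()) {
            if (!f.isEnumConstant()) continue;   // skip synthetic fields such as $VALUES
            LoginView lv = f.getAnnotation(LoginView.class);
            AccessDeniedView adv = f.getAnnotation(AccessDeniedView.class);
            for (String id : new String[] { lv == null ? null : lv.value(),
                                            adv == null ? null : adv.value() }) {
                if (id != null && !exists.test(id)) missing.add(f.getName() + " -> " + id);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the deployed web root (exact, case-sensitive match);
        // in a servlet container, test servletContext.getResource(id) != null instead.
        Set<String> webRoot = Set.of("/Login.xhtml", "/item/list.xhtml", "/pages/test.xhtml");
        List<String> missing = missingViews(Page.class, webRoot::contains);
        missing.forEach(m -> System.out.println("missing view: " + m));
        if (!missing.isEmpty()) {
            throw new IllegalStateException("refusing to start: " + missing.size() + " security view(s) missing");
        }
    }
}
```

With the constructed file set, both ALL and USER are reported as pointing at the missing /login.xhtml, and the check refuses to start.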
                        • 9. Re: How to make ViewConfig work
                          blabno

                          Well, this qualifies for JIRA then.

                          • 10. Re: How to make ViewConfig work
                            lightguard

                            A pull request would be better

                             

                            Seems like a good way to get involved, probably not that difficult of an issue.