15 Replies. Latest reply on Dec 14, 2013 12:07 PM by christophe.carvalho

    Seam Faces @ViewConfig: @LoggedIn for everything but login page

    miguelz

      Is there a way to apply @LoggedIn for everything but the login page itself using the wildcard operator?


      The following does NOT WORK:



      @ViewConfig
      public interface Pages {

          static enum Pages1 {

              @FacesRedirect
              @ViewPattern("/login.xhtml")
              LOGIN,

              @FacesRedirect
              @ViewPattern("/*")
              @LoggedIn
              @LoginView("/login.xhtml")
              ALL;

          }

      }





      I thought about introducing a prefix for the restricted pages but only if there is no smarter solution...

        • 1. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
          bleathem

          Nice use case!  Currently there is no way to achieve that.  Perhaps we could look for a false attribute value in the annotation.  Or maybe the redirect to login should be smart enough to figure out you are trying to redirect to itself, and skip the redirect.


          Come to think of it, both of these solutions are independent, and should be further explored.  Would you mind filing a Jira?


          Cheers,
          Brian Leathem

          • 2. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
            azakovorotny

            We are facing the same problem. That was easy with Seam 2; however, with Seam 3 there seems to be no out-of-the-box solution.
            It turns out that instead of relieving a developer from the daunting task of finding all the bits and pieces, we have to do exactly that.
            It seems too early for any serious project based on CDI/Seam3...

            • 3. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
              miguelz

              One solution could be to allow multiple ENUMS like stated in


              https://issues.jboss.org/browse/SEAMFACES-146


              Example:



              static enum AllPages {

                  @FacesRedirect
                  @ViewPattern("/*")
                  @LoggedIn
                  @LoginView("/login.xhtml")
                  ALL;

              }


              static enum LoginPage {

                  @FacesRedirect
                  @ViewPattern("/login.xhtml")
                  LOGIN;

              }





              Entries in different enums should be processed in a non-cumulative way by the view store.
              In the example above, the wildcard properties from the AllPages enum wouldn't be applied to login.xhtml in the LoginPage enum.


              @Andy: I share your opinion that it is very early for a serious project based on Seam 3. See my post Migration Nightmare ...

              • 4. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                bleathem

                @Andy, please keep pointing out where we need improvements, your feedback is much appreciated.


                @Miguel, for this to work, we need to think of a way of having the AllPages enum wildcard pattern "/*" not include the /login.xhtml page.


                Another possibility would be to include a @Not annotation that provides exclusions for any annotations associated with that enum property.  One would then have to have a separate enum property for the positive annotation associations.  For instance, one could have:


                @ViewConfig
                public interface Pages {

                    static enum Pages1 {

                        @ViewPattern("/login.xhtml")
                        @Not
                        @LoggedIn
                        LOGIN_N,

                        @ViewPattern("/login.xhtml")
                        @UrlRewrite("...")
                        LOGIN,

                        @ViewPattern("*")
                        @FacesRedirect
                        @LoggedIn
                        @LoginView("/login.xhtml")
                        ALL;

                    }
                }
                




                Which says that the @ViewPattern("/login.xhtml") should not have the @LoggedIn annotation associated with it, but should have the @UrlRewrite annotation associated with it. 


                What do you think?  I'd love to hear any ideas you guys have as to the best way to achieve this.

                • 5. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                  matteg.gerry.matte.shaw.ca

                  I like this approach.  It seems fairly intuitive and could be easily inserted into user documentation.

                  • 6. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                    piklos

                    Well we had the same problem and we decided to use different folders for public stuff and for 'private' stuff.


                    So for example our login page, error page, etc. can be found at:


                    /public/login.xhtml, /public/error.xhtml etc.


                    and all the rest of our pages are in the
                    /private/ directory.


                    My pages enum looks something like this:



                    @ViewPattern("/private/*")
                    @LoginView("/public/login.xhtml")
                    @LoggedIn
                    PRIVATE


                    The only downside of this workaround is that you get an unneeded directory prefix in your URLs.
                    But since seam-faces is integrated with URL rewriting you can remove that directory quite easily.
                    It's not perfect but it works. ;)


                    Cheers.

                    • 7. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                      zeeman

                      I migrated my Seam 2 project to Seam 3. I'm stuck on this issue; the project has hundreds of pages and about half need to be secured with @LoggedIn.


                      Any idea when seam faces would support a good out-of-box solution?


                      My only option now is to use either a prefix on each page or put secured pages in their own folder. Both require unneeded work and complicate things.


                      Not sure how a common use case such as this slipped through, but I hope that Seam team will provide a fix for this ASAP.


                      • 8. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                        lucasvc

                        Is there any update for this "issue"?

                        Using subfolders is not a "clean" workaround in my case.


                        Thanks

                        • 9. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                          lightguard

                          It should just take a regexp, if you can create that for your pages you should be good.

                          • 10. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                            lucasvc

                            Interesting. There is nowhere telling that @ViewPattern accepts regexps.

                            I'm trying to do it, but it doesn't work (I'm working with Seam version 3.1.0.Beta4).

                            Looking at the code (I had to work hard to find where these things were checked), in org.jboss.seam.faces.view.config.ViewConfigStoreImpl#findViewsWithPatternsThatMatch(), the code doesn't use java.util.regex.Pattern; it only checks if ViewPattern ends with "*". The latest code at GitHub also does the same.

                            Is this a bug?

                            • 11. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                              lightguard

                              I thought it took a regexp. It would be a good feature request for sure.

                              • 12. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                                hantsy

                                If @ViewPattern accepts regexp, adding two other attributes (includes, excludes) to @ViewPattern is simpler.

                                 

                                For example:

                                 

                                  @ViewPattern(value="*", excludes={"/login.xhtml", "error.xhtml"})
                                  @LoginView("/login.xhtml")
                                  @LoggedIn
                                  ALL

                                 

                                And then I think it is better to add extra configuration to determine the redirect view after login; Spring Security provides a defaultTargetUrl in its configuration.

                                • 13. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                                  miguelzp

                                  My last thought on this was that it would be handy to unify @LoggedIn and @LoginView in one annotation like:

                                   

                                  @IsLoggedIn(notloggedinview="/login.xhtml")

                                   

                                  This new smart annotation would automatically exclude the /login.xhtml from the check of an existing login because it's obvious that a login page (or every other type of notloggedinview) wouldn't need a login. The same behaviour could be even achieved with the two existing annotations.

                                   

                                  In general it would be nice to have full wildcard and regexp matching for @ViewPattern e.g. @ViewPattern("/app/*Edit.xhtml")

                                  • 14. Re: Seam Faces @ViewConfig: @LoggedIn for everything but login page
                                    mjmeyer23

                                    Hoping for some update on this matter. Not really finding anything that indicates this has or will be incorporated.

                                     

                                    The lack of flexibility in matching is awkward. I'd like to be able to have everything except a home.xhtml and login.xhtml require login. I thought that the "If conflicting annotations are found, the annotation paired with the most specific matching view pattern takes precedence."

                                     

                                    but alas, that seems to be broken: https://issues.jboss.org/browse/SEAMFACES-244

                                     

                                    Separately frustrated with the difficulty in redirecting after login (in the case where they weren't redirected there, but navigated to login directly).  None of the solutions at http://stackoverflow.com/questions/9299023/how-does-seam-3-handles-the-redirect-to-capture-view-feature-after-login seem to be fully working.

                                     

                                    Perhaps it's still early to be trying to use seam security to do resource protection with JSF? Any alternatives to recommend?
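
Added example, not part of the thread and not Seam Faces source code: a simplified Java model of the matching described in reply 10 (exact match, or prefix match when the pattern ends with "*") and of the precedence rule quoted in reply 14. The class and method names, the cumulative variant, the specificity ordering and the fail-closed default for unmatched views are assumptions made for illustration; the rules and view IDs are constructed sample data.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Illustrative model only; class and method names are hypothetical, not Seam Faces API.
public class ViewPatternModel {
    // pattern -> login required (constructed sample configuration)
    private final Map<String, Boolean> rules = new LinkedHashMap<>();

    ViewPatternModel rule(String pattern, boolean loginRequired) {
        rules.put(pattern, loginRequired);
        return this;
    }

    // Reply 10: only a trailing "*" is treated as a wildcard; no regex.
    static boolean matches(String pattern, String viewId) {
        return pattern.endsWith("*")
                ? viewId.startsWith(pattern.substring(0, pattern.length() - 1))
                : pattern.equals(viewId);
    }

    // Exact patterns outrank wildcards; longer prefixes outrank shorter ones (assumption).
    static int specificity(String pattern) {
        return pattern.endsWith("*") ? pattern.length() - 1 : Integer.MAX_VALUE;
    }

    // Cumulative: every matching pattern contributes, so "/*" also locks the login page.
    boolean cumulative(String viewId) {
        return rules.entrySet().stream()
                .anyMatch(e -> matches(e.getKey(), viewId) && e.getValue());
    }

    // Most specific match wins; a view that matches nothing requires login (fail closed).
    boolean mostSpecific(String viewId) {
        String best = null;
        for (String p : rules.keySet()) {
            if (matches(p, viewId) && (best == null || specificity(p) > specificity(best))) {
                best = p;
            }
        }
        return best == null || rules.get(best);
    }

    public static void main(String[] args) {
        ViewPatternModel m = new ViewPatternModel()
                .rule("/*", true).rule("/login.xhtml", false).rule("/home.xhtml", false);
        String[] views = {"/login.xhtml", "/home.xhtml", "/admin/users.xhtml", "/login.xhtml.bak"};
        for (String v : views) {
            System.out.printf("%-20s cumulative=%b mostSpecific=%b%n", v, m.cumulative(v), m.mostSpecific(v));
        }
    }
}
```

In this model the cumulative variant still demands login for /login.xhtml, while the most-specific variant exempts only the exact view IDs listed, so a look-alike such as /login.xhtml.bak stays behind the login check.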
