6 Replies Latest reply on Apr 11, 2012 1:55 PM by thor-k

seam 3.1 security annotations not working

kgoedert

Hi,

I am creating a project using seam 3.1 and I would like to create security annotations like @Admin to place on methods and restrict access. But it is not working. The method supposed to handle the annotation is never called. The authentication method is working fine, and the @LoggedIn annotation is also working, so I suppose I have seam security set up correctly. I created my annotation like this:

{code}
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.jboss.seam.security.annotations.SecurityBindingType;

// Security binding type: any class or method carrying @Admin should be
// checked by the @Secures @Admin authorizer method before it runs
@SecurityBindingType
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface Admin {
}
{code}

The class supposed to handle the annotation is:

{code}
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.annotations.Secures;

public class Authorizer {
    // Expected to be invoked by the security interceptor for every @Admin
    // method; returning false denies the call
    @Secures
    @Admin
    public boolean isAdmin(Identity identity) {
        boolean res = identity.hasRole("admin", "USERS", "GROUP");
        return res;
    }
}
{code}

and the bean I am trying to secure

{code}
import javax.ejb.EJB;
import javax.ejb.Stateful;
import javax.enterprise.context.Conversation;
import javax.enterprise.context.ConversationScoped;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import org.jboss.seam.security.annotations.LoggedIn;
// AbstractBean, User, UserManagerBeanLocal, CompanyManagerBeanLocal and
// LazyUserDataModel are application types imported from the project

@Named("userBean")
@Stateful
@ConversationScoped
@LoggedIn
public class UserBean extends AbstractBean<User, UserManagerBeanLocal, LazyUserDataModel> {
    private static final long serialVersionUID = 1L;

    @EJB
    private UserManagerBeanLocal userController;
    @EJB
    private CompanyManagerBeanLocal companyController;

    @Inject
    private Conversation conversation;

    @Inject
    private FacesContext context;

    private User user;

    // other methods

    // Only callers for whom Authorizer.isAdmin() returns true should get here
    @Admin
    public String create() {
        return super.create();
    }
}
{code}

I expected that before the create method is executed the isAdmin method on the Authorizer class would be called. But it never is. What am I missing?

Thanks for any help

Kelly

• 1. Re: seam 3.1 security annotations not working
thor-k

Hi Kelly, currently I have a similar issue and I'm curious about your setup. Have you created a @ViewConfig class?

{code}
@ViewConfig
public interface Pages
{
    static enum Pages0
    {
        @ViewPattern("/jsf/test.xhtml")
        @UrlMapping(pattern="/test")
        @LoginView("/jsf/access/loginRequired.xhtml")
        @AccessDeniedView("/jsf/access/accessDenied.xhtml")
        @Admin
        ADMIN;
    }
}
{code}

In my setup, the annotation @Admin (with additional ElementType.FIELD) is placed before the class definition (@Named @ViewScoped @Admin). If I'm not @LoggedIn I'm forwarded to loginRequired.xhtml, but never to accessDenied.xhtml. Actually my Authorizer *is* called, but even when *false* is returned, I have access to the page. Perhaps it's related to this warning:

{code}
16:38:38,281 WARN  [org.jboss.seam.security.permission.SecurityRuleLoader] (http--127.0.0.1-8080-2) No security rules configured - rule base permissions will be unavailable.
{code}

Greetings

Thor

• 2. Re: seam 3.1 security annotations not working
kgoedert

Exact same situation here. If I add the @ViewConfig I have the situation you described. If I remove it, I have the situation I described.

Greetings,

Kelly

• 3. Re: seam 3.1 security annotations not working
lightguard

Do you have the security interceptor enabled?

• 4. Re: seam 3.1 security annotations not working
kgoedert

Like this?

{code}
<beans xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:s="urn:java:ee" xmlns:security="urn:java:org.jboss.seam.security"
       xmlns:jaas="urn:java:org.jboss.seam.security.jaas"
       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://jboss.org/schema/cdi/beans_1_0.xsd">
    <interceptors>
        <class>org.jboss.seam.security.SecurityInterceptor</class>
    </interceptors>
</beans>
{code}

Yes. As I said, the login works perfectly as does the @LoggedIn annotation. So I presume this interceptor is working.

Kelly

• 5. Re: seam 3.1 security annotations not working
baraber

Thor, you could try that in Pages:

{code}
@ViewConfig
public interface Pages
{
    static enum Pages0
    {
        @ViewPattern("/jsf/test.xhtml")
        @UrlMapping(pattern="/test")
        @LoginView("/jsf/access/loginRequired.xhtml")
        @AccessDeniedView("/jsf/access/accessDenied.xhtml")
        // run the @Admin check in RESTORE_VIEW, before the view is rendered
        @RestrictAtPhase(PhaseIdType.RESTORE_VIEW)
        @Admin
        ADMIN;
    }
}
{code}

Note the line @RestrictAtPhase(PhaseIdType.RESTORE_VIEW)

The reason for this is more or less clear to me in the seam-faces doc, but Jason Porter explains it well in this thread: https://community.jboss.org/message/654232

But that doesn't explain why the Authorizer method is not called for Kelly.

• 6. Re: seam 3.1 security annotations not working
thor-k

@Richard: Thank you so much, this solved my issue.

@Kelly: Sorry for "hijacking" this thread, but your issue was similar to mine.

BTW: I have no interceptors in my beans.xml:

{code}
<beans xmlns="http://java.sun.com/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:s="urn:java:ee"
       xmlns:security="urn:java:org.jboss.seam.security"
       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://jboss.org/schema/cdi/beans_1_0.xsd">
    <security:IdentityImpl>
        <s:modifies/>
        <security:authenticatorClass>my.securityPaakcage.MyAuthenticator</security:authenticatorClass>
    </security:IdentityImpl>
</beans>
{code}
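Kelly's symptom, an @Admin method that runs without its authorizer ever being called, is a silent fail-open, so it is worth having a test that proves the restriction fires. The following is an added example, not code from this thread or from Seam: an Arquillian test that calls a hypothetical @Admin-secured bean as an anonymous caller and asserts both that Seam rejects the call with AuthorizationException and that the @Secures authorizer was actually invoked. It assumes JUnit 4, Arquillian with an embedded Weld container and seam-security on the test classpath; Admin, Authorizer and AdminOnlyBean are stand-ins for the thread's types.

```java
import static org.junit.Assert.fail;
import java.lang.annotation.*;
import java.util.concurrent.atomic.AtomicInteger;
import javax.inject.Inject;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;
import org.jboss.seam.security.annotations.*;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.asset.StringAsset;
import org.jboss.shrinkwrap.api.spec.JavaArchive;
import org.junit.Test;
import org.junit.runner.RunWith;

@RunWith(Arquillian.class)
public class AdminRestrictionTest {
    // Hypothetical stand-in for the thread's @Admin binding type (example code, not the thread's)
    @SecurityBindingType @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface Admin {}

    public static class Authorizer {
        static final AtomicInteger calls = new AtomicInteger(); // counts how often the check really ran
        @Secures @Admin public boolean isAdmin(Identity identity) {
            calls.incrementAndGet();
            // deny anonymous callers outright instead of relying on hasRole() alone
            return identity.isLoggedIn() && identity.hasRole("admin", "USERS", "GROUP");
        }
    }

    public static class AdminOnlyBean {            // hypothetical bean under test
        @Admin public String create() { return "created"; }
    }

    @Deployment
    public static JavaArchive deployment() {
        // Without this interceptor entry @Admin is silently ignored and create() runs unchecked
        String beansXml = "<beans><interceptors><class>org.jboss.seam.security."
                + "SecurityInterceptor</class></interceptors></beans>";
        return ShrinkWrap.create(JavaArchive.class)
                .addClasses(Admin.class, Authorizer.class, AdminOnlyBean.class)
                .addAsManifestResource(new StringAsset(beansXml), "beans.xml");
    }

    @Inject AdminOnlyBean bean;

    @Test public void anonymousCallerIsDenied() {
        try {
            bean.create();
            fail("create() ran without any authorization check (fail-open)");
        } catch (AuthorizationException expected) {
            if (Authorizer.calls.get() != 1) fail("authorizer was never invoked");
        }
    }
}
```

If the first fail() triggers, the interceptor is not being applied to that bean; if the second one does, the call was blocked by something other than the @Admin authorizer.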