6 Replies Latest reply on Apr 11, 2012 1:55 PM by thor-k

seam 3.1 security annotations not working

kgoedert Apr 11, 2012 7:19 AM

Hi,

I am creating a project using seam 3.1 and I would like to create security annotations like @Admin to place on methods and restrict access. But it is not working. The method supposed to handle the annotation is never called. The authentication method is working fine, and the @loggedIn annotation is also working, so I suppose I have seam security set up correctly. I created my annotation like this:

{code}
@SecurityBindingType
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface Admin {
 
 
}
{code}

The class supposed to handle the annotation is:

{code}
public class Authorizer {
          @Secures 
          @Admin
          public  boolean isAdmin(Identity identity) {
              boolean res = identity.hasRole("admin", "USERS", "GROUP");
              
              return res;
            }
}
 
{code}

and the bean I am trying to secure

{code}
@Named("userBean")
@Stateful
@ConversationScoped
@LoggedIn
public class UserBean extends AbstractBean<User, UserManagerBeanLocal, LazyUserDataModel> {
          private static final long serialVersionUID = 1L;
          @EJB
          private UserManagerBeanLocal userController;
          @EJB
          private CompanyManagerBeanLocal companyController;
 
 
          @Inject
          private Conversation conversation;
 
 
          @Inject
          private FacesContext context;
 
 
          private User user;
 
// other methods
  
          @Admin
          public String create() {
                    return super.create();
          }
 
{code}

I expected that before the create method is executed the isAdmin method on the Authorizer class was going to be called. But it never is. What am I missing?

Thanks for any help

Kelly

1. Re: seam 3.1 security annotations not working

thor-k Apr 11, 2012 10:42 AM (in response to kgoedert)

Hi Kelly, currently I have a similar issue and I'm curious about your setup. Have you created a @ViewConfig class?

@ViewConfig
public interface Pages
{
     static enum Pages0
    {
          @ViewPattern("/jsf/test.xhtml")
          @UrlMapping(pattern="/test)
          @LoginView("/jsf/access/loginRequired.xhtml")
          @AccessDeniedView("/jsf/access/accessDenied.xhtml")
          @Admin
          ADMIN;
    }
}

In my setup, the Annotation @Admin (with additionalElementType.FIELD) is placed before the class definition (@Named @ViewScoped @Admin). If I'm not @LoggedIn I'm forwarded to loginRequired.xhtml, but never to accessDenied.xhtml. Actually my Authorizer *is* called, but even when *false* is returned, I have access to the page. Perhaps it's related to this warning:

16:38:38,281 WARN [org.jboss.seam.security.permission.SecurityRuleLoader] (http--127.0.0.1-8080-2) No security rules configured - rule base permissions will be unavailable.

Greetings
Thor
Actions
2. Re: seam 3.1 security annotations not working

kgoedert Apr 11, 2012 10:45 AM (in response to thor-k)

Exact same situation here. If I add the @viewConfig I have the situation you described. If I remove it, I have the situation I described.

Greetings,

Kelly
Actions
3. Re: seam 3.1 security annotations not working

lightguard Apr 11, 2012 11:00 AM (in response to kgoedert)

Do you have the security intercepter enabled?
Actions
4. Re: seam 3.1 security annotations not working

kgoedert Apr 11, 2012 11:03 AM (in response to lightguard)

Like this?

<beans xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:s="urn:java:ee" xmlns:security="urn:java:org.jboss.seam.security"
          xmlns:jaas="urn:java:org.jboss.seam.security.jaas"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://jboss.org/schema/cdi/beans_1_0.xsd">
          <interceptors>
                    <class>org.jboss.seam.security.SecurityInterceptor</class>
          </interceptors>
</beans>

Yes. As I said, the login works perfectly as does the @LoggedIn annotation. So I presume this interceptor is working.

Kelly
Actions

5. Re: seam 3.1 security annotations not working

baraber Apr 11, 2012 1:12 PM (in response to thor-k)

Thor, you could try that in Pages :

{code}
@ViewConfig
public interface Pages
{
     static enum Pages0
    {
          @ViewPattern("/jsf/test.xhtml")
          @UrlMapping(pattern="/test)
          @LoginView("/jsf/access/loginRequired.xhtml")
          @AccessDeniedView("/jsf/access/accessDenied.xhtml")
          @RestrictAtPhase(PhaseIdType.RESTORE_VIEW)
          @Admin
          ADMIN;
    }
}
{code}

Note the line @RestrictAtPhase(PhaseIdType.RESTORE_VIEW)

The reason for this is more or less clear to me in the seam-faces doc, but Jason Porter explain it well in this thread : https://community.jboss.org/message/654232

But that doesn't explain why the Autorizer method is not called for kelly.

6. Re: seam 3.1 security annotations not working

thor-k Apr 11, 2012 1:55 PM (in response to baraber)

@Richard: Thank you so much, this solved my issue.
@Kelly: Sorry for "hijacking" this thread, but your issue was similar to mine

BTW: I have no interceptors in my bean.xml:

<beans xmlns="http://java.sun.com/xml/ns/javaee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:s="urn:java:ee"
   xmlns:security="urn:java:org.jboss.seam.security"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://jboss.org/schema/cdi/beans_1_0.xsd">
   <security:IdentityImpl>
      <s:modifies/>
      <security:authenticatorClass>my.securityPaakcage.MyAuthenticator</security:authenticatorClass>
   </security:IdentityImpl>
</beans>
Actions

Go to original post