3 Replies Latest reply on Oct 8, 2012 6:53 AM by gotamo

    How to make ViewConfig redirect on access denied

    gotamo

      Hi, everyone: I have a problem in managing the access denied redirection using Seam Security ViewConfig.

       

      My @ViewConfig interface is as follows:

       

      {code}
      @ViewConfig
      public interface Pages
      {
          static enum AllPages
          {
              @FacesRedirect
              @ViewPattern("/public/*")
              @LoginView("/public/login.xhtml")
              @AccessDeniedView("/public/login.xhtml")
              PUBLIC,

              @ViewPattern("/private/*")
              @LoginView("/public/login.xhtml")
              @AccessDeniedView("/public/accessdeny.xhtml")
              @Private
              PRIVATE,

              //------------------------------------------------------------
              // SAFE
              //------------------------------------------------------------

              @ViewPattern("/private/safe/safeList.xhtml")
              @LoginView("/public/login.xhtml")
              @AccessDeniedView("/public/accessdeny.xhtml")
              @SafeList
              SAFELIST
          }
      }
      {code}

       

      and the annotations created with @SecurityBindingType:

       

      {code}
      @SecurityBindingType
      @Retention(RetentionPolicy.RUNTIME)
      @Target({ElementType.FIELD, ElementType.METHOD, ElementType.TYPE})
      public @interface Private {}

      @SecurityBindingType
      @Retention(RetentionPolicy.RUNTIME)
      @Target({ElementType.FIELD, ElementType.METHOD, ElementType.TYPE})
      public @interface SafeList {}
      {code}

       

      Finally, the restriction methods are:

       

       

      {code}
      public class SecurityRules
      {
          @Inject
          Logger log;

          public @Secures @Private boolean authenticatedCheck(Identity identity)
          {
              boolean perm = identity != null &&
                             identity.getUser() != null &&
                             identity.isLoggedIn();

              log.debugv( "Private permission for user {0} is {1}", identity.getUser(), perm );

              return perm;
          }

          public @Secures @SafeList boolean safeList(LoggedUser loggedUser)
          {
              boolean perm = false;

              log.debugv( "SafeList permission for user {0} is {1}", loggedUser.getUser(), perm );

              return perm;
          }
      }
      {code}

       

      Any time I try to access any page in the path /private/* I'm correctly redirected to the login page (very good).

       

      But if I try to access the page /private/safe/safeList.xhtml I'm not redirected to accessdeny.xhtml as expected, since the security restriction for @SafeList is always false.

       

      If I check the logs I see:

       

      17:06:35,610 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) NEXT TO [null]: /private/safe/safeList.xhtml
      17:06:35,610 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) NEXT TO [null]: /private/safe/safeList.xhtml
      17:06:35,612 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-2) Private permission for user SimpleUser{id='Test '} is true
      17:06:35,612 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-2) Private permission for user SimpleUser{id='Test '} is true
      17:06:35,613 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-2) SafeList permission for user Test  Test  (test) is false
      17:06:35,613 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-2) SafeList permission for user Test  Test  (test) is false
      17:06:35,647 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) START [null]: /private/safe/safeList.xhtml
      17:06:35,647 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) START [null]: /private/safe/safeList.xhtml
      17:06:35,648 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) BEGIN [1]: /private/safe/safeList.xhtml
      17:06:35,648 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) BEGIN [1]: /private/safe/safeList.xhtml

       

      So the two restrictions are fired, but even if the second one is FALSE I can access the page; moreover, if I try to click a button in the page I finally get the redirection to the accessdeny page.

       

      Can anyone help me???

       

      MR
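
The symptom in the log above, a rule logging false and the same view starting anyway, can be checked for mechanically. The following is an added example, not part of the original post or of Seam: a Python scan over the post's log format. The function name, the meaning given to the application's own ViewChain events (NEXT TO, BEGIN) and the second request in the sample are assumptions.

```python
import re

# First request: lines from the post's log (duplicates trimmed to one pair).
# Second request (thread ...-3) is constructed: a deny that ends on accessdeny.xhtml.
SAMPLE_LOG = """\
17:06:35,610 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) NEXT TO [null]: /private/safe/safeList.xhtml
17:06:35,612 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-2) Private permission for user SimpleUser{id='Test '} is true
17:06:35,613 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-2) SafeList permission for user Test  Test  (test) is false
17:06:35,647 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) START [null]: /private/safe/safeList.xhtml
17:06:35,648 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) BEGIN [1]: /private/safe/safeList.xhtml
17:06:35,648 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) BEGIN [1]: /private/safe/safeList.xhtml
17:07:02,100 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-3) NEXT TO [null]: /private/safe/safeList.xhtml
17:07:02,103 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-3) SafeList permission for user Test  Test  (test) is false
17:07:02,140 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-3) BEGIN [1]: /public/accessdeny.xhtml
"""

LINE = re.compile(r"^(?P<ts>\S+) +\w+ +\[(?P<logger>[\w.]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
RULE = re.compile(r"^(?P<rule>\w+) permission for user .* is (?P<result>true|false)$")
VIEW = re.compile(r"^(?P<event>NEXT TO|START|BEGIN) \[[^\]]*\]: (?P<path>\S+)$")


def find_denied_but_rendered(log_text):
    """Return (time, thread, path, denied_rules) for every view that began on a
    thread after a rule evaluated to false for that same requested path."""
    pending = {}   # thread -> (requested path, set of rule names that returned false)
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        thread, msg = line["thread"], line["msg"]
        rule, view = RULE.match(msg), VIEW.match(msg)
        if rule and rule["result"] == "false" and thread in pending:
            pending[thread][1].add(rule["rule"])
        elif view and view["event"] == "NEXT TO":
            # Assumption: NEXT TO opens a navigation to the given view.
            pending[thread] = (view["path"], set())
        elif view and view["event"] == "BEGIN" and thread in pending:
            # Assumption: BEGIN means the view is being processed for the user.
            path, denied = pending.pop(thread)
            if denied and view["path"] == path:
                findings.append((line["ts"], thread, path, sorted(denied)))
    return findings


if __name__ == "__main__":
    for finding in find_denied_but_rendered(SAMPLE_LOG):
        print("DENIED BUT RENDERED:", *finding)
```

Only the first request is reported; the constructed one, which ends on /public/accessdeny.xhtml, is not. Correlating by thread name is only reliable within a single request, because container threads are reused.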