5 Replies Latest reply on Feb 21, 2013 11:17 AM by nathandennis

    Seam 3 Security render restrict page

    paulada

      Hi,

       

      I started a new project to learn JSF2, and I have two roles, Admin and User. I tried to restrict some admin pages, but if a user logs in and tries to access admin pages, the pages are rendered. This is what I've done:

       

      Restrictions:

      import org.jboss.seam.security.Identity;
      import org.jboss.seam.security.annotations.Secures;

      // Authorizer methods: each @Secures method decides one security binding.
      public class Restricoes
      {
          @Secures
          @Admin
          public boolean isAdmin(Identity identity)
          {
              return identity.hasRole("admin", "USERS", "GROUP");
          }

          @Secures
          @User
          public boolean isUser(Identity identity)
          {
              return identity.hasRole("user", "USERS", "GROUP");
          }
      }
      
      

       

      Admin:

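      import java.lang.annotation.ElementType;
      import java.lang.annotation.Retention;
      import java.lang.annotation.RetentionPolicy;
      import java.lang.annotation.Target;
      import org.jboss.seam.security.annotations.SecurityBindingType;

      @SecurityBindingType
      @Retention(RetentionPolicy.RUNTIME)
      @Target({ElementType.FIELD, ElementType.METHOD, ElementType.TYPE})
      public @interface Admin
      {
      }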
      
      

       

      User:

       

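      import java.lang.annotation.ElementType;
      import java.lang.annotation.Retention;
      import java.lang.annotation.RetentionPolicy;
      import java.lang.annotation.Target;
      import org.jboss.seam.security.annotations.SecurityBindingType;

      @SecurityBindingType
      @Retention(RetentionPolicy.RUNTIME)
      @Target({ElementType.TYPE, ElementType.METHOD})
      public @interface User
      {
      }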
      
      

       

      Pages:

      @ViewConfig
      public interface Pages {
      
          static enum Pages1 {
      
              @FacesRedirect
              @LoggedIn
              @ViewPattern("/pages/*")
              @AccessDeniedView("/accessDenied.xhtml")
              @LoginView("/login.xhtml")
              ALL,
      
              @ViewPattern("/pages/userAdmin/*")
              @Admin
              ADMIN;
          }
      }
      

       

      The loggedIn restriction is working, but I'd like the admin pages not to be rendered if a user logs in and tries to access them. Is there something that I can do, or something that I misunderstood?

      Thanks.

        • 1. Re: Seam 3 Security render restrict page
          rahul22

          hi,

           

          I don't know whether you found the solution or not, but for me the following is working:

           

          pages :

           

                  @ViewPattern("/xyz.xhtml")
                  @User
                  USER,

                  @ViewPattern("/abc.xhtml")
                  @Admin
                  ADMIN,

                  @FacesRedirect
                  @ViewPattern("/*")
                  @AccessDeniedView("/deniedcheck.xhtml")
                  @LoginView("/logincheck.xhtml")
                  ALL;

           

          The rest is the same as yours. Try this simple version if it still didn't work for you.

           

          hope it helps.

           

          Thanks

          • 2. Re: Seam 3 Security render restrict page
            bya_

            pages -

            add:

            @RestrictAtPhase(PhaseIdType.RESTORE_VIEW)

            • 3. Re: Seam 3 Security render restrict page
              nathandennis

              Wildcards are a dangerous thing if not used properly.

              • 4. Re: Seam 3 Security render restrict page
                bya_

                Please explain, I'm pretty new at this.

                • 5. Re: Seam 3 Security render restrict page
                  nathandennis

                  You have overlapping rules because you used a wildcard.

                   

                  I haven't tested this, but my first guess would be that you need to separate those rules a little more and have only one rule applied to the admin folder. Rewrite the rules so the wildcard rule doesn't precede the admin rule... If that doesn't work, move the admin folder out of the folder you are using the wildcard in, or rewrite the rules to not include the admin folder in the wildcard rule.

                   

                  That is just where I would start.
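
A way to audit a view configuration for the overlapping wildcard patterns discussed in this thread, as an added example that is not part of the original posts and not Seam's own pattern matcher. The class name and the matching semantics (a trailing `*` matches any suffix) are assumptions; the patterns are the ones from the question, and the sample view IDs are constructed.

```java
import java.util.*;

// Added example: a stand-alone model of wildcard view patterns, not Seam's matcher.
public class ViewPatternAudit {

    // Assumed semantics: a trailing '*' matches any suffix, otherwise exact match.
    static boolean matches(String pattern, String viewId) {
        return pattern.endsWith("*")
                ? viewId.startsWith(pattern.substring(0, pattern.length() - 1))
                : pattern.equals(viewId);
    }

    // True when every view matched by 'narrow' is also matched by 'broad'.
    static boolean covers(String broad, String narrow) {
        if (!broad.endsWith("*")) return broad.equals(narrow);
        String prefix = broad.substring(0, broad.length() - 1);
        return narrow.startsWith(prefix);
    }

    // Pairs where one declared pattern contains another.
    static List<String> overlaps(Map<String, String> rules) {
        List<String> found = new ArrayList<>();
        for (String broad : rules.keySet())
            for (String narrow : rules.keySet())
                if (!broad.equals(narrow) && covers(broad, narrow))
                    found.add(broad + " contains " + narrow);
        return found;
    }

    // All restrictions whose pattern matches the view, in declaration order.
    static List<String> restrictionsFor(Map<String, String> rules, String viewId) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, String> r : rules.entrySet())
            if (matches(r.getKey(), viewId)) out.add(r.getValue());
        return out;
    }

    public static void main(String[] args) {
        // Patterns and restrictions from the question, in declared order.
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("/pages/*", "@LoggedIn");
        rules.put("/pages/userAdmin/*", "@Admin");

        System.out.println("Overlaps: " + overlaps(rules));
        // Constructed sample view IDs.
        for (String v : new String[] {"/pages/home.xhtml", "/pages/userAdmin/list.xhtml"})
            System.out.println(v + " -> " + restrictionsFor(rules, v));
    }
}
```

Each reported overlap marks a set of views where more than one restriction has to hold, which is where to verify access with a non-admin account.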