4 Replies Latest reply on Feb 27, 2014 11:54 PM by marrrck

Some questions about Errai Security in 3.0

marrrck Feb 3, 2014 4:05 PM

I've been testing out the Errai 3.0 branch for an internal project and we've been trying to use Errai Security to secure our application. Two issues have come up so far, so I thought I would ask. I decided to post this to the dev list since the feature isn't released yet, but please let me know if you'd rather I move it to the primary errai forum.

Issue #1

Our specific use case requires users to be authenticated to access our app, but no specific roles are required beyond logging in. So we've annotated our primary page with:

@Templated
@Page(path="home", role = DefaultPage.class)
@RequireAuthentication

The behavior that we're seeing as that the page renders fully and then the user is redirected to the login page, so the home page is briefly visible before the login page is rendered. Also we have a method annotated with @PageShown and that seems to be executed before the login page is displayed, regardless of whether the user is authenticated or not. Is this by design, and if so is there a lifecycle method or workaround for not firing a method until after the security criteria has been satisfied?

Issue #2

The master branch of errai-security right now is build with picketlink 2.5.0.Beta4. Picketlink's current stable release is 2.5.2.Final I believe, and Wildfly 8 CR1 ships with 2.5.1.Final, and it looks like some portions of their IDM api have changed significantly between 2.5.0.Beta4 and 2.5.2.Final. Is there any reason you are sticking with 2.5.0.Beta4, or are their plans to upgrade and no one has gotten around to it? I tried just overriding the version in my project's maven build, but that broke stuff so I'm guessing upgrading isn't trivial...

Any insight anyone could offer would be greatly appreciated!

Marc

1. Re: Some questions about Errai Security in 3.0

csa Feb 5, 2014 4:43 PM (in response to marrrck)

Hi Marc,

Thanks for your feedback!

Issue 1:
This looks like a bug to me. We shouldn't display the page (even briefly) if the user doesn't have the permission (or isn't authenticated). Can you create a JIRA for this?

Issue 2:
Yes, if we stick to the current security approach we will upgrade to whatever WildFly is using. There's currently another issue with this when deploying errai-security to WildFly: https://issues.jboss.org/browse/ERRAI-683

We are currently working towards the 3.0.0.M4 release. After that the plan is to pick up work on Errai Security again. If you want to contribute a fix and send a pull request for any of these issues you're more than welcome!

Also, we're eagerly looking for more feedback on the Errai Security module. So, if you have any ideas/suggestions please let us know as well.

Cheers,
Christian
Actions
2. Re: Some questions about Errai Security in 3.0

marrrck Feb 5, 2014 5:31 PM (in response to csa)

Thanks for the reply Christian, I'll put together some example code that reproduces the issue and submit a Jira issue for it. And if I can figure out any changes that might help I'll definitely submit a pull request.

If I can pull together any constructive feedback on the security module I will definitely share it as well.

Thanks again,

marc
Actions
3. Re: Some questions about Errai Security in 3.0

mbarkley Feb 27, 2014 2:46 PM (in response to marrrck)

Hi Marc,

We've put some more work into Errai Security, and I wanted to let you know that your issue #1 is now fixed on the Errai 3.0-SNAPSHOT.

I will also be looking into your second issue shortly and intend to upgrade the picketlink version before our next release.

Cheers.
Actions
4. Re: Some questions about Errai Security in 3.0

marrrck Feb 27, 2014 11:54 PM (in response to mbarkley)

Thanks Max,

I just tested this and it works like a charm! Thanks a lot!
Actions

Go to original post