10 Replies Latest reply on Feb 2, 2007 8:49 AM by Gavin King

    restricting access using pages.xml

    Dustin Norlander Apprentice

      Hi,

      I am trying to restrict access to all files in /clients to logged in users. I added the following pages.xml to no avail:

      <!DOCTYPE pages PUBLIC
       "-//JBoss/Seam Pages Configuration DTD 1.1//EN"
       "http://jboss.com/products/seam/pages-1.1.dtd">
      
      <pages no-conversation-view-id="/index.xhtml">
       <page view-id="/clients/*">
       <restrict>#{identity.loggedIn}</restrict>
       </page>
      </pages>
      


      nor does it work if I use a navigation rule (not sure if I did this right)

      <pages no-conversation-view-id="/index.xhtml">
      
       <page view-id="/clients/*">
       <navigation>
       <rule if="#{not identity.loggedIn}">
       <redirect view-id="/login.xhtml"/>
       </rule>
       </navigation>
       </page>
      </pages>
      


      I'd like the page to be bounced to /login.xhtml if the user is not logged in.
      Is there some other configuration I need to do to get the pages.xml to work?

      thanks,
      Dustin

        • 1. Re: restricting access using pages.xml
          Pete Muir Master

           

          "dustismo" wrote:
          Hi,

          I am trying to restrict access to all files in /clients to logged in users. I added the following pages.xml to no avail:

          
          <!DOCTYPE pages PUBLIC
           "-//JBoss/Seam Pages Configuration DTD 1.1//EN"
           "http://jboss.com/products/seam/pages-1.1.dtd">
          
          <pages no-conversation-view-id="/index.xhtml">
           <page view-id="/clients/*">
           <restrict>#{identity.loggedIn}</restrict>
           </page>
          </pages>
          


          This was a bug in 1.1.5 - its fixed in CVS

          • 2. Re: restricting access using pages.xml
            Gavin King Master

            Is it? Was it?

            Bad. And good.


            Guys, I've scheduled a 1.1.6 release for next Wed, to get a few of these bugfixes out there. There will also be a couple of nice enhancements to the security stuff ;-)

            • 3. Re: restricting access using pages.xml
              Dustin Norlander Apprentice

              Ok, so now I am running on the cvs version, which seems to help (sort of).. Now when I try to access a page in the clients directory it throws an exception

              19:30:22,185 INFO [Lifecycle] starting up: org.jboss.seam.security.identity
              19:30:22,193 ERROR [[/Infofilter3-Main]] Session event listener threw exception
              java.lang.NullPointerException
               at org.jboss.seam.core.Selector.getCookieValue(Selector.java:60)
               at org.jboss.seam.security.Identity.initCredentialsFromCookie(Identity.java:84)
               at org.jboss.seam.security.Identity.create(Identity.java:78)
               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
               at java.lang.reflect.Method.invoke(Method.java:585)
               at org.jboss.seam.util.Reflections.invoke(Reflections.java:18)
               at org.jboss.seam.util.Reflections.invokeAndWrap(Reflections.java:102)
               at org.jboss.seam.Component.callComponentMethod(Component.java:1826)
               at org.jboss.seam.Component.callCreateMethod(Component.java:1774)
               at org.jboss.seam.Component.newInstance(Component.java:1763)
               at org.jboss.seam.contexts.Lifecycle.startup(Lifecycle.java:164)
               at org.jboss.seam.contexts.Lifecycle.beginSession(Lifecycle.java:224)
               at org.jboss.seam.servlet.SeamListener.sessionCreated(SeamListener.java:41)
               at org.apache.catalina.session.StandardSession.tellNew(StandardSession.java:384)
               at org.apache.catalina.session.StandardSession.setId(StandardSession.java:356)
               at org.apache.catalina.session.ManagerBase.createSession(ManagerBase.java:824)
               at org.apache.catalina.session.StandardManager.createSession(StandardManager.java:290)
               at org.apache.catalina.connector.Request.doGetSession(Request.java:2223)
               at org.apache.catalina.connector.Request.getSession(Request.java:2024)
               at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:831)
               at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:842)
               at com.icesoft.faces.webapp.xmlhttp.PersistentFacesServlet.service(PersistentFacesServlet.java:220)
               at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:46)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
               at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
               at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
               at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
               at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
               at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
               at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
               at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
               at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
               at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
               at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
               at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
               at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
               at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
               at java.lang.Thread.run(Thread.java:595)
              19:30:22,311 INFO [Pages] reading pages.xml
              19:30:22,548 ERROR [AbstractSeamPhaseListener] Swallowing exception thrown by page action
              org.jboss.seam.security.NotLoggedInException
               at org.jboss.seam.security.Identity.checkRestriction(Identity.java:159)
               at org.jboss.seam.pages.Page.enter(Page.java:186)
               at org.jboss.seam.core.Pages.enterPage(Pages.java:239)
               at org.jboss.seam.jsf.AbstractSeamPhaseListener.enterPage(AbstractSeamPhaseListener.java:241)
               at org.jboss.seam.jsf.AbstractSeamPhaseListener.beforeRender(AbstractSeamPhaseListener.java:192)
               at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:53)
               at org.apache.myfaces.lifecycle.PhaseListenerManager.informPhaseListenersBefore(PhaseListenerManager.java:70)
               at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:373)
               at com.icesoft.faces.webapp.xmlhttp.PersistentFacesServlet.service(PersistentFacesServlet.java:402)
               at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:46)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
               at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
               at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
               at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
               at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
               at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
               at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
               at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
               at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
               at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
               at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
               at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
               at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
               at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
               at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
               at java.lang.Thread.run(Thread.java:595)
              



              So I tried to catch the NotLoggedInException in exceptions.xml

              <!DOCTYPE exceptions PUBLIC
               "-//JBoss/Seam Exceptions Configuration DTD 1.1//EN"
               "http://jboss.com/products/seam/exceptions-1.1.dtd">
              
              <exceptions>
               <exception class="org.jboss.seam.security.NotLoggedInException">
               <redirect view-id="../login.xhtml">Please Log In</redirect>
               <end-conversation/>
               </exception>
              </exceptions>
              


              Doesn't work.. What am I doing wrong and is this the suggested way to require a login for a directory?

              thanks,
              Dustin

              • 4. Re: restricting access using pages.xml
                Siarhei Dudzin Apprentice

                I fixed that bug locally and the patch is ready to be sent to Gavin.

                • 5. Re: restricting access using pages.xml
                  Shane Bryzak Master

                  This is fixed in CVS now.

                  • 6. Re: restricting access using pages.xml
                    Ciro Cavani Novice


                    I am trying use page restriction with #{identity.loggedIn} but I am getting this (from CVS version):

                    10:36:00,554 ERROR [AbstractSeamPhaseListener] Swallowing exception thrown by page action
                    org.jboss.seam.security.NotLoggedInException
                     at org.jboss.seam.security.Identity.checkRestriction(Identity.java:160)
                     at org.jboss.seam.pages.Page.enter(Page.java:186)
                     at org.jboss.seam.core.Pages.enterPage(Pages.java:239)
                     at org.jboss.seam.jsf.AbstractSeamPhaseListener.enterPage(AbstractSeamPhaseListener.java:241)
                     at org.jboss.seam.jsf.AbstractSeamPhaseListener.beforeRender(AbstractSeamPhaseListener.java:192)
                     at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:53)
                    


                    Because this in AbstractSeamPhaseListener.beforeRender:

                     try
                     {
                     actionsWereCalled = Pages.instance().enterPage( event.getFacesContext() );
                     return actionsWereCalled;
                     }
                     catch (RuntimeException re)
                     {
                     //we have to handle exceptions here because of
                     //how JSF defines exception handling from
                     //PhaseListener.beforePhase()
                     log.error("Swallowing exception thrown by page action", re);
                     return actionsWereCalled;
                     }
                     finally
                     {
                     Lifecycle.setPhaseId( PhaseId.RENDER_RESPONSE );
                     if (actionsWereCalled)
                     {
                     FacesMessages.afterPhase();
                     handleTransactionsAfterPageActions(event); //TODO: does it really belong in the finally?
                     }
                     }
                    


                    Then, exceptions.xml seems to be ignored here....

                    • 7. Re: restricting access using pages.xml
                      Ciro Cavani Novice

                      Well.... this is a dirty fix..... works to me but is very indecent :)

                      in org.jboss.seam.pages.Page.enter(Page.java:186) from:

                       Identity.instance().checkRestriction(expr);
                      


                       try
                       {
                       Identity.instance().checkRestriction(expr);
                       }
                       catch (Exception e)
                       {
                       try
                       {
                       Exceptions.instance().handle(e);
                       }
                       catch (Exception ex)
                       {
                       }
                      
                       return true;
                       }
                      


                      • 8. Re: restricting access using pages.xml
                        Gavin King Master

                        Would you please create an issue in JIRA for this, and assign to me.

                        Thanks.