4 Replies Latest reply on Apr 3, 2007 9:17 AM by Bradley Smith

    Q:  Seam Security - <restrict>..</...>

    Bradley Smith Master

      Hello,

      I was trying to make us of the tag in pages.xml to restrict access to a page based on whether or not a user has a role as reported by the Servlet container (instead of using Seam security):

      <restrict>#{isUserInRole['Admin']}"</restrict>
      


      Is this even possible? If not, is it possible to somehow make this check before allowing access to a page? Also, is there an equivalent to @Restrict that can work with the isUserInRole component?

      Thanks

        • 1. Re: Q:  Seam Security - <restrict>..</...>
          Shane Bryzak Master

          As far as I know this should work - there's nothing special about the EL expressions used for restrictions, i.e. they are not required to contain only Seam Security-related expressions. As long as the expression evaluates to a boolean it should be fine.

          • 2. Re: Q:  Seam Security - <restrict>..</...>
            Bradley Smith Master

             

            "shane.bryzak@jboss.com" wrote:
            As far as I know this should work - there's nothing special about the EL expressions used for restrictions, i.e. they are not required to contain only Seam Security-related expressions. As long as the expression evaluates to a boolean it should be fine.


            I have, in pages.xml, the following usage:

             <page view-id="/edit_mail_configuration.xhtml">
             <restrict>#{isUserInRole['Admin']}</restrict>
             </page>
            


            When I invoke this page from the browser, I get the following exception:

            08:11:12,294 ERROR org.jboss.seam.jsf.SeamPhaseListener - uncaught exception
            org.jboss.seam.security.NotLoggedInException
             at org.jboss.seam.security.Identity.checkRestriction(Identity.java:156)
             at org.jboss.seam.pages.Page.enter(Page.java:206)
             at org.jboss.seam.core.Pages.enterPage(Pages.java:276)
             at org.jboss.seam.jsf.AbstractSeamPhaseListener.enterPage(AbstractSeamPhaseListener.java:276)
             at org.jboss.seam.jsf.AbstractSeamPhaseListener.beforeRender(AbstractSeamPhaseListener.java:214)
             at org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:56)
             at org.apache.myfaces.lifecycle.PhaseListenerManager.informPhaseListenersBefore(PhaseListenerManager.java:70)
             at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:373)
             at javax.faces.webapp.FacesServlet.service(FacesServlet.java:138)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:97)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:144)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:57)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
             at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
             at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
             at com.evergreen.fastpass.catalina.CASSSOAuthenticatorValve.invoke(CASSSOAuthenticatorValve.java:373)
             at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
             at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
             at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
             at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
             at java.lang.Thread.run(Thread.java:595)


            I have not configured the Identity component - I am not using it. It looks like the restrict tag does require the Identity component be configured for restrict checks....



            • 3. Re: Q:  Seam Security - <restrict>..</...>
              Shane Bryzak Master

              If you are not using Identity to authenticate then you need to override Identity.checkRestriction() with your own implementation that doesn't check isLoggedIn().

              • 4. Re: Q:  Seam Security - <restrict>..</...>
                Bradley Smith Master

                 

                If you are not using Identity to authenticate then you need to override Identity.checkRestriction() with your own implementation that doesn't check isLoggedIn().


                This is what I suspected - that <restrict\> and @Restrict require the Identity component. And so it sounds like the answer to my original question is - no, you can't just put

                <restrict>#{isUserInRole['Admin']}</restrict>


                on a page in pages.xml or

                @Restrict("#{isUserInRole['Admin']}")


                on a class or a method and have it 'just work' as you would expect in Seam. The combination of Identity and and/or @Restrict is an all-or-nothing component.

                Thanks