8 Replies Latest reply on Aug 3, 2007 10:57 AM by Chris Lowe

    not redirecting to security_error.xhtml

    emerson carara Newbie

      HI,

      I´ve started using seam security in advanced mode.
      In fact I´m using dynamic role as you can see at
      http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4045165#4045165

      I´ve configured my pages.xml with this exceptions

      <exception class="org.jboss.seam.security.NotLoggedInException">
       <redirect view-id="/login.xhtml">
       <message>You must be logged in to perform this action</message>
       </redirect>
       </exception>
      
       <exception class="org.jboss.seam.security.AuthorizationException">
       <end-conversation/>
       <redirect view-id="/security_error.xhtml">
       <message>You do not have the necessary security privileges to perform this action.</message>
       </redirect>
       </exception>


      Then, i´ve configured my components.xml with this events

      <event type="org.jboss.seam.notLoggedIn">
       <action expression="#{redirect.captureCurrentView}"/>
      </event>
      
      <event type="org.jboss.seam.postAuthenticate">
       <action expression="#{redirect.returnToCapturedView}"/>
      </event>


      Finally, i´ve annotated a method (corcontroller seam component) with @Restrict.

      When I do a simple test calling this method in a view (denying authorization) I got an authorization check failed(AuthorizationException). According to pages.xml, it should be redirected to view security_error.xhtml, but what really appears is an error with a stack trace. Looking at the console we can see this message:

      SERV ERROR RENDERING VIEW COR.XTML


      and after,

      Authorization check failed


      seam version: 1.2.1
      jboss version: 4.0.5
      operational system: windows 2003


      tks in advance

      emerson fabiano

        • 1. Re: not redirecting to security_error.xhtml
          Christian Bauer Master

           


          SERV ERROR RENDERING VIEW COR.XTML


          ?! Is this something you typed in or is it really in the log? My guess is that you need to post the real full log excerpt.


          • 2. Re: not redirecting to security_error.xhtml
            emerson carara Newbie

            Hi Christian,

            The complete stack trace is:

            SEVERE: Error Rendering View[/Cor.xhtml]
            org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasPermission('corcontroller','selecionar', null)}]
             at org.jboss.seam.security.Identity.checkRestriction(Identity.java:160)
             at org.jboss.seam.interceptors.SecurityInterceptor.aroundInvoke(SecurityInterceptor.java:35)
             at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
             at org.jboss.seam.interceptors.RemoveInterceptor.aroundInvoke(RemoveInterceptor.java:40)
             at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
             at org.jboss.seam.interceptors.SynchronizationInterceptor.aroundInvoke(SynchronizationInterceptor.java:31)
             at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
             at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:103)
             at org.jboss.seam.intercept.ClientSideInterceptor.invoke(ClientSideInterceptor.java:50)
             at org.javassist.tmp.java.lang.Object_$$_javassist_101.selecionar(Object_$$_javassist_101.java)
             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
             at java.lang.reflect.Method.invoke(Unknown Source)
             at org.jboss.seam.util.Reflections.invoke(Reflections.java:20)
             at org.jboss.seam.util.Reflections.invokeAndWrap(Reflections.java:123)
             at org.jboss.seam.Component.callComponentMethod(Component.java:1834)
             at org.jboss.seam.Component.getInstanceFromFactory(Component.java:1696)
             at org.jboss.seam.Component.getInstance(Component.java:1633)
             at org.jboss.seam.Component.getInstance(Component.java:1610)
             at org.jboss.seam.jsf.SeamVariableResolver.resolveVariable(SeamVariableResolver.java:53)
             at org.apache.myfaces.config.LastVariableResolverInChain.resolveVariable(LastVariableResolverInChain.java:42)
             at com.sun.facelets.el.LegacyELContext$LegacyELResolver.getValue(LegacyELContext.java:134)
             at com.sun.el.parser.AstIdentifier.getValue(AstIdentifier.java:65)
             at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:192)
             at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
             at com.sun.el.parser.AstIdentifier.getValue(AstIdentifier.java:61)
             at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:192)
             at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
             at com.sun.el.parser.AstIdentifier.getValue(AstIdentifier.java:61)
             at com.sun.el.parser.AstEmpty.getValue(AstEmpty.java:49)
             at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:192)
             at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
             at com.sun.facelets.el.LegacyValueBinding.getValue(LegacyValueBinding.java:56)
             at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:1075)
             at org.ajax4jsf.framework.renderer.RendererBase.renderChild(RendererBase.java:246)
             at org.ajax4jsf.framework.renderer.RendererBase.renderChildren(RendererBase.java:232)
             at org.ajax4jsf.renderkit.html.AjaxOutputPanelRenderer.encodeChildren(AjaxOutputPanelRenderer.java:79)
             at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:524)
             at org.ajax4jsf.framework.renderer.RendererBase.renderChild(RendererBase.java:252)
             at org.ajax4jsf.framework.renderer.RendererBase.renderChildren(RendererBase.java:232)
             at org.ajax4jsf.framework.renderer.RendererBase.renderChild(RendererBase.java:254)
             at org.ajax4jsf.framework.renderer.RendererBase.renderChildren(RendererBase.java:232)
             at org.ajax4jsf.framework.renderer.AjaxContainerRenderer.encodeChildren(AjaxContainerRenderer.java:100)
             at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:524)
             at org.ajax4jsf.ajax.UIAjaxRegion.encodeChildren(UIAjaxRegion.java:119)
             at com.sun.facelets.tag.jsf.ComponentSupport.encodeRecursive(ComponentSupport.java:244)
             at com.sun.facelets.tag.jsf.ComponentSupport.encodeRecursive(ComponentSupport.java:249)
             at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:573)
             at org.ajax4jsf.framework.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:108)
             at org.ajax4jsf.framework.ajax.AjaxViewHandler.renderView(AjaxViewHandler.java:229)
             at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:384)
             at javax.faces.webapp.FacesServlet.service(FacesServlet.java:138)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:234)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:57)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:63)
             at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
             at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
             at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:57)
             at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
             at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:79)
             at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
             at org.jboss.seam.web.SeamFilter.doFilter(SeamFilter.java:84)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:96)
             at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:220)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
             at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
             at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
             at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
             at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
             at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
             at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
             at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
             at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
             at java.lang.Thread.run(Unknown Source)



            This is what apears on my screen (where should be security_error.xhtml):

            An Error Occurred:
            Authorization check failed for expression [#{s:hasPermission('corcontroller','selecionar', null)}]
            +- Stack Trace


            An important thing is that the same method I´ve annotated with @Restrict is annotated with @Factory as you can see here:

            @Factory("cores")
             @Restrict
             public String selecionar() {
             cores = dao.selecionarTodos(Cor.class);
             return super.selecionar();
             }


            tks in advance

            emerson fabiano

            • 3. Re: not redirecting to security_error.xhtml
              Damian Harvey Master

              Hi,

              I'm also seeing this behaviour. As with Efabiano I have annotated a method with

              @Restrict("#{s:hasPermission('vesselHome','persist',vesselHome.instance)}")

              And have the Exception in pages.xml
              <exception class="org.jboss.seam.security.AuthorizationException">
               <redirect view-id="/secure/home.xhtml">
               <message>#{messages['org.jboss.seam.security.AuthorizationException']}</message>
               </redirect>
               </exception>
              

              Trying to perform that operation with a user without the correct auth results in a org.jboss.seam.security.AuthorizationException, but the redirect never occurs and the browser displays the HTTP Status 500 and stack trace.

              This is using a Seam Gen project and the Restriction is in an EntityHome object.

              Cheers,

              Damian.

              • 4. Re: not redirecting to security_error.xhtml
                Carlos Zaniolo Newbie

                Hi,

                Seam documentation says that "Redirect does not work for exceptions which occur during the render phase of the JSF lifecycle."

                Maybe these errors are occurring in the render phase!

                • 5. Re: not redirecting to security_error.xhtml
                  Damian Harvey Master

                  From IBM's JSF article (http://www-128.ibm.com/developerworks/java/library/j-jsf2/)
                  The six phases of the JSF application lifecycle are as follows (note the event processing at each phase):
                  1. Restore view
                  2. Apply request values; process events
                  3. Process validations; process events
                  4. Update model values; process events
                  5. Invoke application; process events
                  6. Render response

                  I should have mentioned that my method is persist(). This puts it in phase #5 I think, so not in the render phase.

                  I'm sure it's just a config issue as the Wiki example uses something similar in the AdminHome, DirectoryHome, NodeHome and UserHome classes.

                  Regards,

                  Damian.[/url]

                  • 6. Re: not redirecting to security_error.xhtml
                    Shane Bryzak Master

                    Can you raise this issue in JIRA and assign it to me, that way it will get looked at.

                    • 7. Re: not redirecting to security_error.xhtml
                      Damian Harvey Master

                      Thanks Shane. JBSEAM-1333

                      Regards,

                      Damian.

                      • 8. Re: not redirecting to security_error.xhtml
                        Chris Lowe Apprentice

                        I just came across this issue and managed to figure out a workaround.

                        I had a class level @Restrict defined for a bean. The bean had two functions: 1) to provide a @DataModel with its associated @Factory; and 2) to define an action method for my persistence logic. From the JIRA reference above it seams that exception trapping does not work if the exception occurs during the RENDER_RESPONSE phase. The button action should be fine since the action would be called as part of the INVOKE_APPLICATION phase.

                        However, the problem comes from the @DataModel (or any other data binding for that matter) which will only be called during the RENDER_RESPONSE phase. Therefore when the page that uses the data model is first accessed, it is the point when the bindings/data model are first accessed that cause the problem. The workaround comes from the fact that we need to somehow get the bean to be accessed during an earlier phase. Fortunately for us, this is really easy to do in Seam using a page action:

                        Add a dummy method to your bean...
                        
                        @Name("permissionsHome")
                        @Scope(ScopeType.CONVERSATION)
                        @Restrict("#{s:hasRole('administration')}")
                        public class PermissionsHome {
                        
                         ...
                        
                         public void forceEarlySecurityCheck() {
                         // this page action ensures that the class level @Restrict() rules are run before RENDER_RESPONSE
                         }
                        }
                        
                        
                        ...and invoke from your XXX.pages.xml
                        
                        <page ... action="#{permissionsHome.forceEarlySecurityCheck}" >
                        </page>


                        This results in an invocation attempt against the action before RENDER_RESPONSE thus allows the AuthorizationException be handled correctly by Seam.

                        I'm sure you lot had already figured this out, but I thought I'd post my solution just in case it's useful to someone else.

                        Cheers,

                        Chris.