1 2 Previous Next 16 Replies Latest reply on Feb 22, 2012 2:26 PM by zeeman

    Seam security and Pretty Faces

    zeeman Novice

      Using latest Seam 3 and AS7 7.1 beta.


      I have a page that uses seam security, it has a url param, the page needs to render only if seam security says it can (true from @secure method). The page backing bean produces an object injected into seam security @Secure method. But seam security is not being invoked, page is always rendering.
      My view config enum:



      @ViewPattern("/homes/eventHome.xhtml")
                      @UrlMapping(pattern = "/event/#{eventId}")
                      @AccessDeniedView("/home.xhtml")
                      @Authorized
                      EVENT_HOME,
      
                      @FacesRedirect
                      @ViewPattern("/*")
                      @AccessDeniedView("/home.xhtml")
                      @LoginView("/login.xhtml")
                      ALL;




      Seam security method:



      public @Secures
              @Authorized
              boolean isPublicEvent(final SecurityObj event) {
                      if (event == null || SportivityVisibilityEnum.PRIVATE_SPORTIVITY.equals(event.getSportivityVisiblity())) {
                              log.warn("event was null");
                              return false;
                      }
                      return true;
              }




      backing bean, @ViewScoped:


      @Inject
              @RequestParam("eventId")
              private Instance<Long> eventId;
      
              @Produces
              public SecurityObj getEvent() {
                      if (eventId.get() == null) {
                              log.warn("event id was null");
                              return null;
                      }
                      event = entityManager.find(SecurityObj.class, eventId);
                      return event;
      
              }





      Does my config look right? Am I missing anything? How to get pretty faces to work with seam security?


      Also I wanted to use

      @RestrictAtPhase(PhaseIdType.RESTORE_VIEW)

      for @Authorized but prettyfaces cannot deal with url param. I had to leave the default phases.

        • 1. Re: Seam security and Pretty Faces
          zeeman Novice

          I forgot to add, I want to have @Authorized annotated enums (in Viewconfig) apply to non logged in users. I understand @AccessDeniedView only works for logged in users.


          So my use case is this: for non logged in users, they can access a page, depending on how security is setup for an object used in this page users will be allowed to access the page or not. If the user cannot access the page they need to be redirected to a home page. This is where I'm stuck. I might not have been clear enough in my original post.


          Thanks!

          • 2. Re: Seam security and Pretty Faces
            Juan Francisco Navarrete Newbie

            I am having the same problem, it doesen't matter what the method annotated with @Secures returns, the page is always rendered.


            Have you managed to solve the problem?

            • 3. Re: Seam security and Pretty Faces
              Jason Porter Master

              Do you have a sample project or arquillian test case we can use?

              • 4. Re: Seam security and Pretty Faces
                Juan Francisco Navarrete Newbie

                Sure, what's your email address?

                • 5. Re: Seam security and Pretty Faces
                  Jason Porter Master

                  If you have a github account, that works. If not you can use my redhat email: jporter at redhat dot com

                  • 6. Re: Seam security and Pretty Faces
                    Juan Francisco Navarrete Newbie

                    I just sent you the sample project, thanks in advance.

                    • 7. Re: Seam security and Pretty Faces
                      zeeman Novice

                      Thank you Juan and Jason, please keep this thread updated. This issue is blocking me. I see some strange behavior especially when using PrettyFaces URL Mapping in ViewConfig.


                      Juan, Can you please send me your sample project? I want to run it and check few things in it.  hamzah0 at fastmail.us

                      • 8. Re: Seam security and Pretty Faces
                        Jason Porter Master

                        I fixed an issue I believe was the problem a few days ago, please try a SNAPSHOT version of faces (maybe even security). If that does NOT fix the problem get back to me ASAP with a simple test case so we can get this fixed for the 3.1.0.Final release in a few days.


                        Also, if you're using Glassfish note it has a bug (which is still outstanding) where interceptors are sporadically applied. Because security uses an interceptor things may work one deploy and not work on a different deploy. There is no work around for this, save redeploying the app until it does work.

                        • 9. Re: Seam security and Pretty Faces
                          zeeman Novice

                          Thanks for the update.


                          I'll try with the snapshot of Faces.


                          I get strange behavior on AS7.1 beta. It works on first deployment but not on redeployment when URL mapping annotation is used in ViewConfig. I have to delete my AS empty, data, and standalone config history, and deploy a clean build for things to work. Something iffy.


                          I have posted my config on prettyface forum, Lincol said my config look ok, mostly a Seam/security issue. I'm blocked on this. Also, what complicates this more, in my project we don't use a context root, the app is accessed as http://localhost:8080
                          so URL mapping and security are broken in Seam.


                          Is this an AS7 or a Seam issue?


                          To reproduce, If you just make a simple Seam project with one xhtml page, backed by an action class, use a security annotation to access from UI on action class, and use URLMapping in Viewconfig. you should reproduce the issue that way.  Don't use a context root in AS7.


                          Try to access the app via the mapped url defined in URLMapping. You'll not be able to hit the page.


                          • 10. Re: Seam security and Pretty Faces
                            Jason Porter Master

                            I just tried the viewconfig example from faces using a snapshot of faces and security (I don't think the snapshot of security matters) on AS 7.1Beta1b and redeployed multiple times, everything seems to be running just fine.

                            • 11. Re: Seam security and Pretty Faces
                              zeeman Novice

                              Jason, your fix helped with redeploy issue. But I'm still having issues with URL mapping and security.


                              In pretty-config.xml I have:


                                      <url-mapping id="eventHome">
                                              <pattern value="/event/#{eventHomepage.eventId}" />
                                              <view-id value="/homes/eventHome.xhtml" />
                                      </url-mapping>
                              



                              in @ViewConfig annotated enum:


                                              @FacesRedirect
                                              @ViewPattern("/homes/eventHome.xhtml")
                                              @Authorized
                                              @AccessDeniedView("/home.xhtml")
                                              @LoginView("/login.xhtml")
                                              EVENT



                              In viewPattern above, should I use /event or /homes/eventHome.xhtml? I think it should be  /event/ because that's the URL users will be using. is any event's Id.

                              /event
                              does not work. When I use /homes/eventHome.xhtml, security gets invoked, but I get redirected to login view, which is right, but after that I should be redirected to access denied view. Seam security is not working or am I doing something wrong?


                              My workflow is the following: a user needs to access an event's page.


                              The event can be private or public. if private, the user needs to be in event's allowed group, if a user not logged in, needs to login, then user is checked to be in event's allowed group, if true grant access, else redirect to access denied view. How to accomplish this with seam security and mapped URLs with pretty faces?


                              An event object has a flag for isPrivate, and a list of allowed users to access it.

                              • 12. Re: Seam security and Pretty Faces
                                Jason Porter Master

                                You have mappings in both pretty-config.xml and in @ViewConfig?

                                • 13. Re: Seam security and Pretty Faces
                                  zeeman Novice

                                  No, just in pretty-config.xml. I got strange behaviour when I put URL mappings in ViewConfig so I took them out and kept them in pretty-config.xml



                                  Jason Porter wrote on Dec 19, 2011 15:59:


                                  You have mappings in both pretty-config.xml and in @ViewConfig?


                                  Click HELP for text formatting instructions. Then edit this text and check the preview.

                                  • 14. Re: Seam security and Pretty Faces
                                    Jason Porter Master

                                    Any chance you can get me a stack dump? My initial thought is that because you're using PrettyFaces exclusively, it's not going through the Seam Faces NavigationHandler, so none of the auth checks are being performed.


                                    You could probably debug it and see if that's the case. If navigation is going through there and auth checks are happening then we'll have to dig further.

                                    1 2 Previous Next