I forgot to mention that the method I showed is in the SecurityPhaseListener.
I also forgot to mention that the application is being deployed to Tomcat 7 (I do not believe that it has anything to do with this).
I use PrimeFaces, RichFaces, PrettyFaces (3.3.2).
I'm having similar problems. As a workaround I add
to each page where I have a security binding annotation, but I would prefer not to have to do it. I consider this a bug.
Let's see what Jason says.
Thanks for the hint. Documentation mentions
annotation, but I think that that should be
(as you said).
It also seems to say that it is possible to put that annotation on top of the interface, and then all of the pages would be checked at that particular phase.
I still wonder why there is a problem redirecting in the render response phase? And even more so, why is that a problem only with redirection to the access denied page, and not the login page too?
Why it isn't a problem redirecting to the login page: Because I missed it :)
Why it's a problem in the RENDER_RESPONSE phase? Because headers have already been sent to the browser for the page and we can't redirect. At least we shouldn't be able to redirect. If someone has a patch for checking to see if headers have been sent to the browser, we could send the redirect if they haven't; otherwise it's too late.
OK, if it's impossible to always restrict access before RENDER_RESPONSE then I suggest that by default RestrictAtPhase is RESTORE_VIEW.
I think there's a JIRA for that actually.
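
Added example (not part of the thread and not Seam's own code): a plain JSF 2 PhaseListener that applies the two ideas discussed above, restricting right after RESTORE_VIEW and checking whether the response is already committed before attempting a redirect at RENDER_RESPONSE. The class name, path prefix, role name and access-denied page are hypothetical.

```java
import java.io.IOException;
import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

// Hypothetical listener; register it under <lifecycle><phase-listener> in faces-config.xml.
public class EarlyRestrictListener implements PhaseListener {
    private static final String PROTECTED_PREFIX = "/admin/";   // assumed protected area
    private static final String REQUIRED_ROLE = "admin";        // assumed container role
    private static final String DENIED_VIEW = "/denied.xhtml";  // assumed access-denied page

    @Override
    public PhaseId getPhaseId() { return PhaseId.ANY_PHASE; }

    // Primary check: the view id is known once RESTORE_VIEW has finished,
    // and nothing has been written to the response yet.
    @Override
    public void afterPhase(PhaseEvent event) {
        if (event.getPhaseId() == PhaseId.RESTORE_VIEW) enforce(event.getFacesContext());
    }

    // Late check: navigation may have switched to a protected view during
    // INVOKE_APPLICATION, so re-check just before rendering.
    @Override
    public void beforePhase(PhaseEvent event) {
        if (event.getPhaseId() == PhaseId.RENDER_RESPONSE) enforce(event.getFacesContext());
    }

    private void enforce(FacesContext ctx) {
        if (ctx.getResponseComplete() || ctx.getViewRoot() == null) return;
        String viewId = ctx.getViewRoot().getViewId();
        ExternalContext ext = ctx.getExternalContext();
        if (viewId == null || !viewId.startsWith(PROTECTED_PREFIX) || ext.isUserInRole(REQUIRED_ROLE)) return;
        // Headers already sent: a redirect is impossible, so fail closed instead of rendering.
        if (ext.isResponseCommitted()) {
            ctx.responseComplete();
            throw new FacesException("Access denied for " + viewId + " after response was committed");
        }
        try {
            ext.redirect(ext.getRequestContextPath() + DENIED_VIEW);
            ctx.responseComplete();
        } catch (IOException e) {
            throw new FacesException("Could not redirect to access-denied page", e);
        }
    }
}
```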