If you serve the pdf through an intermediary servlet you should be able to restrict access much easier.
I'm not sure that using pages.xml will work for anything accept .xhtml pages. I'd be curious if you figured out how to do it though.
Thanks for the suggestion. It looks like that is what I will have to do.
I just realized another issue today. Documents that I converted from regular html to xhtml are protected only if they are accessed via their .seam extension. If someone finds the .xhtml document, they can access it without facing any of the security restrictions setup via pages.xml nor the restrictions using the rendered attribute in the pages themselves. Any suggestions on how to lock the content of the xhtml documents down?
Add a security constraint to web.xml:
<!-- servlets and such would be above --> <security-constraint> <display-name>Restrict XHTML Documents</display-name> <web-resource-collection> <web-resource-name>XHTML</web-resource-name> <url-pattern>*.xhtml</url-pattern> </web-resource-collection> <auth-constraint> <description>Only Let 'developer's access XHTML pages</description> <role-name>developer</role-name> </auth-constraint> </security-constraint>
This is the direction I ended up heading down, thanks for the hint. This successfully protects .xhtml content, but is there also a way to do this for static .pdf docs. I was able to protect them, but authorized user's are not able to access them either, no one is. I'm not sure if I'm missing some configuration piece or if I am not correctly integrating with JOSSO to set a user's role in a way understood via the web.xml. I think it may be due to the way i configured the server.xml file in jboss-web to use JOSSO, but I'm not sure.
Thanks for any hints.