4 Replies Latest reply on Apr 1, 2008 7:31 PM by geej15

    Static pdf docs in Seam application with authentication & authorization

    geej15 Newbie

      Hello,


      I am trying to include some static pdf and html pages in a Seam application I have.  Including them and accessing them is not an issue, but restricting access is.  I am using JBoss 4.2 and Seam 2.0 and have setup SSO between three Seam applications using JOSSO.  Everything works fine for xhtml pages, but anytime I access the static pdf and html pages, no authentication or authorization restrictions are applied.  I'm wondering what the best way to handle this is.  An example url that contains one of the pdf documents:



      https://localhost:8443/webapp/techpapers/paper.pdf




      an excerpt from my pages.xml configuration file:



          <page view-id="/techpapers/*" login-required="true" action="#{docsAuth.checkLogin}">
            <restrict>#{s:hasRole('admin')}</restrict>
          </page>



      Any help/suggestions would be appreciated.


      Geoff

        • 1. Re: Static pdf docs in Seam application with authentication & authorization
          Dustin Norlander Apprentice

          If you serve the pdf through an intermediary servlet you should be able to restrict access much easier.


          I'm not sure that using pages.xml will work for anything accept .xhtml pages.  I'd be curious if you figured out how to do it though.


          good luck,


          Dustin

          • 2. Re: Static pdf docs in Seam application with authentication & authorization
            geej15 Newbie

            Thanks for the suggestion.  It looks like that is what I will have to do.


            I just realized another issue today.  Documents that I converted from regular html to xhtml are protected only if they are accessed via their .seam extension.  If someone finds the .xhtml document, they can access it without facing any of the security restrictions setup via pages.xml nor the restrictions using the rendered attribute in the pages themselves.  Any suggestions on how to lock the content of the xhtml documents down?


            Thanks,
            Geoff

            • 3. Re: Static pdf docs in Seam application with authentication & authorization
              Pete Muir Master

              Add a security constraint to web.xml:


                <!-- servlets and such would be above -->
              
                <security-constraint>      
                  <display-name>Restrict XHTML Documents</display-name>
                  <web-resource-collection>
                    <web-resource-name>XHTML</web-resource-name>
                    <url-pattern>*.xhtml</url-pattern>
                  </web-resource-collection>
                  <auth-constraint>
                    <description>Only Let 'developer's access XHTML pages</description>
                    <role-name>developer</role-name>
                  </auth-constraint>
                </security-constraint>

              • 4. Re: Static pdf docs in Seam application with authentication & authorization
                geej15 Newbie

                This is the direction I ended up heading down, thanks for the hint.  This successfully protects .xhtml content, but is there also a way to do this for static .pdf docs.  I was able to protect them, but authorized user's are not able to access them either, no one is.  I'm not sure if I'm missing some configuration piece or if I am not correctly integrating with JOSSO to set a user's role in a way understood via the web.xml.  I think it may be due to the way i configured the server.xml file in jboss-web to use JOSSO, but I'm not sure.


                Thanks for any hints.


                Geoff