15 Replies Latest reply on Oct 15, 2010 8:00 AM by Benjamin Mark

    Seam vs Spring Security - How to restrict http path without using pages xml

    infinity2heaven Novice

      I need to restrict http paths via database rather than an xml file since it's so much easier to test, develop and manage. Currently Seam's page restriction seems to be tied to <restrict/> tags all over pages.xml. How do I override this default behavior by adding my own database lookup?


      Spring Security has the same problem of xml configuration hell and we override this by adding our own http filter in the interceptor chain. For ex, the following can be overridden in spring:


       <http auto-config='true'>
          <intercept-url pattern="/**" access="ROLE_USER" />
        </http>
      



      What's the alternative in Seam?

        • 1. Re: Seam vs Spring Security - How to restrict http path without using pages xml
          Shane Bryzak Master

          You can set the restrictions programmatically using Page.setRestriction().  To get the page, use Pages.getPage().

          • 2. Re: Seam vs Spring Security - How to restrict http path without using pages xml
            infinity2heaven Novice

            getPage() is not a static method. How do I get hold of the Pages reference loaded at startup?

            • 4. Re: Seam vs Spring Security - How to restrict http path without using pages xml
              infinity2heaven Novice

              this doesn't work. (added in seam jpa hotel booking example)


              @Name("initHttp")
              @Scope(ScopeType.APPLICATION) @Startup
              public class InitHttpPathRoles {
                   
                    public void init() {
                         Pages pages = Pages.instance();
                         Page page = pages.getPage("//main.xhtml");
                         page.setRestriction("#{s:hasRole('rewardsuser')");
                    }
              }



              Suggestions

              • 5. Re: Seam vs Spring Security - How to restrict http path without using pages xml
                Adrien Orsier Newbie

                Try that:


                @Startup(depends="org.jboss.seam.navigation.pages")



                So your Component wait for the Pages to be created first.

                • 6. Re: Seam vs Spring Security - How to restrict http path without using pages xml
                  infinity2heaven Novice

                  I did the same. init() method never gets called (checked with my logger)


                  Any suggestions?

                  • 7. Re: Seam vs Spring Security - How to restrict http path without using pages xml
                    Adrien Orsier Newbie

                    Well, as far as I can see on your code, this can't work, you'd need to annotate your init() method with @Create if you want it to be called automatically at Component's creation.

                    • 8. Re: Seam vs Spring Security - How to restrict http path without using pages xml
                      infinity2heaven Novice

                      component is created now, however this line - page.setRestriction("#{s:hasRole('rewardsuser')"); doesn't seem to restrict the page main.html.


                      What am I missing?

                      • 9. Re: Seam vs Spring Security - How to restrict http path without using pages xml
                        Eduard Correa Newbie

                        Hi, Priya


                        Have you been able to resolve this error?


                        I have the same problem and I have tried several things but always with the same results..:(


                        I see that the sharp symbol doesn't work correctly in the restriction string.


                        Thanks for some help!!!

                        • 10. Re: Seam vs Spring Security - How to restrict http path without using pages xml
                          Francisco Jose Peredo Noguez Master

                          Priya M wrote on Mar 05, 2009 22:02:


                          I need to restrict http paths via database rather than an xml file since it's so much easier to test, develop and manage. Currently Seam's page restriction seems to be tied to <restrict/> tags all over pages.xml. How do I override this default behavior by adding my own database lookup?

                          What's the alternative in Seam?


                          It is really quite simple: the <restrict/> tag does not really restrict things, it just means that you want Seam to verify if the currently logged-in user has permission to access the resources. You can restrict every page under a folder by writing:


                               <page view-id="/restrictedArea/*" login-required="true" >
                                    <restrict/>
                               </page>     
                          



                          But actual restriction happens at the permission resolver components when the particular pages inside that folder are accessed. If you want to check against the database (like me), just define your own permission resolver; Seam will automatically detect it and it will automatically call its methods to verify if the current user has access:


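                          import java.util.Iterator;
                          import java.util.Set;

                          import org.jboss.seam.annotations.Name;
                          import org.jboss.seam.security.Identity;

                          // The component name must not contain whitespace (no trailing space).
                          @Name("myPermissionResolver")
                          public class MyPermissionResolver implements
                                    org.jboss.seam.security.permission.PermissionResolver {
                          
                               // Removes from the set every target the current user is permitted to act on.
                               public void filterSetByAction(Set<Object> targets, String action) {
                                    Identity identity = Identity.instance();
                                    if (!identity.isLoggedIn())
                                         return;
                          
                                    Iterator<Object> iter = targets.iterator();
                                    while (iter.hasNext()) {
                                         Object target = iter.next();
                                         if (hasPermission(target, action)) {
                                              iter.remove();
                                         }
                                    }
                               }
                          
                               public boolean hasPermission(Object target, String action) {
                                  //Write here the code to check access against the database
                                  return false; // deny until the database check is written
                               }
                          
                          }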
                          

                          • 11. Re: Seam vs Spring Security - How to restrict http path without using pages xml
                            Eduard Correa Newbie

                            Thanks Francisco!


                            Another favor, could you tell me how to define Custom Permission Resolver in Components.xml or in Seam app?


                            • 12. Re: Seam vs Spring Security - How to restrict http path without using pages xml
                              Francisco Jose Peredo Noguez Master

                              Eduard Leandro Correa A. wrote on Sep 28, 2009 18:23:


                              Thanks Francisco!

                              Another favor, could you tell me how to define Custom Permission Resolver in Components.xml or in Seam app?




                              Already told you how, there is no need to add anything into components.xml, all you have to have is a class in your project that is a Seam component (has a @Name annotation) and inherits from org.jboss.seam.security.permission.PermissionResolver like the one I posted in my previous post...

                              • 13. Re: Seam vs Spring Security - How to restrict http path without using pages xml
                                Benjamin Mark Newbie

                                Tried your example with return true at the hasPermission() function and got this error




                                Exception sending context initialized event to listener instance of class org.jboss.seam.servlet.SeamListener
                                java.lang.RuntimeException: Could not create Component: myPermissionResolver 
                                     at org.jboss.seam.init.Initialization.addComponent(Initialization.java:1202)
                                     at org.jboss.seam.init.Initialization.installComponents(Initialization.java:1118)
                                     at org.jboss.seam.init.Initialization.init(Initialization.java:733)
                                     at org.jboss.seam.servlet.SeamListener.contextInitialized(SeamListener.java:36)
                                     at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3910)
                                     at org.apache.catalina.core.StandardContext.start(StandardContext.java:4393)
                                     at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:310)
                                     at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy(TomcatDeployment.java:142)
                                     at org.jboss.web.deployers.AbstractWarDeployment.start(AbstractWarDeployment.java:461)
                                     at org.jboss.web.deployers.WebModule.startModule(WebModule.java:118)
                                     at org.jboss.web.deployers.WebModule.start(WebModule.java:97)
                                     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                                     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                                     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                                     at java.lang.reflect.Method.invoke(Unknown Source)
                                     at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
                                     at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
                                     at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
                                     at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
                                     at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
                                     at org.jboss.system.microcontainer.ServiceProxy.invoke(ServiceProxy.java:206)
                                     at $Proxy38.start(Unknown Source)
                                     at org.jboss.system.microcontainer.StartStopLifecycleAction.installAction(StartStopLifecycleAction.java:42)
                                     at org.jboss.system.microcontainer.StartStopLifecycleAction.installAction(StartStopLifecycleAction.java:37)
                                     at org.jboss.dependency.plugins.action.SimpleControllerContextAction.simpleInstallAction(SimpleControllerContextAction.java:62)
                                     at org.jboss.dependency.plugins.action.AccessControllerContextAction.install(AccessControllerContextAction.java:71)
                                     at org.jboss.dependency.plugins.AbstractControllerContextActions.install(AbstractControllerContextActions.java:51)
                                     at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
                                     at org.jboss.system.microcontainer.ServiceControllerContext.install(ServiceControllerContext.java:286)
                                     at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1631)
                                     at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:934)
                                     at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)
                                     at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:984)
                                     at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:822)
                                     at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:553)
                                     at org.jboss.system.ServiceController.doChange(ServiceController.java:688)
                                     at org.jboss.system.ServiceController.start(ServiceController.java:460)
                                     at org.jboss.system.deployers.ServiceDeployer.start(ServiceDeployer.java:163)
                                     at org.jboss.system.deployers.ServiceDeployer.deploy(ServiceDeployer.java:99)
                                     at org.jboss.system.deployers.ServiceDeployer.deploy(ServiceDeployer.java:46)
                                     at org.jboss.deployers.spi.deployer.helpers.AbstractSimpleRealDeployer.internalDeploy(AbstractSimpleRealDeployer.java:62)
                                     at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployer.deploy(AbstractRealDeployer.java:50)
                                     at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:171)
                                     at org.jboss.deployers.plugins.deployers.DeployersImpl.doDeploy(DeployersImpl.java:1439)
                                     at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1157)
                                     at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1178)
                                     at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1210)
                                     at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:1098)
                                     at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
                                     at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1631)
                                     at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:934)
                                     at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)
                                     at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:984)
                                     at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:822)
                                     at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:553)
                                     at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:781)
                                     at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:702)
                                     at org.jboss.system.server.profileservice.repository.MainDeployerAdapter.process(MainDeployerAdapter.java:117)
                                     at org.jboss.system.server.profileservice.hotdeploy.HDScanner.scan(HDScanner.java:362)
                                     at org.jboss.system.server.profileservice.hotdeploy.HDScanner.run(HDScanner.java:255)
                                     at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
                                     at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
                                     at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
                                     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
                                     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
                                     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
                                     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
                                     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
                                     at java.lang.Thread.run(Unknown Source)
                                Caused by: java.lang.IllegalStateException: not a valid Seam component name: myPermissionResolver 
                                     at org.jboss.seam.Component.checkName(Component.java:266)
                                     at org.jboss.seam.Component.<init>(Component.java:220)
                                     at org.jboss.seam.Component.<init>(Component.java:205)
                                     at org.jboss.seam.init.Initialization.addComponent(Initialization.java:1186)
                                     ... 68 more
                                12:42:28,171 ERROR [StandardContext] Error listenerStart



                                My Class




                                package ch.bemar.creditfriend.action.helper.permission;
                                
                                import java.util.Iterator;
                                import java.util.Set;
                                
                                import org.jboss.seam.annotations.Name;
                                import org.jboss.seam.security.Identity;
                                
                                @Name("myPermissionResolver ")
                                public class MyPermissionResolver implements org.jboss.seam.security.permission.PermissionResolver
                                {
                                
                                    public void filterSetByAction(Set<Object> targets, String action)
                                    {
                                        Identity identity = Identity.instance();
                                        if (!identity.isLoggedIn())
                                            return;
                                
                                        Iterator<Object> iter = targets.iterator();
                                        while (iter.hasNext())
                                        {
                                            Object target = iter.next();
                                            if (hasPermission(target, action))
                                            {
                                                iter.remove();
                                            }
                                        }
                                    }
                                
                                    public boolean hasPermission(Object target, String action)
                                    {
                                        System.out.println("Checking target: " + target.toString());
                                        return true;
                                    }
                                
                                }







                                Any idea what the reason could be?


                                Thx for your help


                                Ben

                                • 14. Re: Seam vs Spring Security - How to restrict http path without using pages xml
                                  Leo van den berg Master

                                  Hi,


                                  The Permission resolver should have a Session or Application scope (Seam documentation Writing your own permission resolver)


                                  Leo
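
The database check that post 10 leaves as a comment inside hasPermission() could delegate to a deny-by-default path policy like the one below. This is an added example, not code from any poster or from Seam: the class name PathAccessPolicy, its methods, the in-memory rule map standing in for a database table, and the roles "admin" and "auditor" are assumptions, while the paths and the role "rewardsuser" reuse the values quoted in the thread.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical helper (not part of Seam): maps view-id patterns to a required role.
public class PathAccessPolicy {
    private final Map<String, String> roleByPattern;

    // rows: pattern -> required role, as they would be loaded from a database table.
    public PathAccessPolicy(Map<String, String> rows) {
        this.roleByPattern = new LinkedHashMap<>(rows);
    }

    // Collapse repeated slashes; reject relative paths and "." / ".." segments.
    static String normalize(String viewId) {
        if (viewId == null) return null;
        String path = viewId.replaceAll("/{2,}", "/");
        if (!path.startsWith("/")) return null;
        for (String segment : path.split("/")) {
            if (segment.equals("..") || segment.equals(".")) return null;
        }
        return path;
    }

    // Longest matching pattern wins; a pattern is an exact path or a prefix ending in "/*".
    String requiredRole(String path) {
        String best = null;
        for (String pattern : roleByPattern.keySet()) {
            boolean matches = pattern.endsWith("/*")
                    ? path.startsWith(pattern.substring(0, pattern.length() - 1))
                    : path.equals(pattern);
            if (matches && (best == null || pattern.length() > best.length())) best = pattern;
        }
        return best == null ? null : roleByPattern.get(best);
    }

    // Deny by default: an unparseable path or a path with no rule is refused.
    public boolean isAllowed(String viewId, Set<String> userRoles) {
        String path = normalize(viewId);
        if (path == null) return false;
        String role = requiredRole(path);
        return role != null && userRoles.contains(role);
    }

    public static void main(String[] args) {
        Map<String, String> rows = new LinkedHashMap<>(); // constructed sample rows
        rows.put("/restrictedArea/*", "admin");
        rows.put("/restrictedArea/reports/*", "auditor");
        rows.put("/main.xhtml", "rewardsuser");
        PathAccessPolicy policy = new PathAccessPolicy(rows);
        Set<String> roles = Collections.singleton("rewardsuser");
        for (String viewId : Arrays.asList("/main.xhtml", "//main.xhtml",
                "/restrictedArea/a.xhtml", "/other.xhtml", "/restrictedArea/../main.xhtml")) {
            System.out.println(viewId + " -> " + policy.isAllowed(viewId, roles));
        }
    }
}
```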
