7 Replies Latest reply on May 24, 2011 9:53 AM by bora bora

    Change committed even if an AuthorizationException is thrown by @Restrict; flushmode = auto

    Sylvain Catudal Newbie

      I have an unexpected behavior here: an exception is thrown and the entity manager still flushes.  Let me explain the context.


      On a POJO backing bean, I put an @Restrict on the save() method to make sure that the caller has the required permissions.  In the JSF page, it is possible to call the getters and setters in order to modify the entity.  Since the AuthorizationException is only thrown when the save method is invoked, the entity's values can be changed.


      The BIG problem here is that the entity manager will flush the changes made to the entity right after the AuthorizationException is thrown because of the flush-mode = auto.


      Note that if an identity.checkPermission is done inside the save method instead of around by the @Restrict, I get the expected behavior: no flush is done.


      I know that I could simply add this as a workaround:


      // Fires on Seam's notAuthorized event, i.e. whenever Identity throws an
      // AuthorizationException (including the one raised by the @Restrict interceptor).
      @Observer(value = Identity.EVENT_NOT_AUTHORIZED)
      public void rollback() {
          entityManager.clear();   // discard pending changes so flush-mode AUTO has nothing left to write
      }



      Is that worth a JIRA, or is it expected behavior?


      Thanks everyone,
      Sylvain
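As an added illustration of the scenario described in the post (example code, not the poster's project or Seam's own source), here is a Seam 2 backing bean laid out so that a failed @Restrict check on save() cannot be followed by an implicit flush. The conversation is started with MANUAL flush mode, so setters invoked by the JSF page only change the in-memory entity and nothing reaches the database until save() explicitly calls flush(). The component name `editRole`, the `Role` entity and its `ADMIN_ROLE` mapping are constructed for this example to match the names visible in the thread's stack trace and Hibernate output; the package name is hypothetical.

```java
// Added example (hypothetical package and entity names).
package example.role;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Table;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Begin;
import org.jboss.seam.annotations.End;
import org.jboss.seam.annotations.FlushModeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.security.Restrict;

@Name("editRole")
@Scope(ScopeType.CONVERSATION)
public class EditRoleAction {

    @In
    private EntityManager entityManager;   // Seam-managed persistence context

    private Role role;                     // entity the form edits through role.name / role.type

    // MANUAL flush mode is the key change. With flush-mode AUTO every setter the
    // form calls on the managed entity becomes a pending UPDATE that Hibernate
    // writes out at the end of the request, whether or not save() was allowed to
    // run. With MANUAL, nothing is written until entityManager.flush() is called.
    @Begin(flushMode = FlushModeType.MANUAL)
    public void edit(Long roleId) {
        role = entityManager.find(Role.class, roleId);
    }

    public Role getRole() {
        return role;
    }

    // @Restrict with no value defaults to #{s:hasPermission('editRole','save')},
    // the permission named in the thread's stack trace. SecurityInterceptor
    // evaluates it around the call, so on failure the body never executes and,
    // because the flush is explicit, no UPDATE is issued for the edited entity.
    @Restrict
    @End
    public String save() {
        entityManager.flush();   // the one place a write is allowed to happen
        return "saved";
    }

    // Explicit discard path for a Cancel button: drop the unflushed changes.
    @End
    public String cancel() {
        entityManager.clear();
        return "cancelled";
    }
}

// Minimal entity matching the UPDATE statement shown later in the thread
// (constructed for this example; not the poster's mapping).
@Entity
@Table(name = "ADMIN_ROLE")
class Role {

    @Id
    @Column(name = "role_id")
    private Long id;

    @Column(name = "Name")
    private String name;

    private String type;

    public Long getId() { return id; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getType() { return type; }
    public void setType(String type) { this.type = type; }
}
```

Two caveats apply. Seam's MANUAL flush mode is only honoured inside a long-running conversation with a Seam-managed persistence context backed by Hibernate, so a request-scoped bean or a plain container-managed EntityManager falls back to AUTO and still shows the behaviour reported in the thread. And because the flush now happens inside save(), the authorization check must stay on save() itself (or be repeated there with identity.checkPermission) rather than only on the page that renders the form.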

        • 1. Re: Change committed even if an AuthorizationException is thrown by @Restrict; flushmode = auto
          Shane Bryzak Master

          That's not expected behaviour, I suspect that it has something to do with interceptor ordering.  Could you please raise this in JIRA?

          • 2. Re: Change committed even if an AuthorizationException is thrown by @Restrict; flushmode = auto
            Shane Bryzak Master

            Actually, I've just committed a small change to SVN that should address this.  It would be great if you could test this and let me know if it fixes your issue.

            • 3. Re: Change committed even if an AuthorizationException is thrown by @Restrict; flushmode = auto
              Sylvain Catudal Newbie

              Thanks for the quick answer.  I'll try to find some time to test this today.


              During integration testing, I would get an EmptyStackException in a situation very similar to this one.  If I put the restrict around the method, I get an AuthorizationException and an EmptyStackException.  If the checkPermission is inside the method, I get the expected behavior.  I suspect that the source of the problem is the same.


              I'll check this in the meantime.


              Thanks again,
              Sylvain

              • 4. Re: Change committed even if an AuthorizationException is thrown by @Restrict; flushmode = auto
                Sylvain Catudal Newbie

                It doesn't fix the issue.  Here is the stack trace:


                14:16:24,792 ERROR [application] org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
                javax.faces.el.EvaluationException: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
                     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:102)
                     at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
                     at javax.faces.component.UICommand.broadcast(UICommand.java:387)
                     at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:321)
                     at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:296)
                     at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:253)
                     at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:466)
                     at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:82)
                     at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
                     at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
                     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
                     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
                     at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:177)
                     at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:267)
                     at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:380)
                     at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:507)
                     at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.web.HotDeployFilter.doFilter(HotDeployFilter.java:53)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at ca.mcgill.muhc.scn.util.TimingFilter.doFilter(TimingFilter.java:37)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
                     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
                     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
                     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
                     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
                     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
                     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
                     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                     at java.lang.Thread.run(Unknown Source)
                Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
                     at org.jboss.seam.security.Identity.checkPermission(Identity.java:590)
                     at org.jboss.seam.security.SecurityInterceptor$Restriction.check(SecurityInterceptor.java:147)
                     at org.jboss.seam.security.SecurityInterceptor.aroundInvoke(SecurityInterceptor.java:161)
                     at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
                     at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
                     at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
                     at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)
                     at ca.mcgill.muhc.scn.user.role.action.EditRoleAction_$$_javassist_seam_16.save(EditRoleAction_$$_javassist_seam_16.java)
                     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                     at java.lang.reflect.Method.invoke(Unknown Source)
                     at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335)
                     at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:348)
                     at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
                     at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
                     at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
                     at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
                     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
                     ... 55 more
                14:16:24,792 WARN  [lifecycle] #{editRole.save}: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
                javax.faces.FacesException: #{editRole.save}: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
                     at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:118)
                     at javax.faces.component.UICommand.broadcast(UICommand.java:387)
                     at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:321)
                     at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:296)
                     at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:253)
                     at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:466)
                     at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:82)
                     at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
                     at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
                     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
                     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
                     at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:177)
                     at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:267)
                     at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:380)
                     at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:507)
                     at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.web.HotDeployFilter.doFilter(HotDeployFilter.java:53)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at ca.mcgill.muhc.scn.util.TimingFilter.doFilter(TimingFilter.java:37)
                     at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                     at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
                     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
                     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
                     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
                     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
                     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
                     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
                     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                     at java.lang.Thread.run(Unknown Source)
                Caused by: javax.faces.el.EvaluationException: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
                     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:102)
                     at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
                     ... 54 more
                Caused by: org.jboss.seam.security.AuthorizationException: Authorization check failed for permission[editRole,save]
                     at org.jboss.seam.security.Identity.checkPermission(Identity.java:590)
                     at org.jboss.seam.security.SecurityInterceptor$Restriction.check(SecurityInterceptor.java:147)
                     at org.jboss.seam.security.SecurityInterceptor.aroundInvoke(SecurityInterceptor.java:161)
                     at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
                     at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
                     at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:185)
                     at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:103)
                     at ca.mcgill.muhc.scn.user.role.action.EditRoleAction_$$_javassist_seam_16.save(EditRoleAction_$$_javassist_seam_16.java)
                     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                     at java.lang.reflect.Method.invoke(Unknown Source)
                     at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:335)
                     at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:348)
                     at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
                     at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
                     at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
                     at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
                     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88)
                     ... 55 more
                14:16:24,808 ERROR [lifecycle] JSF1054: (Phase ID: INVOKE_APPLICATION 5, View ID: /user/role/editRole.xhtml) Exception thrown during phase execution: javax.faces.event.PhaseEvent[source=com.sun.faces.lifecycle.LifecycleImpl@1c4f4a1]
                14:16:24,808 INFO  [STDOUT] Hibernate: 
                    update
                        ADMIN_ROLE 
                    set
                        Name=?,
                        type=? 
                    where
                        role_id=?



                I'm finally set up to build and test with different versions of Seam, so if there's something you want me to do, go ahead and ask! ;)

                • 5. Re: Change committed even if an AuthorizationException is thrown by @Restrict; flushmode = auto
                  bora bora Newbie

                  Have you managed to resolve this?
                  I am having exactly the same problem with Seam 2.2.1 Final.
                  Even though the method execution is not permitted based on the permissions (and an AuthorizationException is thrown) the entity is updated in the database.


                  What would be the correct way to handle this? Any ideas?


                  Thanks...

                  • 6. Re: Change committed even if an AuthorizationException is thrown by @Restrict; flushmode = auto
                    Sylvain Catudal Newbie

                    To my knowledge, the issue has not been resolved.  I created an observer as suggested above.  Here is what my class looks like:




                    import javax.persistence.EntityManager;
                    
                    import org.jboss.seam.annotations.In;
                    import org.jboss.seam.annotations.Name;
                    import org.jboss.seam.annotations.Observer;
                    import org.jboss.seam.security.Identity;
                    
                    // Application-scoped by default; Seam instantiates it when the observed event fires.
                    @Name("notAuthorizedObserver")
                    public class NotAuthorizedObserver {
                    
                         @In
                         EntityManager entityManager;   // the Seam-managed persistence context used by the backing beans
                    
                         // Identity raises this event just before throwing AuthorizationException,
                         // including when the check is performed by the @Restrict interceptor.
                         @Observer(value = Identity.EVENT_NOT_AUTHORIZED)
                         public void rollback() {
                              // Detach every managed entity so the AUTO flush at the end of the
                              // request finds no dirty state to write to the database.
                              entityManager.clear();
                         }
                    }