7 Replies Latest reply on Aug 10, 2010 5:45 AM by mcbermuders

    swallowing exception restrict pages.xml

    mcbermuders
      Hi

      I have a problem with the authorization. The "members block" is working fine, but you have access to the "admin block": the Authorization Exception is swallowed and you can see the site rendered :(.
      I am a little bit disappointed. I can't find what I am doing wrong. Is there anybody here who has experience with
      role restriction in pages.xml? Please help.

      seam version 2.2.0.GA
      jboss version 5.1.0GA

      Cheers Tim


              <page view-id="/admin/*" login-required="true">
                      <exception class="org.jboss.seam.security.NotLoggedInException">
                              <redirect view-id="login.xhtml">
                                      <message severity="warn">#{messages['org.jboss.seam.NotLoggedIn']}</message>
                              </redirect>
                      </exception>
              </page>

              <page view-id="/admin/*" login-required="true">
                      <exception class="org.jboss.seam.security.AuthorizationException">
                              <redirect view-id="login.xhtml">
                                      <message severity="warn">You do not have the Permission</message>
                              </redirect>
                      </exception>
              </page>

              <page view-id="/members/*" login-required="true">
                      <exception class="org.jboss.seam.security.NotLoggedInException">
                              <redirect view-id="login.xhtml">
                                      <message severity="warn">#{messages['org.jboss.seam.NotLoggedIn']}</message>
                              </redirect>
                      </exception>
              </page>

              <page view-id="/admin/*">
                      <restrict>#{s:hasRole('admin')}</restrict>
                      <action execute="#{workaround.doSomething}" on-postback="false" />
              </page>

      20:13:07,375 ERROR [SeamPhaseListener] swallowing exception
      org.jboss.seam.security.AuthorizationException: Authorization check failed for expression [#{s:hasRole('admin')}]
        • 1. Re: swallowing exception restrict pages.xml
          mcbermuders
          Changelog from jboss-seam-2.2.0, and I can't see that it's fixed in the changelog.

          JBSEAM-1987

          Anybody here with a solution?


          Release Notes - JBoss Seam - Version 2.0.0.CR2

          ** Bug
              * [JBSEAM-1987] - <restrict> in pages.xml has no effect
              * [JBSEAM-1988] - AuthorizationException not redirected properly
          • 2. Re: swallowing exception restrict pages.xml
            mcbermuders
            My bad :D
            Done .. Fixed :)
            My pages was such a fail :)

            With my new pages.xml everything works fine :)
            I am happy now ...


            <?xml version="1.0" encoding="UTF-8"?>
            <pages xmlns="http://jboss.com/products/seam/pages" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.3.xsd"
                    login-view-id="/login.xhtml">

                    <exception class="org.jboss.seam.security.NotLoggedInException">
                            <end-conversation />
                            <redirect view-id="/error/error.xhtml">
                                    <message severity="warn">#{messages['org.jboss.seam.NotLoggedIn']}
                                    </message>
                            </redirect>
                    </exception>

                    <exception class="org.jboss.seam.security.AuthorizationException">
                            <end-conversation />
                            <redirect view-id="/error/error.xhtml">
                                    <message severity="warn">You do not have the Permission</message>
                            </redirect>
                    </exception>

                    <page view-id="/admin/*" login-required="true">
                            <restrict>#{s:hasRole('admin')}</restrict>
                    </page>

                    <page view-id="/members/*" login-required="true">
                            <restrict>#{identity.loggedIn}</restrict>
                    </page>


                    <!-- Login,Logout -->
                    <page view-id="/members/*.xhtml" action="#{identity.logout}">
                            <navigation from-action="#{identity.logout}">
                                    <redirect view-id="/login.xhtml"></redirect>
                            </navigation>
                    </page>

                    <page view-id="/admin/*.xhtml" action="#{identity.logout}">
                            <navigation from-action="#{identity.logout}">
                                    <redirect view-id="/login.xhtml"></redirect>
                            </navigation>
                    </page>

                    <page view-id="/error/*.xhtml" action="#{identity.logout}">
                            <navigation from-action="#{identity.logout}">
                                    <redirect view-id="/login.xhtml"></redirect>
                            </navigation>
                    </page>

                    <page view-id="/login.xhtml" action="#{identity.login}">
                            <navigation from-action="#{identity.login}">
                                    <rule if="#{identity.loggedIn}">
                                            <redirect view-id="/members/mainsite.xhtml"></redirect>
                                    </rule>
                            </navigation>
                    </page>



            </pages>
            • 3. Re: swallowing exception restrict pages.xml
              withmustaf

              Hi,


              I am facing the same problem in my application.


              Initially I had schema location pointing to pages-2.2.xsd and
              then I modified to point pages-2.3.xsd


              It throws the org.jboss.seam.security.AuthorizationException
              but it is swallowed.


              I am using Seam 2.2.0.GA.


              Kindly help me through this.

              • 4. Re: swallowing exception restrict pages.xml
                withmustaf
                I couldn't solve the issue. I am not sure what is wrong.

                BUT..

                I mapped the EL expression in <restrict /> to a boolean method (with role-check logic).

                I made the boolean method throw a runtime exception when the role check fails (say my.dev.AznException).

                I am catching the AznException exception and redirecting to the homepage.

                It's working fine now...

                • 5. Re: swallowing exception restrict pages.xml
                  mcbermuders
                  Sorry for the late reply. Can you post your pages.xml?

                  Don't let pages handle exception. Does not work. For example:

                          <page view-id="/admin/*" login-required="true">
                                  <exception class="org.jboss.seam.security.NotLoggedInException">
                                          <redirect view-id="login.xhtml">
                                                  <message severity="warn">#{messages['org.jboss.seam.NotLoggedIn']}</message>
                                          </redirect>
                                  </exception>
                          </page>
                  --------------------------------------------


                  Do it like this, and everything works fine:

                          <page view-id="/admin/*" login-required="true">
                                  <restrict>#{s:hasRole('admin')}</restrict>
                          </page>


                          <exception class="org.jboss.seam.security.NotLoggedInException">
                                  <end-conversation />
                                  <redirect view-id="/error/error.xhtml">
                                          <message severity="warn">#{messages['org.jboss.seam.NotLoggedIn']}
                                          </message>
                                  </redirect>
                          </exception>

                          <exception class="org.jboss.seam.security.AuthorizationException">
                                  <end-conversation />
                                  <redirect view-id="/error/error.xhtml">
                                          <message severity="warn">You do not have the Permission</message>
                                  </redirect>
                          </exception>

                  Please post your pages.xml.
                  • 6. Re: swallowing exception restrict pages.xml
                    0sandglasstime
                    I'm a beginner to Seam. I've got the same problem when I try to add the following restrict to a page:

                    <page view-id="/projectEdit.xhtml">
                    <restrict>#{s:hasRole('admin')}</restrict>
                    </page>

                    Is there something wrong?
                    • 7. Re: swallowing exception restrict pages.xml
                      mcbermuders
                      Do you handle the exception?

                      <exception class="org.jboss.seam.security.NotLoggedInException">
                              <end-conversation />
                              <redirect view-id="/error/error.xhtml">
                                      <message severity="warn">#{messages['org.jboss.seam.NotLoggedIn']}
                                      </message>
                              </redirect>
                      </exception>

                      <exception class="org.jboss.seam.security.AuthorizationException">
                              <end-conversation />
                              <redirect view-id="/error/error.xhtml">
                                      <message severity="warn">You do not have the Permission</message>
                              </redirect>
                      </exception>


                      Can you post your complete pages.xml?!? So it's much easier to see what's wrong.
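
An added example, not part of any post in this thread and not Seam project code: a small Python check for the three things the thread ends up pointing at in a pages.xml, namely `<exception>` handlers nested inside `<page>`, one view-id pattern split across several `<page>` entries, and `<restrict>` used without a top-level `AuthorizationException` handler. The function name `lint_pages` and both sample documents are constructed for illustration; the duplicate-pattern finding is a review item, not a statement about how Seam merges entries.

```python
import xml.etree.ElementTree as ET
from collections import Counter
AUTHZ = "org.jboss.seam.security.AuthorizationException"

def local(tag):  # drop the XML namespace so namespaced and bare files lint alike
    return tag.rsplit("}", 1)[-1]

def lint_pages(xml_text):
    """Return review findings for a Seam pages.xml document."""
    root = ET.fromstring(xml_text)
    pages = [e for e in root if local(e.tag) == "page"]
    top_handlers = {e.get("class") for e in root if local(e.tag) == "exception"}
    findings = []
    # 1. Handlers nested in <page>: the layout the thread reports as not working.
    for page in pages:
        for child in page:
            if local(child.tag) == "exception":
                findings.append(f"{page.get('view-id')}: <exception> for "
                                f"{child.get('class')} is nested in <page>")
    # 2. Same view-id pattern in several <page> entries (the working file has one each).
    counts = Counter(p.get("view-id") for p in pages)
    findings += [f"{v}: declared in {n} <page> entries"
                 for v, n in counts.items() if n > 1]
    # 3. <restrict> in use but nothing at <pages> level handles the denial.
    restricted = [p.get("view-id") for p in pages
                  if any(local(c.tag) == "restrict" for c in p)]
    if restricted and AUTHZ not in top_handlers:
        findings.append(f"<restrict> on {restricted} but no top-level {AUTHZ} handler")
    return findings

# Constructed samples, condensed from the two layouts posted in the thread.
BROKEN = """<pages>
  <page view-id="/admin/*" login-required="true">
    <exception class="org.jboss.seam.security.AuthorizationException"/>
  </page>
  <page view-id="/admin/*">
    <restrict>#{s:hasRole('admin')}</restrict>
  </page>
</pages>"""

FIXED = """<pages xmlns="http://jboss.com/products/seam/pages">
  <exception class="org.jboss.seam.security.AuthorizationException"/>
  <page view-id="/admin/*" login-required="true">
    <restrict>#{s:hasRole('admin')}</restrict>
  </page>
</pages>"""

if __name__ == "__main__":
    print(lint_pages(BROKEN), lint_pages(FIXED))
```
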