    seam security authorization with 3rd party authentication

      I'm having a lot of trouble with security.  I have a 3rd party authenticator, but I need to be able to prevent users from directly accessing pages (currently you can type a url with a cid in the address bar and go directly to any page).  I tried using

      <restrict>some restrict logic</restrict>

      in somepage.page.xml, but it has absolutely no effect.  I created an Authenticator class, it locks users out, but won't allow anyone in.  I have this:

      <page view-id="/*" action="#{authenticator.authenticate}" login-required="false"/>

      on pages.xml and components.xml (not sure why it's in both places) and this:


      in components.xml.  I've tried a bunch of different combinations,




      , etc. I'm getting nowhere.  What is the purpose of the security-enabled switch?  I'm using Seam 2.2.0 with jboss 5.1.0.  Is there some configuration setting I'm missing?

          I'm a little confused.... you made authenticator.authenticate a page action for EVERY page? So every time it hits a page, it's going to try to log the user in? Authenticate should really only be called when the user is logging in, not constantly.

          <page view-id="/*" action="#{authenticator.authenticate}" login-required="false"/> seems very wrong. Especially in components.xml, there shouldn't be page descriptors in there at all. What that line basically says is every time a user accesses any page, try to log them in, but don't require logins for any page.


          To keep a user from a page, you can specify

          <page ... login-required="true">

          on that page's .page.xml file. Or, if you need more fine-grained control, you can do something more like


          What was the some restrict logic that you tried to no effect?


          Components.xml should have something more like this:

             <security:rule-based-permission-resolver security-rules="#{securityRules}"/>
             <security:identity authenticate-method="#{authenticator.authenticate}" remember-me="true"/>
             <factory name="currentSession" scope="stateless" value="#{facesContext.externalContext.request.session}" />
             <event type="org.jboss.seam.security.notLoggedIn">
                <action execute="#{redirect.captureCurrentView}"/>
             </event>
             <event type="org.jboss.seam.security.loginSuccessful">
                <action execute="#{redirect.returnToCapturedView}"/>
                <action execute="#{currentSession.setMaxInactiveInterval(3600)}"/>
             </event>

          That's just more or less what seam-gen should give you, incidentally.
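          A complete pages.xml along the lines the reply describes, added here as an example (it is not the poster's file or anything shipped with Seam); the view ids /login.xhtml, /home.xhtml, /protected/* and the role name admin are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://jboss.com/products/seam/pages"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.2.xsd"
       no-conversation-view-id="/home.xhtml"
       login-view-id="/login.xhtml">

    <!-- The login page itself stays public: no login-required here.
         Authentication runs only from identity.login, never as a page action. -->
    <page view-id="/login.xhtml">
        <navigation from-action="#{identity.login}">
            <rule if="#{identity.loggedIn}">
                <redirect view-id="/home.xhtml"/>
            </rule>
        </navigation>
    </page>

    <!-- Every view under /protected/ (assumed path) needs an authenticated session.
         Typing the URL into the address bar, with or without a cid, now raises
         NotLoggedInException, and the user is sent to login-view-id instead. -->
    <page view-id="/protected/*" login-required="true"/>

    <!-- Finer grained: authenticated AND holding the assumed 'admin' role. -->
    <page view-id="/protected/admin/*" login-required="true">
        <restrict>#{s:hasRole('admin')}</restrict>
    </page>

    <!-- Not logged in: capture the requested view (see the notLoggedIn event in
         components.xml) and redirect to the login page. -->
    <exception class="org.jboss.seam.security.NotLoggedInException">
        <redirect view-id="/login.xhtml">
            <message severity="warn">Please log in first</message>
        </redirect>
    </exception>

    <!-- Logged in but restrict failed: do not leak anything about the view. -->
    <exception class="org.jboss.seam.security.AuthorizationException">
        <redirect view-id="/home.xhtml">
            <message severity="error">You don't have permission to access this resource</message>
        </redirect>
    </exception>
</pages>
```

          For this to take effect, the `action="#{authenticator.authenticate}"` page entry for `/*` must be removed from both pages.xml and components.xml; with it in place every request re-runs authentication and the login-required / restrict checks never get a chance to redirect.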