1 Reply Latest reply on Jan 30, 2012 1:36 AM by peijun xie

    Seam Security Design Problem

    peijun xie Newbie

      Hi,everybody ,I'm new to seam and I'm really confused about seam's page navigation rule.


      Now, I have a requirement: I need set /* to be login-required but /error.xhtml is excepted.


      And I wanna integrate seam security with cas. so, I config pages.xml like this:



          <page view-id="/error.xhtml" login-required="false"/>
      
          <page view-id="/*" login-required="true">
              <navigation evaluate="#{identity.tryLogin}">
                  <rule if-outcome="false">
                      <redirect view-id="/error.xhtml"/>
                  </rule>
              </navigation>
          </page>





      My rule: if someone have already identified by cas, then tryLogin just fill credentials' username and password with cas' username, this makes seam just do what it is designed( identity -> authencator). If not, then display the error page with you have not logged in ,please login first.


      But seam's rule is from most general to most specific, if I haven't logged in by cas, then that means my configuration will cause an infinite circulation as identity.tryLogin will always return false, and redirect to /error.xhtml, but the rule '/*' will first intercept it, and re-redirect to /error.xhtml...


      This design makes us can't exclude some specific situation from the most general situation.


      Could anyone explain?


      Maybe this is my misunderstand of seam, if so, please help correct me, Thanks