How to make ViewConfig redirect on access denied
gotamo Oct 2, 2012 11:21 AM
Hi, everyone: I have a problem in managing the access denied redirection using Seam Security ViewConfig.
My @ViewConfig interface is as follows:
{code}
@ViewConfig
public interface Pages
{
    static enum AllPages
    {
        @FacesRedirect
        @ViewPattern("/public/*")
        @LoginView("/public/login.xhtml")
        @AccessDeniedView("/public/login.xhtml")
        PUBLIC,

        @ViewPattern("/private/*")
        @LoginView("/public/login.xhtml")
        @AccessDeniedView("/public/accessdeny.xhtml")
        @Private
        PRIVATE,

        //------------------------------------------------------------
        // SAFE
        //------------------------------------------------------------
        @ViewPattern("/private/safe/safeList.xhtml")
        @LoginView("/public/login.xhtml")
        @AccessDeniedView("/public/accessdeny.xhtml")
        @SafeList
        SAFELIST
    }
}
{code}
and annotations created by @SecurityBindingType
{code}
@SecurityBindingType
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.FIELD, ElementType.METHOD, ElementType.TYPE})
public @interface Private {}

@SecurityBindingType
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.FIELD, ElementType.METHOD, ElementType.TYPE})
public @interface SafeList {}
{code}
Finally, the restriction methods are:
{code}
public class SecurityRules
{
    @Inject
    Logger log;

    // Grants @Private only to a logged-in user.
    public @Secures @Private boolean authenticatedCheck(Identity identity)
    {
        boolean perm = identity != null &&
                       identity.getUser() != null &&
                       identity.isLoggedIn();
        log.debugv( "Private permission for user {0} is {1}", identity.getUser(), perm );
        return perm;
    }

    // Always returns false, so @SafeList is never granted.
    public @Secures @SafeList boolean safeList(LoggedUser loggedUser)
    {
        boolean perm = false;
        log.debugv( "SafeList permission for user {0} is {1}", loggedUser.getUser(), perm );
        return perm;
    }
}
{code}
Any time I try to access any page in the path /private/* I'm correctly redirected to the login page (very good).
But if I try to access the page /private/safe/safeList.xhtml I'm not redirected to accessdeny.xhtml as expected, since the security restriction for @SafeList is always false.
If I check the logs I see:
17:06:35,610 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) NEXT TO [null]: /private/safe/safeList.xhtml
17:06:35,610 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) NEXT TO [null]: /private/safe/safeList.xhtml
17:06:35,612 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-2) Private permission for user SimpleUser{id='Test '} is true
17:06:35,612 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-2) Private permission for user SimpleUser{id='Test '} is true
17:06:35,613 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-2) SafeList permission for user Test Test (test) is false
17:06:35,613 DEBUG [it.redev.sibc.core.resctictions.SecurityRules] (http-localhost-127.0.0.1-8080-2) SafeList permission for user Test Test (test) is false
17:06:35,647 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) START [null]: /private/safe/safeList.xhtml
17:06:35,647 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) START [null]: /private/safe/safeList.xhtml
17:06:35,648 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) BEGIN [1]: /private/safe/safeList.xhtml
17:06:35,648 DEBUG [it.redev.sibc.core.view.ViewChain] (http-localhost-127.0.0.1-8080-2) BEGIN [1]: /private/safe/safeList.xhtml
So the two restrictions are fired, but even if the second one is FALSE I can access the page; moreover, if I try to click a button in the page I finally get the redirection to the accessdeny page.
Can anyone help me?
MR