1 Reply Latest reply on Apr 14, 2016 11:25 AM by Max Barkley

    [3.2.3.Final] Issues with @RestrictedAccess

    Hristo Stoyanov Master

      Hi all

      When I place a security restriction on a page, an unauthenticated user should not be able to access it, e.g.:

      ...
      @ApplicationScoped
      @Page(path = "plan")
      @Templated("#content")
      @RestrictedAccess(roles = "default")
      public class PlanPage extends AbstractBasePage {
      ...
      }

      That is not what I observe! The user can directly navigate to the restricted page from the browser URL bar (e.g. type in: http://127.0.0.1:8080/myapp/index.jsp#plan) and the page shows, even though no one has authenticated (e.g. I have the default user/role: ANONYMOUS/NOBODY).

      My expectation was that the user will be forwarded to a page with role={SecurityError.class}, which in my case is the home page:

      ...
      @ApplicationScoped
      @Page(path = "home", role = {LoginPage.class, DefaultPage.class, SecurityError.class})
      @Templated("#content")
      public class HomePage extends AbstractBasePage {...}

      Even if I designate some other page with @Page(path = "signinfailed", role = SecurityError.class), the issue still exists and security is breached. There are no error messages.

      Any clue?