Hi all
When I place a security restriction on a page, an unauthenticated user should not be able to access it, e.g.:
...
@ApplicationScoped
@Page(path = "plan")
@Templated("#content")
@RestrictedAccess(roles = "default")
public class PlanPage extends AbstractBasePage {
...
}
That is not what I observe! The user can directly navigate to the restricted page from the browser URL bar (e.g. type in: http://127.0.0.1:8080/myapp/index.jsp#plan) and the page shows, despite the fact that no one has authenticated (e.g. I have the default user/role: ANONYMOUS/NOBODY).
My expectation was that the user would be forwarded to a page with role={SecurityError.class}, which in my case is the home page:
...
@ApplicationScoped
@Page(path = "home", role = {LoginPage.class, DefaultPage.class, SecurityError.class})
@Templated("#content")
public class HomePage extends AbstractBasePage {...}
Even if I designate some other page with @Page(path = "signinfailed", role = SecurityError.class), the issue still exists and security is breached. There are no error messages.
Any clue?
Hi Hristo, could you kindly open a JIRA issue so that we can look into this?
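Added example, not code from the original post or from the Errai project: whatever the outcome of the JIRA issue, `@RestrictedAccess` on a `@Page` is a navigation guard that runs in the browser, so the data the "plan" page loads has to be protected on the server as well. The filter below shows that server-side check with the standard Servlet API (a Java EE container such as the one the app above is deployed to). The endpoint path `/api/plan/*`, the class name `PlanAccessFilter` and the user "alice" in `main()` are assumptions made for the example; the required role "default" mirrors the page annotation in the post.

```java
// Added example (not from the original post or from Errai): server-side
// enforcement of the same role requirement the client page declares.
// Assumptions: a Servlet 3.x container and a hypothetical data endpoint
// under /api/plan/* that the "plan" page would call.
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/api/plan/*")   // hypothetical endpoint path
public class PlanAccessFilter implements Filter {

    /** Roles allowed to reach the plan data; mirrors @RestrictedAccess(roles = "default"). */
    static final Set<String> REQUIRED_ROLES =
        Collections.unmodifiableSet(new HashSet<>(Arrays.asList("default")));

    /**
     * Pure access decision, kept container-independent so it can be exercised
     * from main(): an unauthenticated request (no principal) is always denied;
     * an authenticated caller must hold at least one of the required roles.
     */
    static boolean isAllowed(Principal principal, Predicate<String> isUserInRole) {
        if (principal == null) {
            return false;   // anonymous: the browser hiding the page is not authorization
        }
        for (String role : REQUIRED_ROLES) {
            if (isUserInRole.test(role)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Principal principal = request.getUserPrincipal();
        if (!isAllowed(principal, request::isUserInRole)) {
            // 401 for an anonymous caller, 403 for an authenticated caller lacking the role
            response.sendError(principal == null
                ? HttpServletResponse.SC_UNAUTHORIZED
                : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    /** Offline check of the decision logic with constructed inputs (no container needed). */
    public static void main(String[] args) {
        Principal alice = () -> "alice";   // constructed test user
        System.out.println("anonymous, any role:        " + isAllowed(null, r -> true));
        System.out.println("alice with role default:    " + isAllowed(alice, "default"::equals));
        System.out.println("alice with role NOBODY only: " + isAllowed(alice, "NOBODY"::equals));
    }
}
```

The split between `isAllowed` and `doFilter` is deliberate: the decision can be unit-tested without a container, and the filter only translates it into a status code. Note the order of checks, a null principal is rejected before any role lookup, so the default ANONYMOUS/NOBODY identity from the post can never pass even if a role named "NOBODY" were ever granted.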