[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1018) Allow security checks in component lifecycle methods
Christian Bauer (JIRA)
jira-events at lists.jboss.org
Sun Mar 11 13:45:46 EDT 2007
[ http://jira.jboss.com/jira/browse/JBSEAM-1018?page=comments#action_12355763 ]
Christian Bauer commented on JBSEAM-1018:
-----------------------------------------
@Override
public void create() {
    super.create();
    ...
    if ( !isManaged() && getParentDirectory().getWriteAccessLevel() != Roles.GUESTROLE_ACCESSLEVEL) {
        System.out.println("###### GUEST IS NOT ALLOWED, TROWING EXCEPTION");
        throw new AuthorizationException("Please register an account to execute this operation");
    }
    ...
}
18:35:13,398 DEBUG [RootInterceptor] intercepted: documentHome.create
18:35:13,398 DEBUG [RootInterceptor] intercepted: nodeDAO.POST_CONSTRUCT
18:35:13,398 DEBUG [RootInterceptor] intercepted: userDAO.POST_CONSTRUCT
18:35:13,399 DEBUG [RootInterceptor] intercepted: nodeDAO.findDirectory
18:35:13,401 INFO [STDOUT] Hibernate: select directory0_.NODE_ID as NODE2_65_, directory0_.NODE_REVISION as NODE3_65_, directory0_.OBJ_VERSION as OBJ4_65_, directory0_.NAME as NAME65_, directory0_.WIKINAME as WIKINAME65_, directory0_.MENU_ITEM as MENU7_65_, directory0_.AREA_NR as AREA8_65_, directory0_.PARENT_NODE_ID as PARENT22_65_, directory0_.CREATED_ON as CREATED9_65_, directory0_.CREATED_BY_USER_ID as CREATED24_65_, directory0_.LAST_MODIFIED_ON as LAST10_65_, directory0_.LAST_MODIFIED_BY_USER_ID as LAST23_65_, directory0_.WRITE_ACCESS_LEVEL as WRITE11_65_, directory0_.READ_ACCESS_LEVEL as READ12_65_, directory0_.DEFAULT_DOCUMENT_ID as DEFAULT21_65_ from NODE directory0_ where directory0_.NODE_TYPE='DIRECTORY' and directory0_.NODE_ID=?
18:35:13,403 INFO [STDOUT] ############### CHECKING CREATE PERMISSION: 1
18:35:13,403 INFO [STDOUT] ###### GUEST IS NOT ALLOWED, TROWING EXCEPTION
18:35:13,406 ERROR [STDERR] Mar 11, 2007 6:35:13 PM com.sun.facelets.FaceletViewHandler handleRenderException
SEVERE: Error Rendering View[/docEdit.xhtml]
java.lang.RuntimeException: exception invoking: create
at org.jboss.seam.util.Reflections.invokeAndWrap(Reflections.java:131)
at org.jboss.seam.Component.callComponentMethod(Component.java:1834)
at org.jboss.seam.Component.callCreateMethod(Component.java:1757)
at org.jboss.seam.Component.newInstance(Component.java:1746)
at org.jboss.seam.Component.getInstance(Component.java:1643)
at org.jboss.seam.Component.getInstance(Component.java:1610)
at org.jboss.seam.jsf.SeamVariableResolver.resolveVariable(SeamVariableResolver.java:53)
at org.apache.myfaces.config.LastVariableResolverInChain.resolveVariable(LastVariableResolverInChain.java:42)
at com.sun.facelets.el.LegacyELContext$LegacyELResolver.getValue(LegacyELContext.java:134)
at com.sun.el.parser.AstIdentifier.getValue(Unknown Source)
at com.sun.el.parser.AstValue.getValue(Unknown Source)
at com.sun.el.parser.AstNot.getValue(Unknown Source)
at com.sun.el.ValueExpressionImpl.getValue(Unknown Source)
at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
at com.sun.facelets.el.LegacyValueBinding.getValue(LegacyValueBinding.java:56)
at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:1075)
at com.sun.facelets.tag.jsf.ComponentSupport.encodeRecursive(ComponentSupport.java:241)
at com.sun.facelets.tag.jsf.ComponentSupport.encodeRecursive(ComponentSupport.java:249)
at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:573)
at org.ajax4jsf.framework.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:101)
at org.ajax4jsf.framework.ajax.AjaxViewHandler.renderView(AjaxViewHandler.java:221)
at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:384)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:138)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:130)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:107)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:78)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:383)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:63)
at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:57)
at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:53)
at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:79)
at org.jboss.seam.web.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:49)
at org.jboss.seam.web.SeamFilter.doFilter(SeamFilter.java:84)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:75)
at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:213)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:613)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31)
at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:57)
at org.jboss.seam.interceptors.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:47)
at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
at org.jboss.seam.interceptors.ManagedEntityIdentityInterceptor.aroundInvoke(ManagedEntityIdentityInterceptor.java:37)
at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
at org.jboss.seam.interceptors.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:34)
at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
at org.jboss.seam.interceptors.TransactionInterceptor$1.work(TransactionInterceptor.java:32)
at org.jboss.seam.util.Work.workInTransaction(Work.java:37)
at org.jboss.seam.interceptors.TransactionInterceptor.aroundInvoke(TransactionInterceptor.java:27)
at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
at org.jboss.seam.interceptors.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:27)
at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:69)
at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:103)
at org.jboss.seam.intercept.JavaBeanInterceptor.interceptInvocation(JavaBeanInterceptor.java:151)
at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:87)
at org.jboss.seam.wiki.core.action.DocumentHome_$$_javassist_132.create(DocumentHome_$$_javassist_132.java)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.seam.util.Reflections.invoke(Reflections.java:18)
at org.jboss.seam.util.Reflections.invokeAndWrap(Reflections.java:121)
... 63 more
Caused by: org.jboss.seam.security.AuthorizationException: Please register an account to execute this operation
at org.jboss.seam.wiki.core.action.NodeHome.create(NodeHome.java:78)
at org.jboss.seam.wiki.core.action.DocumentHome.create(DocumentHome.java:26)
... 91 more
And I get a generic Facelets exception page.
> Allow security checks in component lifecycle methods
> ----------------------------------------------------
>
> Key: JBSEAM-1018
> URL: http://jira.jboss.com/jira/browse/JBSEAM-1018
> Project: JBoss Seam
> Issue Type: Feature Request
> Components: Core
> Reporter: Christian Bauer
> Assigned To: Shane Bryzak
> Priority: Minor
>
> The Component.java.callComponentMethod() is used for lifecycle method calling, such as @Create methods. It also wraps all exceptions thrown in these methods, or at least casts them into RuntimeException (even if it already is a RuntimeException). So I can't use Identity.instance.checkPermission() in a @Create method and have my exception handling apply to failure. Minimum required: document this.
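The wrapping described in the issue and visible in the trace above, reproduced as an added example (not code from the Seam project or from the reporter). The classes are local stand-ins: AuthorizationException is assumed to be unchecked, invokeAndWrap is a simplified model of the reflective call and not Seam's implementation, and findAuthorizationFailure is a hypothetical helper showing how a top-level handler can still recognise the authorization failure by walking the cause chain.

```java
import java.lang.reflect.Method;

public class WrappedAuthzDemo {
    // Stand-in for org.jboss.seam.security.AuthorizationException (assumed unchecked).
    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    // Stand-in component whose lifecycle method performs the permission check.
    public static class DocumentHome {
        public void create() {
            throw new AuthorizationException("Please register an account to execute this operation");
        }
    }

    // Simplified model of the reflective lifecycle call: every failure,
    // including an unchecked one, leaves as a plain RuntimeException.
    static Object invokeAndWrap(Object target, String name) {
        try {
            Method m = target.getClass().getMethod(name);
            return m.invoke(target);
        } catch (Exception e) {
            throw new RuntimeException("exception invoking: " + name, e);
        }
    }

    // Hypothetical helper: search the cause chain for the security exception.
    static AuthorizationException findAuthorizationFailure(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof AuthorizationException) {
                return (AuthorizationException) c;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        try {
            invokeAndWrap(new DocumentHome(), "create");
        } catch (AuthorizationException e) {
            // A handler keyed on the exception type never sees the wrapped failure.
            System.out.println("type-based handler fired");
        } catch (RuntimeException e) {
            AuthorizationException authz = findAuthorizationFailure(e);
            System.out.println("top-level type: " + e.getClass().getName());
            System.out.println("recovered: " + (authz == null ? "none" : authz.getMessage()));
        }
    }
}
```

Running it takes the RuntimeException branch, matching the trace: the authorization failure sits two causes deep, under the InvocationTargetException.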