[jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-1009) optionally login-require in a more specific page should be able to override a wildcard login-require

Leo Baschy (JIRA) jira-events at lists.jboss.org
Thu Mar 15 20:04:32 EDT 2007

     [ http://jira.jboss.com/jira/browse/JBSEAM-1009?page=all ]

Leo Baschy updated JBSEAM-1009:

    Attachment: weaker-explicit-security.patch

Complete patch in one file weaker-explicit-security.patch.

Relaxed rejection of DTDs.

Doesn't care any longer whether whole site uses same DTD.

Tolerates use of no DTD.

Only rejects (with log.error and RuntimeException) if set <pages weaker-explicit-security="true"> and if any DTD is "-//JBoss/Seam Pages Configuration DTD 1.2//EN" or "-//JBoss/Seam Pages Configuration DTD 1.1//EN" because those two (any others?) still have the <!ATTLIST page login-required (true|false) "false"> when we need <!ATTLIST page login-required (true|false) #IMPLIED>.

> optionally login-require in a more specific page should be able to override a wildcard login-require
> ----------------------------------------------------------------------------------------------------
>                 Key: JBSEAM-1009
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-1009
>             Project: JBoss Seam
>          Issue Type: Patch
>          Components: Security
>    Affects Versions: 1.2.0.GA
>         Environment: all
>            Reporter: Leo Baschy
>         Assigned To: Shane Bryzak
>         Attachments: may-override-login-required.patch, may-override-login-required.patch, weaker-explicit-security.patch, weaker-explicit-security.patch
> This should be optional to switch on, so no one's existing expectations of security get broken.
> The point is about having a generic wildcard  <page view-id="*" scheme="http" login-required="true">  to secure the whole site, and then allowing specific pages or specific wildcards to have login-required="false".  E.g. for a registration (with preview) section as one cannot be logged in if one isn't registered yet.
> Some may suggest instead forcing pages into dedicated secure and not-secure directories, but in reality if there are multiple reasons to force pages into directories different ways (security, hyperlink management, publishability of URLs, etc.), one cannot serve all of them.
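
The sketch below is an added illustration, not part of the original message, the attached patch, or Seam's code. It models why the override needs `login-required` declared `#IMPLIED`: with the DTD default of `"false"`, a page entry that never mentions the attribute cannot be told apart from an explicit opt-out. The class name, the sample view ids, the trailing-`*` matching and the longest-match-wins rule are all assumptions made for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added illustration; hypothetical model, not Seam's implementation. */
public class LoginRequiredResolution {

    // True if the view-id pattern (exact id or trailing-* wildcard) covers the view.
    static boolean matches(String pattern, String viewId) {
        return pattern.endsWith("*")
                ? viewId.startsWith(pattern.substring(0, pattern.length() - 1))
                : pattern.equals(viewId);
    }

    /**
     * rules maps view-id pattern -> login-required; null means the attribute was absent.
     * Assumed rule: the longest matching pattern that states a value wins.
     * If no matching pattern states a value, no login is required.
     */
    static boolean loginRequired(Map<String, Boolean> rules, String viewId) {
        String best = null;
        for (Map.Entry<String, Boolean> e : rules.entrySet()) {
            if (e.getValue() != null && matches(e.getKey(), viewId)
                    && (best == null || e.getKey().length() > best.length())) {
                best = e.getKey();
            }
        }
        return best != null && rules.get(best);
    }

    public static void main(String[] args) {
        // Constructed sample, as read when login-required is declared #IMPLIED.
        Map<String, Boolean> implied = new LinkedHashMap<>();
        implied.put("*", true);               // secure the whole site
        implied.put("/register/*", false);    // explicit opt-out
        implied.put("/account.xhtml", null);  // page entry exists, attribute absent

        // Same entries under a DTD whose default is "false": absent becomes false.
        Map<String, Boolean> defaulted = new LinkedHashMap<>(implied);
        defaulted.replaceAll((k, v) -> v == null ? Boolean.FALSE : v);

        for (String view : new String[] {
                "/register/preview.xhtml", "/account.xhtml", "/home.xhtml"}) {
            System.out.printf("%-26s #IMPLIED=%-5b default-false=%b%n", view,
                    loginRequired(implied, view), loginRequired(defaulted, view));
        }
    }
}
```

In this model `/account.xhtml` stays protected by the wildcard when the attribute is `#IMPLIED`, but is treated as an explicit opt-out once the DTD default turns the absent attribute into `false`.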
