[seam-issues] [JBoss JIRA] (SEAMFACES-209) Security integration shows denied pages
[
https://issues.jboss.org/browse/SEAMFACES-209?page=com.atlassian.jira.plu...
]
Cody Lerum commented on SEAMFACES-209:
--------------------------------------
Also just discovered that the order matters
@RestrictAtPhase({PhaseIdType.RESTORE_VIEW, PhaseIdType.INVOKE_APPLICATION}) works
while
@RestrictAtPhase({PhaseIdType.INVOKE_APPLICATION, PhaseIdType.RESTORE_VIEW})
allows people to subvert
Security integration shows denied pages
---------------------------------------
Key: SEAMFACES-209
URL: https://issues.jboss.org/browse/SEAMFACES-209
Project: Seam Faces
Issue Type: Bug
Components: Security
Affects Versions: 3.1.0.Beta2
Reporter: Nicklas Karlsson
Assignee: Jason Porter
Fix For: Future
I have a @ViewConfig and security annotated page that fails the auth check but the code
in SecurityPhaseListener
private void redirectToAccessDeniedView(FacesContext context, UIViewRoot viewRoot) {
// If a user has already done a redirect and rendered the response (possibly in
an observer) we cannot do this output
if (!(context.getResponseComplete() || context.getRenderResponse())) {
quietly fails the check and then proceeds to render the page. It should perhaps throw an
exception or take some other actions to at least deny the page.
In an unrelated note, I can't see where response output would be produced since I
just edited the browser url and pointed it at a forbidden page...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira