[seam-issues] [JBoss JIRA] (SEAMFACES-209) Security integration shows denied pages
[
https://issues.jboss.org/browse/SEAMFACES-209?page=com.atlassian.jira.plu...
]
Cody Lerum commented on SEAMFACES-209:
--------------------------------------
If this is the best we can do then it is really no security at all.
We have to account for the fact that a user could have bookmarked a page when he had
different security roles, or security polices changed.
The fact that a user could navigate to a bookmarked page and bypass all restrictions is
unacceptable. What are our options?
Security integration shows denied pages
---------------------------------------
Key: SEAMFACES-209
URL: https://issues.jboss.org/browse/SEAMFACES-209
Project: Seam Faces
Issue Type: Bug
Components: Security
Affects Versions: 3.1.0.Beta2
Reporter: Nicklas Karlsson
Assignee: Jason Porter
Fix For: 3.1.0.Final
I have a @ViewConfig and security annotated page that fails the auth check but the code
in SecurityPhaseListener
private void redirectToAccessDeniedView(FacesContext context, UIViewRoot viewRoot) {
// If a user has already done a redirect and rendered the response (possibly in
an observer) we cannot do this output
if (!(context.getResponseComplete() || context.getRenderResponse())) {
quietly fails the check and then proceeds to render the page. It should perhaps throw an
exception or take some other actions to at least deny the page.
In an unrelated note, I can't see where response output would be produced since I
just edited the browser url and pointed it at a forbidden page...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira