[ http://jira.jboss.com/jira/browse/JBSEAM-1009?page=comments#action_12398170 ]
Norman Richards commented on JBSEAM-1009:
-----------------------------------------
Although I don't think this case represents the right solution, this is a problem we definitely should solve (one reason being that it is incompatible with RichFaces). Here are some solutions that have been proposed:
* Disallow login-required="true" for "*". It's a largely nonsensical setting, and if we can discourage people from using it, we'd all be much happier. URL rewriting could make the ugly URLs disappear.
* Expand "*" wildcards to allow for an extension like "*.xhtml" or the like. This doesn't solve the overriding problem, but it would fix the RF issue. In general, proper regex would be nice, but that doesn't play well with the ordering logic we have for overriding page definitions.
* Invert the ordering of security declarations. When talking about security rules, the most specific rule should generally win. While that might not make sense in the context of pages.xml, it's really the right approach. You'd need to make login-required ternary (like in the proposal here: true|false|unspecified) to make this work.
* Filter out the a4j resource requests and otherwise stick with the status quo. We already hardcode debug.seam in this, which I think we all find rather unfortunate. Hardcoding exclusions is bad. This could be configurable, but we'd rather avoid increasing the configuration burden on users.
I think that was all of the options Pete and I discussed. Any other suggestions here? I would like to see login-required able to be overridden, and as I said above I really don't see why the most general rule should take precedence in security. That just doesn't seem right.
optionally login-require in a more specific page should be able to override a wildcard login-require
----------------------------------------------------------------------------------------------------
Key: JBSEAM-1009
URL: http://jira.jboss.com/jira/browse/JBSEAM-1009
Project: JBoss Seam
Issue Type: Patch
Components: Security
Affects Versions: 1.2.0.GA
Environment: all
Reporter: Leo Baschy
Assigned To: Shane Bryzak
Attachments: may-override-login-required.patch,
may-override-login-required.patch, weaker-explicit-security.patch,
weaker-explicit-security.patch
This should be optional to switch on, so no one's existing expectations of security get broken.
The point is about having a generic wildcard <page view-id="*" scheme="http" login-required="true"> to secure the whole site, and then allowing specific pages or specific wildcards to have login-required="false". E.g. for a registration (with preview) section, as one cannot be logged in if one isn't registered yet.
Some may suggest instead forcing pages into dedicated secure and not-secure directories, but in reality if there are multiple reasons to force pages into directories different ways (security, hyperlink management, publishability of URLs, etc.), one cannot serve all of them.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira