Gavin King updated JBSEAM-800:
------------------------------
Fix Version/s: 1.1.7.GA
s:hasPermission vs view-id wildcards
------------------------------------
Key: JBSEAM-800
URL: http://jira.jboss.com/jira/browse/JBSEAM-800
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 1.1.6.GA
Reporter: Stephan Bublava
Assigned To: Shane Bryzak
Fix For: 1.1.7.GA
Assume I have a set of protected pages, i.e. pages.xml contains:
<page view-id="/foo/*">
    <restrict />
</page>
and now I navigate to /foo/bar.seam.
In this case the security framework checks: #{s:hasPermission('/foo/*', 'render', null)}.
I believe this is bad, especially as it establishes strong ties between pages.xml and my
security rules (which may break whenever pages.xml is changed). It would be much better to
check for the actual page being accessed, i.e.
#{s:hasPermission('/foo/bar.xhtml', 'render', null)}.
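Added example, not part of the original report and not Seam code: a small Python model of the coupling described above, comparing a permission check named after the matched pages.xml pattern with one named after the actual view id. All function names, the AFTER pattern list and the wildcard matching rule (trailing '*' as prefix, longest match wins) are assumptions made for illustration.

```python
# Toy model of the two naming strategies in the report; not Seam code.
VIEW = "/foo/bar.xhtml"      # actual view behind /foo/bar.seam (from the report)
BEFORE = ["/foo/*"]          # pages.xml patterns as in the report
AFTER = ["/*"]               # constructed refactor: restriction widened


def matching_pattern(patterns, view_id):
    """Most specific pattern covering view_id.

    Assumption: a trailing '*' is a prefix wildcard and the longest match wins.
    """
    best = None
    for p in patterns:
        hit = view_id.startswith(p[:-1]) if p.endswith("*") else view_id == p
        if hit and (best is None or len(p) > len(best)):
            best = p
    return best


def permission_name(patterns, view_id, strategy):
    """Name passed to the 'render' check: the pattern or the real view id."""
    pattern = matching_pattern(patterns, view_id)
    if pattern is None:
        return None  # no restricted <page> entry covers this view
    return pattern if strategy == "pattern" else view_id


def may_render(grants, role, patterns, view_id, strategy):
    """grants is a set of (role, name); a restricted page is deny-by-default."""
    name = permission_name(patterns, view_id, strategy)
    return name is None or (role, name) in grants


def survives_refactor(grants, role, strategy):
    """(allowed before, allowed after) the pages.xml change for VIEW."""
    return (may_render(grants, role, BEFORE, VIEW, strategy),
            may_render(grants, role, AFTER, VIEW, strategy))


if __name__ == "__main__":
    # Rule written against the wildcard stops matching after the refactor.
    print(survives_refactor({("user", "/foo/*")}, "user", "pattern"))
    # Rule written against the actual page is unaffected.
    print(survives_refactor({("user", VIEW)}, "user", "view"))
```

In this model the pattern-keyed rule fails closed after the refactor; a broad grant keyed on the new pattern would instead cover every page under it, which is the other direction the same coupling can go wrong.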