[ http://jira.jboss.com/jira/browse/JBSEAM-1987?page=comments#action_12386477 ]
Werner Kolov commented on JBSEAM-1987:
--------------------------------------
Try adding the following 3 entries to your pages.xml:
<page view-id="/restricted.xhtml" login-required="true">
    <restrict>#{s:hasRole('doesNotExist')}</restrict>
</page>
<exception class="org.jboss.seam.security.AuthorizationException">
    <redirect view-id="/home.xhtml">
        <message>You don't have permission to do this</message>
    </redirect>
</exception>
<exception class="org.jboss.seam.TransactionException">
    <end-conversation/>
    <redirect view-id="/exceptions.xhtml">
        <message>#{messages.seam_specific_exception}</message>
    </redirect>
</exception>
You will never be redirected to /home.xhtml after an AuthorizationException, because the
exception class org.jboss.seam.TransactionException does not exist (any more) in Seam 2.0.
Sure, this is a configuration error, but unfortunately you are not prompted about it
during the parsing of pages.xml. The parser simply throws ALL exception handlers away if
one of them is wrong, so the complete custom exception handling and all <restrict>
tags don't work. This error can easily happen if you migrate from one Seam version
(1.2.1) to another (2.0.0) and some exception classes change.
This bug is closed, so I'll wait a while for a comment and, if nothing happens,
report a new issue for this problem.
<restrict> in pages.xml has no effect
-------------------------------------
Key: JBSEAM-1987
URL: http://jira.jboss.com/jira/browse/JBSEAM-1987
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.0.0.CR1
Reporter: Samuel Mendenhall
Assigned To: Shane Bryzak
Priority: Critical
Fix For: 2.0.0.CR2
Default seam-gen'd project
Create a page called restricted.xhtml
Add to pages.xml:
<page view-id="/restricted.xhtml" login-required="true">
    <restrict>#{s:hasRole('doesNotExist')}</restrict>
</page>
Logging in will by default give the user the 'admin' role, but the user can still
access the page even without the doesNotExist role.
--
This message is automatically generated by JIRA.
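A pre-deployment check for the failure mode described in the comment above, added here as an example; it is not part of the original message and is not Seam code. It collects every <exception class="..."> entry from pages.xml and reports the classes that none of the supplied jars contain. The function names, the assumption that the listed jars represent the deployment classpath, and the constructed sample input are all assumptions of this example.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

def handler_classes(pages_xml):
    """Class names of every <exception class="..."> handler in pages.xml."""
    root = ET.fromstring(pages_xml)
    return [el.get("class") for el in root.iter()
            # rsplit drops an XML namespace prefix such as '{ns}exception'
            if el.tag.rsplit("}", 1)[-1] == "exception" and el.get("class")]

def classes_in_jar(jar):
    """Fully qualified class names in a jar (path or file-like object)."""
    with zipfile.ZipFile(jar) as zf:
        return {n[:-len(".class")].replace("/", ".")
                for n in zf.namelist() if n.endswith(".class")}

def missing_handlers(pages_xml, jars):
    """Handler classes that none of the given jars provide."""
    available = set()
    for jar in jars:
        available |= classes_in_jar(jar)
    return [c for c in handler_classes(pages_xml) if c not in available]

def sample_jar(class_names):
    """Constructed test data: an in-memory jar with empty .class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in class_names:
            zf.writestr(name.replace(".", "/") + ".class", b"")
    buf.seek(0)
    return buf

# Constructed input: the handlers from the comment inside a <pages> root.
SAMPLE_PAGES_XML = """<pages>
  <exception class="org.jboss.seam.security.AuthorizationException">
    <redirect view-id="/home.xhtml"/>
  </exception>
  <exception class="org.jboss.seam.TransactionException">
    <redirect view-id="/exceptions.xhtml"/>
  </exception>
</pages>"""

if __name__ == "__main__":
    # Stand-in for a Seam 2.0 jar, which per the comment has no TransactionException.
    jar = sample_jar(["org.jboss.seam.security.AuthorizationException"])
    for cls in missing_handlers(SAMPLE_PAGES_XML, [jar]):
        print("pages.xml: exception class not on classpath:", cls)
```

Run as a build step after a Seam upgrade, a non-empty result flags the stale handler before the <restrict> rules silently stop being enforced.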