[jboss-cvs] jboss-seam/doc/reference/en/modules ...

Gavin King gavin.king at jboss.com
Mon May 21 20:30:44 EDT 2007 

  User: gavin   
  Date: 07/05/21 20:30:44

  Modified:    doc/reference/en/modules  security.xml
  Log:
  doc new restore page permission
  
  Revision  Changes    Path
  1.56      +15 -9     jboss-seam/doc/reference/en/modules/security.xml
  
  (In the diff below, changes in quantity of whitespace are not shown.)
  
  Index: security.xml
  ===================================================================
  RCS file: /cvsroot/jboss/jboss-seam/doc/reference/en/modules/security.xml,v
  retrieving revision 1.55
  retrieving revision 1.56
  diff -u -b -r1.55 -r1.56
  --- security.xml	14 May 2007 23:37:19 -0000	1.55
  +++ security.xml	22 May 2007 00:30:42 -0000	1.56
  @@ -672,24 +672,30 @@
         <para>
           Page security requires that the application is using a <literal>pages.xml</literal> file, however is
           extremely simple to configure.  Simply include a <literal>&lt;restrict/&gt;</literal> element within
  -        the <literal>page</literal> elements that you wish to secure.  By default, if a value is not provided for the
  -        <literal>restrict</literal> element, an implied permission of <literal>{viewId}:render</literal> will
  -        be checked for whenever accessing that page.  Otherwise the value will be evaluated as a standard
  -        security expression.  Here's a couple of examples:
  +        the <literal>page</literal> elements that you wish to secure.  If no explicit restriction is specified 
  +        the by the<literal>restrict</literal> element, an implied permission of <literal>/viewId.xhtml:render</literal> 
  +        will be checked when the page is accessed via a non-faces (GET) request, and a permission of 
  +        <literal>/viewId.xhtml:restore</literal> will be required when any JSF postback (form submission) originates
  +        from the page.  Otherwise, the specified restriction will be evaluated as a standard security expression. 
  +        Here's a couple of examples:
         </para>
               
         <programlisting><![CDATA[<page view-id="/settings.xhtml">
       <restrict/>
  -</page>
  +</page>]]></programlisting>
  +        
  +      <para>
  +        This page has an implied permission of <literal>/settings.xhtml:render</literal> required for non-faces 
  +        requests and an implied permission of <literal>/settings.xhtml:restore</literal> for faces requests.
  +      </para>
           
  -<page view-id="/reports.xhtml">    
  +      <programlisting><![CDATA[<page view-id="/reports.xhtml">    
       <restrict>#{s:hasRole('admin')}</restrict>
   </page>]]></programlisting>
         
         <para>
  -        In the above example, the first page has an implied permission restriction of 
  -        <literal>/settings.xhtml:render</literal>, while the second one checks that the user 
  -        is a member of the <literal>admin</literal> role.
  +        Both faces and non-faces requests to this page require that the user is a member of the 
  +        <literal>admin</literal> role.
         </para>
           
       </sect2>

More information about the jboss-cvs-commits mailing list