[jboss-user] [JBoss Seam] - Re: Multiple Domain Question

spambob do-not-reply at jboss.com
Fri Apr 6 17:49:14 EDT 2007


"rjstanford" wrote : ...If they visit "http://theirsite.com/admin" though, even though to the app it's a legitimate endpoint, I wish to present them with a 404 error since it's not known to their URL...

I have been thinking about how to do this best for some time too, and I really think this is useful, not "security by obscurity", because people won't start to fiddle with something if they don't know it's there.
More generally speaking: I would like to override the standard reaction to an exception for a specific subset of pages.

Furthermore, I would prefer to do this integrated with Seam security and fully configured in pages.xml instead of manually checking for it like Peter described.

So could we please get something like:
<page view-id="/admin/*">
        <restrict>#{s:hasRole('admin')}</restrict>
        <exception class="org.jboss.seam.security.AuthorizationException">
                <http-error error-code="404"/>
        </exception>
</page>
One downside might be that one would get a 404 too if one is admin but calls some method that requires "superadmin" privileges. On the other hand, if the app is designed in a coherent way, this shouldn't happen, because controls for which one doesn't have the necessary privileges are usually not shown. Another solution might be to override the exception mapping only for page access and not for the backend.

So what do you think about this, and could this please be added?!

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4035465#4035465

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4035465
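Until a per-page exception mapping like the one proposed above exists, the same effect can be achieved with a plain servlet filter in front of the application. The following is an added example, not code from the original post or from the Seam project; it assumes container-managed roles (HttpServletRequest.isUserInRole) rather than Seam's own Identity component, the path prefix "/admin/" and the role name "admin" are assumptions chosen to match the example in the post, and the class name HiddenAdminFilter is hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: any request under a protected prefix made by a caller
 * who does not hold the required role is answered with the container's normal
 * 404 page, exactly as if the URL did not exist. Anonymous callers and
 * authenticated callers without the role are treated identically, so the
 * response itself does not reveal that the prefix is mapped.
 */
public class HiddenAdminFilter implements Filter {

    // Assumed values; in a real deployment read them from init-params.
    private static final String PROTECTED_PREFIX = "/admin/";
    private static final String REQUIRED_ROLE = "admin";

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure in this example.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application's context root.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (isHidden(path, request.isUserInRole(REQUIRED_ROLE))) {
            // sendError lets the container render its configured 404 page,
            // so the body matches a genuine "not found" response.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** The decision isolated from servlet types so it can be unit-tested. */
    static boolean isHidden(String path, boolean callerHasRole) {
        boolean protectedPath = path.equals("/admin") || path.startsWith(PROTECTED_PREFIX);
        return protectedPath && !callerHasRole;
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter in web.xml to the same URL pattern as the Seam servlet (for example /*) and place it before any filter that would otherwise turn an AuthorizationException into a 403 or a login redirect. This reproduces the caveat raised in the post as well: a caller holding "admin" who then triggers a "superadmin" check inside a page is not covered by the filter and still gets the application's ordinary authorization error, which is the "page access only, not the backend" behaviour the post suggests as the alternative.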



More information about the jboss-user mailing list