[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-800) s:hasPermission vs view-id wildcards
Stephan Bublava (JIRA)
jira-events at lists.jboss.org
Fri Feb 9 03:20:29 EST 2007
s:hasPermission vs view-id wildcards
------------------------------------
Key: JBSEAM-800
URL: http://jira.jboss.com/jira/browse/JBSEAM-800
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 1.1.6.GA
Reporter: Stephan Bublava
Assume I have a set of protected pages, i.e. pages.xml contains:
    <page view-id="/foo/*">
        <restrict />
    </page>
and now I navigate to /foo/bar.seam.
In this case the security framework checks: #{s:hasPermission('/foo/*', 'render', null)}.
I believe this is bad, especially as it establishes strong ties between pages.xml and my security rules (which may break whenever pages.xml is changed). It would be much better to check for the actual page being accessed, i.e. #{s:hasPermission('/foo/bar.xhtml', 'render', null)}.