[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-800) s:hasPermission vs view-id wildcards

Stephan Bublava (JIRA) jira-events at lists.jboss.org
Fri Feb 9 03:20:29 EST 2007


s:hasPermission vs view-id wildcards
------------------------------------

                 Key: JBSEAM-800
                 URL: http://jira.jboss.com/jira/browse/JBSEAM-800
             Project: JBoss Seam
          Issue Type: Bug
          Components: Security
    Affects Versions: 1.1.6.GA
            Reporter: Stephan Bublava


Assume I have a set of protected pages, i.e. pages.xml contains:

<page view-id="/foo/*">
    <restrict />
</page>

and now I navigate to /foo/bar.seam.

In this case the security framework checks: #{s:hasPermission('/foo/*', 'render', null)}.

I believe this is bad, especially as it establishes strong ties between pages.xml and my security rules (which may break whenever pages.xml is changed). It would be much better to check for the actual page being accessed, i.e. #{s:hasPermission('/foo/bar.xhtml', 'render', null)}.


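The coupling described in the report, as an added example. It is a small Python model, not Seam code and not part of the original message. It assumes that a view-id ending in "*" is a prefix wildcard and that the most specific matching entry supplies the restriction. The "/foo/admin/*" entry, the sample view id and all function names are constructed for illustration.

```python
# Model of the check described in JBSEAM-800; not Seam code.
# Assumption: a view-id ending in "*" is a prefix wildcard, and the most
# specific (longest) matching <page> entry supplies the <restrict/>.

def matched_pattern(restricted, view_id):
    """Return the longest restricted view-id pattern covering view_id."""
    hits = [p for p in restricted
            if p == view_id or (p.endswith("*") and view_id.startswith(p[:-1]))]
    return max(hits, key=len, default=None)

def permission_name(restricted, view_id, use_pattern):
    """Name handed to hasPermission(name, 'render', null), or None if open."""
    pattern = matched_pattern(restricted, view_id)
    if pattern is None:
        return None
    return pattern if use_pattern else view_id

def may_render(restricted, rule, view_id, use_pattern):
    """Apply a security rule (a predicate on the permission name)."""
    name = permission_name(restricted, view_id, use_pattern)
    return True if name is None else rule(name)

# Constructed sample data.
PAGES_V1 = ["/foo/*"]                   # pages.xml as in the report
PAGES_V2 = ["/foo/*", "/foo/admin/*"]   # later edit adds a narrower entry

def rule_on_pattern(name):
    """Security rule written against the pages.xml pattern string."""
    return name == "/foo/*"

def rule_on_view(name):
    """Security rule written against actual view ids under /foo/."""
    return name.startswith("/foo/")

def outcomes(view_id="/foo/admin/users.xhtml"):
    """Render decision per (pages.xml version, naming scheme)."""
    return {
        ("v1", "pattern"): may_render(PAGES_V1, rule_on_pattern, view_id, True),
        ("v2", "pattern"): may_render(PAGES_V2, rule_on_pattern, view_id, True),
        ("v1", "view"): may_render(PAGES_V1, rule_on_view, view_id, False),
        ("v2", "view"): may_render(PAGES_V2, rule_on_view, view_id, False),
    }

if __name__ == "__main__":
    for key, allowed in outcomes().items():
        print(key, "allowed" if allowed else "denied")
```

In this model the rule keyed on the pattern string stops granting access once pages.xml gains a narrower entry, while the rule keyed on the actual view id gives the same decision before and after the edit.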