[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-800) s:hasPermission vs view-id wildcards

Gavin King (JIRA) jira-events at lists.jboss.org
Fri Feb 9 10:26:30 EST 2007


    [ http://jira.jboss.com/jira/browse/JBSEAM-800?page=comments#action_12352719 ] 
            
Gavin King commented on JBSEAM-800:
-----------------------------------

Totally agree

> s:hasPermission vs view-id wildcards
> ------------------------------------
>
>                 Key: JBSEAM-800
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-800
>             Project: JBoss Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.1.6.GA
>            Reporter: Stephan Bublava
>         Assigned To: Shane Bryzak
>             Fix For: 1.1.7.GA
>
>
> Assume I have a set of protected pages, i.e. pages.xml contains:
> <page view-id="/foo/*">
>     <restrict />
> </page>
> and now I navigate to /foo/bar.seam.
> In this case the security framework checks: #{s:hasPermission('/foo/*', 'render', null)}.
> I believe this is bad, especially as it establishes strong ties between pages.xml and my security rules (which may break whenever pages.xml is changed). It would be much better to check for the actual page being accessed, i.e. #{s:hasPermission('/foo/bar.xhtml', 'render', null)}.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
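
The coupling described in the quoted report, as an added example that is not part of the original message or of Seam's code: a self-contained Java model comparing a permission check named after the matching pages.xml pattern with one named after the actual view id. The class and method names are hypothetical, and the later pages.xml edit from `/foo/*` to `/*` is constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration: a self-contained model, not Seam's implementation.
public class RestrictNameDemo {

    // Longest pattern from a (constructed) pages.xml that matches viewId, or null.
    static String matchPattern(List<String> patterns, String viewId) {
        String best = null;
        for (String p : patterns) {
            boolean hit = p.endsWith("*")
                    ? viewId.startsWith(p.substring(0, p.length() - 1))
                    : viewId.equals(p);
            if (hit && (best == null || p.length() > best.length())) {
                best = p;
            }
        }
        return best;
    }

    // Reported behaviour: the permission name is the text of the matching pattern.
    static boolean renderAllowedByPattern(Set<String> granted, List<String> patterns, String viewId) {
        String p = matchPattern(patterns, viewId);
        return p == null || granted.contains(p); // no matching restricted page: not checked
    }

    // Requested behaviour: the permission name is the view id being accessed.
    static boolean renderAllowedByViewId(Set<String> granted, List<String> patterns, String viewId) {
        return matchPattern(patterns, viewId) == null || granted.contains(viewId);
    }

    public static void main(String[] args) {
        String viewId = "/foo/bar.xhtml";
        List<String> original = Arrays.asList("/foo/*"); // pattern from the report
        List<String> edited = Arrays.asList("/*");       // constructed later edit to pages.xml
        Set<String> ruleOnPattern = new HashSet<>(Arrays.asList("/foo/*"));
        Set<String> ruleOnViewId = new HashSet<>(Arrays.asList("/foo/bar.xhtml"));

        System.out.println("pattern-named, original: " + renderAllowedByPattern(ruleOnPattern, original, viewId));
        System.out.println("pattern-named, edited:   " + renderAllowedByPattern(ruleOnPattern, edited, viewId));
        System.out.println("view-id-named, original: " + renderAllowedByViewId(ruleOnViewId, original, viewId));
        System.out.println("view-id-named, edited:   " + renderAllowedByViewId(ruleOnViewId, edited, viewId));
    }
}
```

Only the pattern-named check changes its answer when the pattern is edited, even though the security rule itself was not touched.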

        


