[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-508) Seam/Security

Tue Jan 23 14:12:58 EST 2007

    [ http://jira.jboss.com/jira/browse/JBSEAM-508?page=comments#action_12351469 ] 
            
Peter Muir commented on JBSEAM-508:
-----------------------------------

1) If security components aren't configured in components.xml (but the servlet filter has been added)

java.lang.NullPointerException
	at org.jboss.seam.security.filter.SeamSecurityFilter.checkSecurityConstraints(SeamSecurityFilter.ja
va:82)
	at org.jboss.seam.security.filter.SeamSecurityFilter.doFilter(SeamSecurityFilter.java:64)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202
)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.jboss.seam.servlet.SeamRedirectFilter.doFilter(SeamRedirectFilter.java:32)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202
)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.jboss.seam.servlet.SeamExceptionFilter.doFilter(SeamExceptionFilter.java:46)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202
)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202
)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)

	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11Base
Protocol.java:664)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
	at java.lang.Thread.run()V(Unknown Source)	

2) If an empty security constraint element is specified (<security-constraint></security-constraint>) then an NPE is thrown (sorry, I don't have the trace to hand)

+1 for being able to specify 'web-resource-collection' restraints in pages.xml

+1 for if the user is not logged in, and requests a secured page, they get redirected to the securityError.seam page. On this page I have a login box, the user can log in. It would be good if the login is successful, for the user to be redirected to the originally requested page.

> Seam/Security
> -------------
>
>                 Key: JBSEAM-508
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-508
>             Project: JBoss Seam
>          Issue Type: Feature Request
>          Components: Security
>            Reporter: Gavin King
>         Assigned To: Shane Bryzak
>            Priority: Blocker
>             Fix For: 1.1.5.GA
>
>
> The security framework for Seam:
> Identity API for authentication and programmatic authorization
> SecurityInterceptor
> @RequirePermission, @RequireRole
> @DefinePermission
> <page require-permission>, <page require-role> in pages.xml
> <s:secure/>
> JAAS integration
> Possibly we will do it as
> @Restrict + an EL for expressing restrictions

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira