[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1987) <restrict> in pages.xml has no effect

Werner Kolov (JIRA) jira-events at lists.jboss.org
Wed Nov 7 09:11:44 EST 2007


    [ http://jira.jboss.com/jira/browse/JBSEAM-1987?page=comments#action_12386477 ] 
            
Werner Kolov commented on JBSEAM-1987:
--------------------------------------

Try adding the following 3 entries to your pages.xml:

  <page view-id="/restricted.xhtml" login-required="true">
    <restrict>#{s:hasRole('doesNotExist')}</restrict>
  </page>

  <exception class="org.jboss.seam.security.AuthorizationException">
      <redirect view-id="/home.xhtml">
          <message>You don't have permission to do this</message>
      </redirect>
  </exception>

  <exception class="org.jboss.seam.TransactionException">
    <end-conversation/>
    <redirect view-id="/exceptions.xhtml">
      <message>#{messages.seam_specific_exception}</message>
    </redirect>
  </exception>

You will never be redirected to /home.xhtml after an AuthorizationException, because the exception class org.jboss.seam.TransactionException does not exist (any more) in Seam 2.0. Sure, this is a configuration error, but unfortunately you are not prompted about it during the parsing of pages.xml. The parser simply throws ALL exception handlers away if one of them is wrong, so the complete custom exception handling and all <restrict> tags don't work. This error can easily happen if you migrate from one Seam version (1.2.1) to another (2.0.0) and some exception classes change.

This bug is closed, so I'll wait a while for a comment and, if nothing happens, report a new issue for this problem.

> <restrict> in pages.xml has no effect
> -------------------------------------
>
>                 Key: JBSEAM-1987
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-1987
>             Project: JBoss Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.0.0.CR1
>            Reporter: Samuel Mendenhall
>         Assigned To: Shane Bryzak
>            Priority: Critical
>             Fix For: 2.0.0.CR2
>
>
> Default seam-gen'd project
> Create a page called restricted.xhtml
> Add to pages.xml:
> <page view-id="/restricted.xhtml" login-required="true">
> 	<restrict>#{s:hasRole('doesNotExist')}</restrict>
> </page>
> Logging in will by default give the user the 'admin' role, but the user can still access the page even without the doesNotExist role.
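
A pre-deployment check for the failure mode described in the comment above, as an added example that is not part of the original message or of Seam: it lists every `<exception class="...">` in pages.xml whose class cannot be resolved. The class name `PagesXmlExceptionCheck` and the `SAMPLE` document are hypothetical; the check assumes it runs with the application's classpath (Seam jars included), otherwise every Seam class is reported as missing.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class PagesXmlExceptionCheck {
    // Constructed sample, reduced from the entries quoted in the message above.
    static final String SAMPLE = "<pages>"
      + "<page view-id=\"/restricted.xhtml\" login-required=\"true\">"
      + "<restrict>#{s:hasRole('doesNotExist')}</restrict></page>"
      + "<exception class=\"org.jboss.seam.security.AuthorizationException\"/>"
      + "<exception class=\"org.jboss.seam.TransactionException\"/>"
      + "</pages>";

    /** Returns the exception class names in pages.xml that the loader cannot resolve. */
    static List<String> unresolvable(InputStream pagesXml, ClassLoader loader) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPEs so the check itself is not exposed to XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = f.newDocumentBuilder().parse(pagesXml).getElementsByTagName("exception");
        List<String> missing = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            String name = ((Element) nodes.item(i)).getAttribute("class");
            if (name.isEmpty()) continue; // no class attribute: nothing to resolve
            try {
                Class.forName(name, false, loader); // resolve only, do not initialize
            } catch (ClassNotFoundException | LinkageError e) {
                missing.add(name);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java PagesXmlExceptionCheck [path/to/pages.xml]; no argument checks SAMPLE.
        try (InputStream in = args.length > 0 ? Files.newInputStream(Paths.get(args[0]))
                : new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8))) {
            List<String> missing = unresolvable(in, PagesXmlExceptionCheck.class.getClassLoader());
            missing.forEach(n -> System.err.println("pages.xml: exception class not found: " + n));
            System.exit(missing.isEmpty() ? 0 : 1);
        }
    }
}
```

Run as a build or CI step after a Seam version upgrade, a non-zero exit flags a handler entry that would otherwise leave the `<restrict>` rules without effect, as the comment describes.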
