[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1009) optionally login-require in a more specific page should be able to override a wildcard login-require

Norman Richards (JIRA) jira-events at lists.jboss.org
Mon Feb 4 23:42:04 EST 2008


    [ http://jira.jboss.com/jira/browse/JBSEAM-1009?page=comments#action_12398170 ] 
            
Norman Richards commented on JBSEAM-1009:
-----------------------------------------

Although I don't think this case represents the right solution, this is a problem we definitely should solve. (one reason being that it is incompatible with richfaces)  Here are some solutions that have been proposed:

* Disallow login-required="true" for "*".  It's a largely nonsensical setting, and if we can discourage people from using it, we'd all be much happier.  url-rewriting could make the ugly URLs disappear.  

* Expand "*" wildcards to allow for an extension like "*.xhtml" or the like.  This doesn't solve the overriding problem, but it would fix the RF issue.   In general, proper regex would be nice, but that doesn't play well with the ordering logic we have for overriding pages definitions.

* Invert the ordering of security declarations.  When talking about security rules, the most specific rule should generally win.  While that might not make sense in the context of pages.xml, it's really the right approach.  You'd need to make login-required ternary (like in the proposal here - true|false|unspecified) to make this work.   

* Filter out the a4j resource requests and otherwise stick with the status quo.  We already hardcode debug.seam in this, which I think we all find rather unfortunate.  Hardcoding exclusions is bad.  This could be configurable, but we'd rather avoid increasing the configuration burden on users.

I think that was all of the options Pete and I discussed.  Any other suggestions here?  I would like to see login-required able to be overridden, and as I said above I really don't see why the most general rule should take precedence in security.  That just doesn't seem right.  



> optionally login-require in a more specific page should be able to override a wildcard login-require
> ----------------------------------------------------------------------------------------------------
>
>                 Key: JBSEAM-1009
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-1009
>             Project: JBoss Seam
>          Issue Type: Patch
>          Components: Security
>    Affects Versions: 1.2.0.GA
>         Environment: all
>            Reporter: Leo Baschy
>         Assigned To: Shane Bryzak
>         Attachments: may-override-login-required.patch, may-override-login-required.patch, weaker-explicit-security.patch, weaker-explicit-security.patch
>
>
> This should be optional to switch on, so no one's existing expectations of security get broken.
> The point is about having a generic wildcard  <page view-id="*" scheme="http" login-required="true">  to secure the whole site, and then allowing specific pages or specific wildcards to have login-required="false".  E.g. for a registration (with preview) section as one cannot be logged in if one isn't registered yet.
> Some may suggest instead forcing pages into dedicated secure and not-secure directories, but in reality if there are multiple reasons to force pages into directories different ways (security, hyperlink management, publishability of URLs, etc.), one cannot serve all of them.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
