[seam-issues] [JBoss JIRA] (SEAMFACES-209) Security integration shows denied pages

Tomáš Tikovský (Issue Comment Edited) (JIRA) jira-events at lists.jboss.org
Mon Oct 31 07:02:45 EDT 2011


    [ https://issues.jboss.org/browse/SEAMFACES-209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12638489#comment-12638489 ] 

Tomáš Tikovský edited comment on SEAMFACES-209 at 10/31/11 7:02 AM:
--------------------------------------------------------------------

I'm observing the same issue with upstream seam-faces. redirectToAccessDeniedView() is executed at render response phase, so context.getRenderResponse() returns true and the whole method is skipped ... I tried to add @RestrictAtPhase(value=PhaseIdType.RESTORE_VIEW) to security pages, so it executes earlier, but context.getRenderResponse() still returns true ...

The following fix is working for me: org/jboss/seam/faces/security/SecurityPhaseListener.java
-if (!(context.getResponseComplete() || context.getRenderResponse())) {
+if (!(context.getResponseComplete())) {
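
Review bot: Dropping `context.getRenderResponse()` from the condition removes the guard for the case the existing code comment on that check describes (a redirect already done and the response rendered, possibly in an observer), and nothing in the change says whether overriding that case is intended. If the access-denied redirect is meant to win whenever the response is not yet complete, state that and rewrite the comment above the `if` to match the new condition, since it would otherwise describe a check that no longer exists. A test that requests a restricted view directly by URL and asserts the page is not rendered would pin the behaviour this change is meant to fix.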

Anybody know what side effects this can have?

                
      was (Author: tikus):
    I'm observing the same issue with upstream seam-faces. redirectToAccessDeniedView() is executed at render response phase, so context.getRenderResponse() returns true and the whole method is skipped ... I tried to add @RestrictAtPhase(value=PhaseIdType.RESTORE_VIEW) to security pages, so it executes earlier, but context.getRenderResponse() still returns true ...
                  
> Security integration shows denied pages
> ---------------------------------------
>
>                 Key: SEAMFACES-209
>                 URL: https://issues.jboss.org/browse/SEAMFACES-209
>             Project: Seam Faces
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 3.1.0.Beta2
>            Reporter: Nicklas Karlsson
>
> I have a @ViewConfig and security annotated page that fails the auth check but the code in SecurityPhaseListener
>     private void redirectToAccessDeniedView(FacesContext context, UIViewRoot viewRoot) {
>         // If a user has already done a redirect and rendered the response (possibly in an observer) we cannot do this output
>         if (!(context.getResponseComplete() || context.getRenderResponse())) {
> quietly fails the check and then proceeds to render the page. It should perhaps throw an exception or take some other actions to at least deny the page.
> In an unrelated note, I can't see where response output would be produced since I just edited the browser url and pointed it at a forbidden page...

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       


