Ron Smeral created DELTASPIKE-749:
-------------------------------------
Summary: Doc: Security: Making initially requested and secured page available for redirect after login
Key: DELTASPIKE-749
URL: https://issues.apache.org/jira/browse/DELTASPIKE-749
Project: DeltaSpike
Issue Type: Bug
Components: Documentation
Reporter: Ron Smeral
Priority: Minor
http://deltaspike.apache.org/documentation/security.html#_making_intitially_requested_and_secured_page_available_for_redirect_after_login
In _CDI Implementation to redirect the login to the first denied page_:
* change Usuario to User
* why use {{char[]}} for password? Is that some security measure, to prevent
interned Strings of passwords hanging around in memory? If so, that should be
noted; otherwise it should be changed to String, as it's confusing.
In CDI and PL implementations:
* the AdminAccessDecisionVoter should implement AccessDecisionVoter, not extend
AbstractAccessDecisionVoter
* I think the {{AdminAccessDecisionVoter}} should be agnostic of the view layer
and therefore shouldn't inject {{ViewConfigResolver}} and shouldn't keep the
denied page itself.
Maybe the listener could handle the {{AccessDeniedException}} instead:
Basic voter:
{code:java|title=AdminAccessDecisionVoter.java}
import java.util.HashSet;
import java.util.Set;
import javax.enterprise.context.SessionScoped;
import org.apache.deltaspike.security.api.authorization.AccessDecisionVoter;
import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
import org.apache.deltaspike.security.api.authorization.SecurityViolation;

@SessionScoped //or @WindowScoped
public class AdminAccessDecisionVoter implements AccessDecisionVoter {
    @Override
    public Set<SecurityViolation> checkPermission(AccessDecisionVoterContext context) {
        Set<SecurityViolation> violations = new HashSet<SecurityViolation>();
        // voting stuff: add a SecurityViolation for every reason access must be denied
        return violations;
    }
}
{code}
The listener/holder/handler:
{code:java|title=AuthenticationListener.java}
import java.io.Serializable;
import javax.enterprise.context.SessionScoped;
import javax.enterprise.event.Observes;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import org.apache.deltaspike.core.api.config.view.ViewConfig;
import org.apache.deltaspike.core.api.config.view.metadata.ViewConfigResolver;
import org.apache.deltaspike.core.api.config.view.navigation.ViewNavigationHandler;
import org.apache.deltaspike.core.api.exception.control.BeforeHandles;
import org.apache.deltaspike.core.api.exception.control.ExceptionEvent;
import org.apache.deltaspike.core.api.exception.control.ExceptionHandler;
import org.apache.deltaspike.security.api.authentication.UserLoggedInEvent;
import org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException;

@ExceptionHandler
@SessionScoped // the remembered page must outlive the denied request, until login
public class AuthenticationListener implements Serializable {
    @Inject private ViewNavigationHandler viewNavigationHandler;
    @Inject private ViewConfigResolver viewConfigResolver;
    private Class<? extends ViewConfig> deniedPage;

    public void rememberDeniedView(
            @BeforeHandles ExceptionEvent<ErrorViewAwareAccessDeniedException> evt) {
        // look up the view config of the page that was requested and denied
        String viewId = FacesContext.getCurrentInstance().getViewRoot().getViewId();
        deniedPage = viewConfigResolver.getViewConfigDescriptor(viewId).getConfigClass();
        evt.handledAndContinue(); // let the regular handling redirect to the login page
    }

    public void handleLoggedIn(@Observes UserLoggedInEvent event) {
        if (deniedPage != null) {
            // send the user back to the page originally requested, then forget it
            viewNavigationHandler.navigateTo(deniedPage);
            deniedPage = null;
        } else {
            viewNavigationHandler.navigateTo(Pages.Home.class);
        }
    }
}
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)