[ https://issues.apache.org/jira/browse/DELTASPIKE-749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ron Smeral updated DELTASPIKE-749:
----------------------------------
    Description: 
http://deltaspike.apache.org/documentation/security.html#_making_intitially_requested_and_secured_page_available_for_redirect_after_login

In _CDI Implementation to redirect the login to the first denied page_:
* change Usuario to User
* why use {{char[]}} for password? Is that some security measure, to prevent 
interned Strings of passwords hanging around in memory? If so, that should be 
noted; otherwise it should be changed to String, as it's confusing.

In CDI and PL implementations: 
* -the AdminAccessDecisionVoter should implement AccessDecisionVoter, not 
extend AbstractAccessDecisionVoter-
* I think the {{AdminAccessDecisionVoter}} should be agnostic of the view layer 
and therefore shouldn't inject {{ViewConfigResolver}} and shouldn't keep the 
denied page itself.

Maybe the listener could handle the {{AccessDeniedException}} instead:

Basic voter:
{code:java|title=AdminAccessDecisionVoter.java}
import java.util.Set;

import javax.enterprise.context.SessionScoped;

import org.apache.deltaspike.security.api.authorization.AbstractAccessDecisionVoter;
import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
import org.apache.deltaspike.security.api.authorization.SecurityViolation;

@SessionScoped //or @WindowScoped
public class AdminAccessDecisionVoter extends AbstractAccessDecisionVoter {

    @Override
    protected void checkPermission(AccessDecisionVoterContext context, Set<SecurityViolation> violations) {
        // voting stuff: add a SecurityViolation to 'violations' for every reason access must be denied;
        // no view-layer lookups here, the listener decides where to go after login
    }
}
{code}

The listener/holder/handler:
{code:java|title=AuthenticationListener.java}
import java.io.Serializable;

import javax.enterprise.context.SessionScoped;
import javax.enterprise.event.Observes;
import javax.faces.context.FacesContext;
import javax.inject.Inject;

import org.apache.deltaspike.core.api.config.view.ViewConfig;
import org.apache.deltaspike.core.api.config.view.metadata.ViewConfigResolver;
import org.apache.deltaspike.core.api.config.view.navigation.ViewNavigationHandler;
import org.apache.deltaspike.core.api.exception.control.BeforeHandles;
import org.apache.deltaspike.core.api.exception.control.ExceptionHandler;
import org.apache.deltaspike.core.api.exception.control.event.ExceptionEvent;
import org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException;

// UserLoggedInEvent and Pages are the application's own classes from the documented example

@ExceptionHandler
@SessionScoped //or @WindowScoped, like the voter: the bean must outlive the request that was denied
public class AuthenticationListener implements Serializable {

    @Inject ViewNavigationHandler viewNavigationHandler;

    @Inject ViewConfigResolver viewConfigResolver;

    // the view that was denied, kept until the user has logged in
    private Class<? extends ViewConfig> deniedPage;

    public void rememberDeniedView(@BeforeHandles ExceptionEvent<ErrorViewAwareAccessDeniedException> evt) {
        String viewId = FacesContext.getCurrentInstance().getViewRoot().getViewId();
        deniedPage = viewConfigResolver.getViewConfigDescriptor(viewId).getConfigClass();
        evt.handledAndContinue(); // let the default handler still navigate to the error view (login)
    }

    public void handleLoggedIn(@Observes UserLoggedInEvent event) {
        if(deniedPage != null) {
            viewNavigationHandler.navigateTo(deniedPage);
            deniedPage = null;
        } else {
            viewNavigationHandler.navigateTo(Pages.Home.class);
        }
    }
}
{code}

  was:
http://deltaspike.apache.org/documentation/security.html#_making_intitially_requested_and_secured_page_available_for_redirect_after_login

In _CDI Implementation to redirect the login to the first denied page_:
* change Usuario to User
* why use {{char[]}} for password? Is that some security measure, to prevent 
interned Strings of passwords hanging around in memory? If so, that should be 
noted; otherwise it should be changed to String, as it's confusing.

In CDI and PL implementations: 
* the AdminAccessDecisionVoter should implement AccessDecisionVoter, not extend 
AbstractAccessDecisionVoter
* I think the {{AdminAccessDecisionVoter}} should be agnostic of the view layer 
and therefore shouldn't inject {{ViewConfigResolver}} and shouldn't keep the 
denied page itself.

Maybe the listener could handle the {{AccessDeniedException}} instead:

Basic voter:
{code:java|title=AdminAccessDecisionVoter.java}
@SessionScoped //or @WindowScoped
public class AdminAccessDecisionVoter implements AccessDecisionVoter {

    @Override
    protected void checkPermission(AccessDecisionVoterContext context, Set<SecurityViolation> violations) {
        // voting stuff
    }
}
{code}

The listener/holder/handler:
{code:java|title=AuthenticationListener.java}
@ExceptionHandler
public class AuthenticationListener {

    @Inject ViewNavigationHandler viewNavigationHandler;

    @Inject ViewConfigResolver viewConfigResolver;

    private Class<? extends ViewConfig> deniedPage;

    public void rememberDeniedView(@BeforeHandles ExceptionEvent<ErrorViewAwareAccessDeniedException> evt) {
        deniedPage = viewConfigResolver.getViewConfigDescriptor(FacesContext.getCurrentInstance().getViewRoot().getViewId()).getConfigClass();
        evt.handledAndContinue();
    }

    public void handleLoggedIn(@Observes UserLoggedInEvent event) {
        if(deniedPage != null) {
            viewNavigationHandler.navigateTo(deniedPage);
            deniedPage = null;
        }
        viewNavigationHandler.navigateTo(Pages.Home.class);
    }
}
{code}


> Doc: Security: Making initially requested and secured page available for redirect after login
> ----------------------------------------------------------------------------------------------
>
>                 Key: DELTASPIKE-749
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-749
>             Project: DeltaSpike
>          Issue Type: Bug
>          Components: Documentation
>            Reporter: Ron Smeral
>            Priority: Minor
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
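The proposal in the ticket carried through end to end, as an added example that is not code from the ticket or from the DeltaSpike documentation: the voter only consults session state, and the exception handler remembers the denied view only when logging in can actually cure the denial, then replays it once. The `User`, `UserLoggedInEvent` and `Pages` classes are assumed application classes; the `org.apache.deltaspike.*` imports name the real DeltaSpike 1.x API, and placing `@Secured(errorView = ...)` on a view-config class assumes the JSF module's view-config security integration.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.enterprise.context.SessionScoped;
import javax.enterprise.event.Observes;
import javax.faces.context.FacesContext;
import javax.inject.Inject;

import org.apache.deltaspike.core.api.config.view.ViewConfig;
import org.apache.deltaspike.core.api.config.view.metadata.ViewConfigDescriptor;
import org.apache.deltaspike.core.api.config.view.metadata.ViewConfigResolver;
import org.apache.deltaspike.core.api.config.view.navigation.ViewNavigationHandler;
import org.apache.deltaspike.core.api.exception.control.BeforeHandles;
import org.apache.deltaspike.core.api.exception.control.ExceptionHandler;
import org.apache.deltaspike.core.api.exception.control.event.ExceptionEvent;
import org.apache.deltaspike.security.api.authorization.AbstractAccessDecisionVoter;
import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
import org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException;
import org.apache.deltaspike.security.api.authorization.Secured;
import org.apache.deltaspike.security.api.authorization.SecurityViolation;

/** Hypothetical application event, fired by the login code after credentials were verified. */
class UserLoggedInEvent {
    final String userName;
    UserLoggedInEvent(String userName) { this.userName = userName; }
}

/** Hypothetical view config: Admin is guarded by the voter; a denial sends the user to Login. */
interface Pages extends ViewConfig {
    class Home implements Pages {}
    class Login implements Pages {}
    @Secured(value = AdminAccessDecisionVoter.class, errorView = Login.class)
    class Admin implements Pages {}
}

/** Hypothetical session state; the login code calls establish(...) once the password has been checked. */
@SessionScoped
class User implements Serializable {
    private static final long serialVersionUID = 1L;
    private String name;
    private Set<String> roles = Collections.emptySet();

    void establish(String name, Set<String> roles) {
        this.name = name;
        this.roles = new HashSet<String>(roles);
    }
    boolean isLoggedIn() { return name != null; }
    boolean hasRole(String role) { return roles.contains(role); }
}

/** The voter only consults session state; it knows nothing about views or navigation. */
@SessionScoped
class AdminAccessDecisionVoter extends AbstractAccessDecisionVoter {
    private static final long serialVersionUID = 1L;
    @Inject private User user;

    @Override
    protected void checkPermission(AccessDecisionVoterContext context, Set<SecurityViolation> violations) {
        if (!user.isLoggedIn()) {
            violations.add(newSecurityViolation("login required"));
        } else if (!user.hasRole("admin")) {
            violations.add(newSecurityViolation("admin role required"));
        }
    }
}

/** Holds the denied view across the login round trip and replays it exactly once. */
@ExceptionHandler
@SessionScoped
class AuthenticationListener implements Serializable {
    private static final long serialVersionUID = 1L;
    @Inject private ViewNavigationHandler viewNavigationHandler;
    @Inject private ViewConfigResolver viewConfigResolver;
    @Inject private User user;
    private Class<? extends ViewConfig> deniedPage;

    public void rememberDeniedView(@BeforeHandles ExceptionEvent<ErrorViewAwareAccessDeniedException> evt) {
        // Only remember the target when logging in can cure the denial. A user who is already
        // logged in but lacks the role would otherwise be bounced back to the same page.
        if (!user.isLoggedIn()) {
            String viewId = FacesContext.getCurrentInstance().getViewRoot().getViewId();
            // The target is a registered ViewConfig class resolved from the current view, never a
            // request parameter, so it cannot be turned into a redirect to a foreign URL.
            ViewConfigDescriptor descriptor = viewConfigResolver.getViewConfigDescriptor(viewId);
            if (descriptor != null) {
                deniedPage = descriptor.getConfigClass();
            }
        }
        evt.handledAndContinue(); // the default handler still navigates to errorView (Login)
    }

    public void handleLoggedIn(@Observes UserLoggedInEvent event) {
        Class<? extends ViewConfig> target = deniedPage != null ? deniedPage : Pages.Home.class;
        deniedPage = null; // one-shot: a stale target must not be replayed on a later login
        viewNavigationHandler.navigateTo(target);
    }
}
```

One caveat for the scope choice: if the application invalidates and re-creates the HTTP session at login (the usual defence against session fixation), `@SessionScoped` state such as `deniedPage` is lost with the old session, so the `@WindowScoped` alternative the ticket mentions, or re-establishing the remembered target after the session is renewed, is the safer fit there.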