[ https://issues.apache.org/jira/browse/DELTASPIKE-749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14195107#comment-14195107 ]

Gerhard Petracek commented on DELTASPIKE-749:
---------------------------------------------

only the artifact which keeps the denied-page needs to be session- or 
window-scoped.
@#2: personally i would agree, however, there are more pragmatic minds out 
there and imo for them we should always show the minimal way - otherwise they 
see it as over-complicated...
@#3: since you changed the notion of AuthenticationListener, we are talking 
about the same name, but a different artifact (since it isn't an 
exception-handler any longer... what you tried to do initially is an 
"exception-observer" - we don't have that, but a lot of users are trying to do 
that (esp. in context of security violations) and therefore i discussed it 
already with Jason. that's the reason why it worked at all... in case of 
security-exceptions we handle it differently, because we don't have such 
observers. it isn't consistent/correct, but too many users are using it like 
you tried to do it, because it's what you expect. however, it isn't what 
exception-control is doing usually, so we don't like to promote this special 
handling.)

since deltaspike isn't bound to picketlink the primary documentation needs to 
be independent - documenting the integration with "security-providers" like 
picketlink is just a bonus for our documentation (which is **very welcome**). 
so far we just included that one, because a full example (with manual 
login/logout) isn't that complicated, but it looks a bit long...

-> +1 for your 2nd code-suggestion, but we need to add details about the 
possible scopes of AdminAccessDecisionVoter (since a voter should be stateless, 
if you keep the state in other beans...)

> Doc: Security: Making initially requested and secured page available for 
> redirect after login
> ----------------------------------------------------------------------------------------------
>
>                 Key: DELTASPIKE-749
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-749
>             Project: DeltaSpike
>          Issue Type: Bug
>          Components: Documentation
>            Reporter: Ron Smeral
>            Priority: Minor
>
> http://deltaspike.apache.org/documentation/security.html#_making_intitially_requested_and_secured_page_available_for_redirect_after_login
> In _CDI Implementation to redirect the login to the first denied page_:
> * change Usuario to User
> * why use {{char[]}} for password? Is that some security measure, to prevent 
> interned Strings of passwords hanging around in memory? If so, that should be 
> noted, otherwise it should be changed to String, it's confusing. 
> In CDI and PL implementations: 
> * -the AdminAccessDecisionVoter should implement AccessDecisionVoter, not 
> extend AbstractAccessDecisionVoter-
> * I think the {{AdminAccessDecisionVoter}} should be agnostic of the view 
> layer and therefore shouldn't inject {{ViewConfigResolver}} and shouldn't 
> keep the denied page itself.
> Maybe the listener could handle the {{AccessDeniedException}} instead:
> Basic voter:
> {code:java|title=AdminAccessDecisionVoter.java}
> @SessionScoped //or @WindowScoped
> public class AdminAccessDecisionVoter extends AbstractAccessDecisionVoter {
>     @Override
>     protected void checkPermission(AccessDecisionVoterContext context, Set<SecurityViolation> violations) {
>         // voting stuff
>     }
> }
> {code}
> The listener/holder/handler:
> {code:java|title=AuthenticationListener.java}
> @ExceptionHandler
> public class AuthenticationListener {
>     @Inject ViewNavigationHandler viewNavigationHandler;
>     @Inject ViewConfigResolver viewConfigResolver;
>     private Class<? extends ViewConfig> deniedPage;
>
>     // remember the denied view before the exception gets handled
>     public void rememberDeniedView(@BeforeHandles ExceptionEvent<ErrorViewAwareAccessDeniedException> evt) {
>         deniedPage = viewConfigResolver.getViewConfigDescriptor(
>             FacesContext.getCurrentInstance().getViewRoot().getViewId()).getConfigClass();
>         evt.handledAndContinue();
>     }
>
>     // after login go back to the remembered view, otherwise to the home page
>     public void handleLoggedIn(@Observes UserLoggedInEvent event) {
>         if (deniedPage != null) {
>             viewNavigationHandler.navigateTo(deniedPage);
>             deniedPage = null;
>         } else {
>             viewNavigationHandler.navigateTo(Pages.Home.class);
>         }
>     }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
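The split the comment argues for (a stateless voter, one session- or window-scoped bean that remembers the denied page, and a handler that only wires the two together) as an added example. This is not DeltaSpike's documentation code nor the reporter's snippet; it assumes DeltaSpike 1.x package names for the imports, JSF's FacesContext, and the constructed stand-ins CurrentUser, UserLoggedInEvent and Pages.Home. It is shown in one file for illustration; in a project each bean would be its own public class.

```java
import java.io.Serializable;
import java.util.Set;

import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.SessionScoped;
import javax.enterprise.event.Observes;
import javax.faces.context.FacesContext;
import javax.inject.Inject;

import org.apache.deltaspike.core.api.config.view.ViewConfig;
import org.apache.deltaspike.core.api.config.view.metadata.ViewConfigDescriptor;
import org.apache.deltaspike.core.api.config.view.metadata.ViewConfigResolver;
import org.apache.deltaspike.core.api.config.view.navigation.ViewNavigationHandler;
import org.apache.deltaspike.core.api.exception.control.annotation.BeforeHandles;
import org.apache.deltaspike.core.api.exception.control.annotation.ExceptionHandler;
import org.apache.deltaspike.core.api.exception.control.event.ExceptionEvent;
import org.apache.deltaspike.security.api.authorization.AbstractAccessDecisionVoter;
import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
import org.apache.deltaspike.security.api.authorization.ErrorViewAwareAccessDeniedException;
import org.apache.deltaspike.security.api.authorization.SecurityViolation;

// Constructed stand-ins so the example is self-contained (hypothetical names).
interface Pages extends ViewConfig {
    class Home implements Pages { }            // view-config class for the home page
}
final class UserLoggedInEvent { }               // placeholder for the provider's login event

@SessionScoped
class CurrentUser implements Serializable {     // hypothetical bean filled in at login
    private boolean admin;
    boolean isAdmin() { return admin; }
    void setAdmin(boolean admin) { this.admin = admin; }
}

// 1. The voter only votes. It keeps no state, so application scope is enough.
@ApplicationScoped
class AdminAccessDecisionVoter extends AbstractAccessDecisionVoter {
    @Inject private CurrentUser currentUser;

    @Override
    protected void checkPermission(AccessDecisionVoterContext context,
                                   Set<SecurityViolation> violations) {
        if (!currentUser.isAdmin()) {
            violations.add(newSecurityViolation("admin role required"));
        }
    }
}

// 2. The only stateful artifact: remembers the denied view for this user.
@SessionScoped // or @WindowScoped
class DeniedViewHolder implements Serializable {
    private Class<? extends ViewConfig> deniedPage;

    void remember(Class<? extends ViewConfig> page) { deniedPage = page; }

    // Hands the page out once and forgets it, so a later login does not
    // replay a stale redirect.
    Class<? extends ViewConfig> consume() {
        Class<? extends ViewConfig> page = deniedPage;
        deniedPage = null;
        return page;
    }
}

// 3. Stateless glue: records the denied view before the exception is handled
//    and navigates back to it after login.
@ExceptionHandler
@ApplicationScoped
class AuthenticationListener {
    @Inject private DeniedViewHolder holder;
    @Inject private ViewConfigResolver viewConfigResolver;
    @Inject private ViewNavigationHandler viewNavigationHandler;

    public void rememberDeniedView(
            @BeforeHandles ExceptionEvent<ErrorViewAwareAccessDeniedException> evt) {
        String viewId = FacesContext.getCurrentInstance().getViewRoot().getViewId();
        ViewConfigDescriptor descriptor = viewConfigResolver.getViewConfigDescriptor(viewId);
        if (descriptor != null) {          // a view without a ViewConfig has nothing to return to
            holder.remember(descriptor.getConfigClass());
        }
        evt.handledAndContinue();          // the configured error view is still shown
    }

    public void handleLoggedIn(@Observes UserLoggedInEvent event) {
        Class<? extends ViewConfig> target = holder.consume();
        viewNavigationHandler.navigateTo(target != null ? target : Pages.Home.class);
    }
}
```

Because the denied page lives only in DeniedViewHolder, the voter and the exception handler can be shared across all sessions, and the one bean that does carry user state is the one whose scope (session or window) actually has to be documented.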
