[
https://issues.apache.org/jira/browse/DELTASPIKE-749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196117#comment-14196117
]
Gerhard Petracek commented on DELTASPIKE-749:
---------------------------------------------
i agree and that's why we changed so that it is as expected, but it's not
consistent any longer.
that's due to the nature of the initial concepts which came in from seam-solder.
since we can't change it easily for the other parts, we might need to wait
until v2.
+1 for a "solutions" part
> Doc: Security: Making intitially requested and secured page available for
> redirect after login
> ----------------------------------------------------------------------------------------------
>
> Key: DELTASPIKE-749
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-749
> Project: DeltaSpike
> Issue Type: Bug
> Components: Documentation
> Reporter: Ron Smeral
> Priority: Minor
>
> http://deltaspike.apache.org/documentation/security.html#_making_intitially_requested_and_secured_page_available_for_redirect_after_login
> In _CDI Implementation to redirect the login to the first denied page_:
> * change Usuario to User
> * why use {{char[]}} for password? Is that some security measure, to prevent
> interned Strings of passwords hanging around in memory? If so, that should be
> noted, otherwise it should be changed to String, it's confusing.
> In CDI and PL implementations:
> * -the AdminAccessDecisionVoter should implement AccessDecisionVoter, not
> extend AbstractAccessDecisionVoter-
> * I think the {{AdminAccessDecisionVoter}} should be agnostic of the view
> layer and therefore shouldn't inject {{ViewConfigResolver}} and shouldn't
> keep the denied page itself.
> Maybe the listener could handle the {{AccessDeniedException}} instead:
> Basic voter:
> {code:java|title=AdminAccessDecisionVoter.java}
> @SessionScoped //or @WindowScoped
> public class AdminAccessDecisionVoter extends AbstractAccessDecisionVoter {
> @Override
> protected void checkPermission(AccessDecisionVoterContext context,
> Set<SecurityViolation> violations) {
> // voting stuff
> }
> }
> {code}
> The listener/holder/handler:
> {code:java|title=AuthenticationListener.java}
> @ExceptionHandler
> public class AuthenticationListener {
> @Inject ViewNavigationHandler viewNavigationHandler;
> @Inject ViewConfigResolver viewConfigResolver;
> private Class<? extends ViewConfig> deniedPage;
> public void rememberDeniedView(@BeforeHandles
> ExceptionEvent<ErrorViewAwareAccessDeniedException> evt) {
> deniedPage =
> viewConfigResolver.getViewConfigDescriptor(FacesContext.getCurrentInstance().getViewRoot().getViewId()).getConfigClass();
> evt.handledAndContinue();
> }
> public void handleLoggedIn(@Observes UserLoggedInEvent event) {
> if(deniedPage != null) {
> viewNavigationHandler.navigateTo(deniedPage);
> deniedPage = null;
> }
> viewNavigationHandler.navigateTo(Pages.Home.class);
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
