JBSEAM-1009 is about (if switched on) explicitly setting login-required (and 
restrict) per page or per wildcard in a way that allows a specific page to be 
less restricted than a * site-wide wildcard.  For each (login-required and 
restrict) it picks the most specific page where it is defined and only 
evaluates that one, ignoring less specific wildcards.  Why it is needed, I'll 
explain if asked.

In that context it is insecure if a missing login-required is interpreted as 
login-required="false".

By coincidence, that's what caused the interaction with 954, the mysterious 
afterRender beforeRender.  The problem with afterRender beforeRender could 
occur any time there is no login-required but a restrict, but my work on 1009 
made it happen sooner on my system.

The reasonable workaround I coded this morning and will submit as a 
patch for 1009 hopefully later today is that I now force all DTD public IDs for 
pages.xml and all whatever.page.xml to be the same, so if someone consciously 
switches to the new DTD in pages.xml with #IMPLIED then he won't be able to 
"forget" an old DTD in any whatever.page.xml.  Because that old DTD would cause 
an undesired login-required="false".

I'll be happy to explain it again, but maybe we should have that conversation 
after I've submitted that 3rd version patch to 1009.  I assume you want me to 
run it for some time here before submitting it :)

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4027993#4027993

jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user
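The resolution rule described in the post (most specific page entry that defines an attribute wins, per attribute), the insecure "missing means false" interpretation, and the DTD-public-ID consistency workaround, as an added illustration in Python; this is not Seam's code, and the pages.xml fragment, view-ids and DTD public IDs are constructed examples.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed pages.xml body: the site-wide wildcard requires login, /admin/*
# adds a restrict, and /admin/help.xhtml is deliberately public.
PAGES_XML = """<pages>
  <page view-id="*" login-required="true"/>
  <page view-id="/admin/*" restrict="#{s:hasRole('admin')}"/>
  <page view-id="/admin/help.xhtml" login-required="false"/>
</pages>"""

def load_pages(xml_text):
    """Return [(view-id pattern, {attribute: value})] from a pages.xml body."""
    return [(p.get("view-id"), {k: v for k, v in p.attrib.items() if k != "view-id"})
            for p in ET.fromstring(xml_text).iter("page")]

def resolve(pages, view_id, attr, implied_default=None):
    """Most specific matching entry that defines `attr` wins; less specific
    wildcards are ignored once a value is found.
    implied_default=None models the #IMPLIED DTD: an omitted attribute is
    'not defined' and the lookup falls through to the next wildcard.
    implied_default="false" models the old DTD: an entry that omits
    login-required silently overrides a stricter site-wide wildcard."""
    matches = [(pat, a) for pat, a in pages if fnmatch.fnmatchcase(view_id, pat)]
    # Longest literal prefix first: "/admin/help.xhtml" > "/admin/*" > "*"
    matches.sort(key=lambda m: len(m[0].rstrip("*")), reverse=True)
    for _pat, attrs in matches:
        value = attrs.get(attr, implied_default)
        if value is not None:
            return value
    return None

_DOCTYPE = re.compile(r'<!DOCTYPE\s+\S+\s+PUBLIC\s+"([^"]+)"')

def dtd_public_ids_consistent(documents):
    """True only when every document (pages.xml and each *.page.xml) declares
    the same DTD public ID; `documents` maps file name -> raw XML text.
    Mirrors the workaround of refusing a *.page.xml that kept the old DTD."""
    ids = set()
    for text in documents.values():
        m = _DOCTYPE.search(text)
        if not m:
            return False
        ids.add(m.group(1))
    return len(ids) == 1
```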
