[ https://issues.jboss.org/browse/SEAMFACES-209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12629830#comment-12629830 ]

Nicklas Karlsson edited comment on SEAMFACES-209 at 9/22/11 6:19 AM:
---------------------------------------------------------------------

Also, the if-check regarding whether forwarding is possible or not is probably 
faulty since I'm able to do a 

{code}
        public void bad(@Observes NotAuthorizedEvent e)
        {
                navigationHandler.handleNavigation(facesContext, null, "/accessdenied?faces-redirect=true");
                facesContext.responseComplete();
        }
{code}

and it works.

      was (Author: nickarls):
    Also, the if-check regarding whether forwarding is possible or not is 
probably faulty since I'm able to do a 

        public void bad(@Observes NotAuthorizedEvent e)
        {
                navigationHandler.handleNavigation(facesContext, null, "/accessdenied?faces-redirect=true");
                facesContext.responseComplete();
        }

and it works.
  
> Security integration shows denied pages
> ---------------------------------------
>
>                 Key: SEAMFACES-209
>                 URL: https://issues.jboss.org/browse/SEAMFACES-209
>             Project: Seam Faces
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 3.1.0.Beta2
>            Reporter: Nicklas Karlsson
>
> I have a @ViewConfig and security annotated page that fails the auth check 
> but the code in SecurityPhaseListener
>     private void redirectToAccessDeniedView(FacesContext context, UIViewRoot viewRoot) {
>         // If a user has already done a redirect and rendered the response (possibly in an observer) we cannot do this output
>         if (!(context.getResponseComplete() || context.getRenderResponse())) {
> quietly fails the check and then proceeds to render the page. It should 
> perhaps throw an exception or take some other actions to at least deny the 
> page.
> In an unrelated note, I can't see where response output would be produced 
> since I just edited the browser url and pointed it at a forbidden page...
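
A fail-closed way to handle the denial described in the issue, as an added example that is not Seam Faces code and not part of the original message. The class and method names are hypothetical, and it assumes the JSF 2.0 `javax.faces` API; the key difference from the quoted check is that `getRenderResponse()` alone does not skip the denial.

```java
import java.io.IOException;
import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/** Hypothetical helper (not Seam Faces code): deny a view without falling through to rendering. */
public final class FailClosedDenial {

    private static final int SC_FORBIDDEN = 403;

    private FailClosedDenial() {}

    /**
     * Call when the authorization check for the current view has failed.
     * Every path out of this method leaves the response completed, so the
     * lifecycle cannot go on to render the denied view.
     */
    public static void deny(FacesContext context) {
        // responseComplete means something (for example an observer that already
        // redirected) has produced the response; Render Response will be skipped.
        if (context.getResponseComplete()) {
            return;
        }
        // getRenderResponse() is deliberately NOT treated as "already handled":
        // it only means the lifecycle will jump to Render Response, which would
        // render the view that was just denied.
        ExternalContext external = context.getExternalContext();
        if (external.isResponseCommitted()) {
            // Too late to replace the output: stop the lifecycle and surface the failure.
            context.responseComplete();
            throw new FacesException("Access denied after the response was committed");
        }
        try {
            external.responseReset(); // discard anything buffered so far
            external.responseSendError(SC_FORBIDDEN, "Access denied");
        } catch (IOException e) {
            throw new FacesException("Could not send the access-denied response", e);
        } finally {
            // Runs on success and on failure: the protected view is never rendered.
            context.responseComplete();
        }
    }
}
```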
