Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 3.1.0.Beta3
    • Fix Version/s: 3.1.0.Beta4
    • Labels:
      None
    • Environment:
      JBoss AS 7.0.2.Final
      Seam 3.1.0.Beta3
    • Steps to Reproduce:
      1. Deploy Seam Security Authorization example
      2. Login as any user

    • Affects:
      Interactive Demo/Tutorial, Compatibility/Configuration

      Description

      Security rules are broken. If you deploy the Seam Security Authorization example and log in, you will see the following error without any exception:

      10:55:11,144 ERROR [org.jboss.weld.Bean] (http-192.168.0.199-192.168.0.199-8080-1) WELD-000019 Error destroying an instance Managed Bean [class org.jboss.seam.security.permission.SecurityRuleProducer] with qualifiers [@Any @Default] of org.jboss.seam.security.permission.SecurityRuleProducer@350510c7

      The consequence is that no security rules (Restrictions) are being invoked after this error occurs.

            Activity

            shane.bryzak Shane Bryzak added a comment -

            I got the example working with the latest snapshot of Seam Faces (it doesn't work with Seam Faces 3.1.0.Beta3).

            oranheim Ove Ranheim added a comment -

            Built Faces from latest head and deployed. The error is still there. Please expand a little when you say it doesn't work with Solder 3.1.0.Beta3. Authorization example deploys just fine.

            oranheim Ove Ranheim added a comment - - edited

            Please find the attached test cases that demonstrate that ViewConfig is broken with regards to SecurityRules.

            See readme.txt for further details.

            It might be that this issue is a Faces issue and not a Security issue.

            oranheim Ove Ranheim added a comment -

            To have correct behavior in SecurityRulesTest, Restrictions.checkGuest(Identity identity) should be changed to:

                public @Secures @Guest boolean checkGuest() {
                    return true;
                }
            

            lightguard Jason Porter added a comment -

            It appears that things are working mostly correctly now. I had to tweak the test though.

            • ViewConfig must be an interface, otherwise none of the annotations on the enums are processed.
            • I think you have an infinite loop as the AccessDenied page contains restrictions so it gets stuck.
            • Removed the expected exception for test testAuthorizedPriveligedAction because it doesn't happen.

            Once I fixed those things then on the last test I get an error when it tries to redirect. I'm actually not sure if this is because Seam Servlet is causing a problem or something else. Please make the above changes and see if you can dig any further.

            oranheim Ove Ranheim added a comment -

            I did a rewrite of the test today and from what I can see, it works just fine.

            • Silly of me to have ViewConfig declared on a class, not an interface. That was of course a bug in the case.
            • Added a catch exception handler for AuthorizationException and now the circle is complete.

            So, we can conclude @ViewConfig works as expected as of Solder/Seam Faces 3.1.0.Beta4.

            However, the extension handling @ViewConfig should throw an exception when used on a class and not on an interface.

            lightguard Jason Porter added a comment -

            It currently logs a warning. An exception is probably better. Create a JIRA or pull request?
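
The two misconfigurations discussed in this thread (@ViewConfig placed on a class so its restrictions are never processed, and an access-denied page that is itself restricted) can be rejected when the configuration is loaded instead of being logged as a warning. The following is an added example, not code from the issue or from Seam: the annotations are local stand-ins, and `Restricted`, `DeniedPage` and `validate` are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.*;

public class ViewConfigCheck {
    // Local stand-ins (assumptions), not the real Seam Faces / Seam Security annotations.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) @interface ViewConfig {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD) @interface ViewPattern { String value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD) @interface Restricted {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD) @interface DeniedPage {}

    // Constructed sample: correct shape, but the access-denied page is itself restricted.
    @ViewConfig interface Pages {
        enum Views {
            @ViewPattern("/admin/*") @Restricted ADMIN,
            @ViewPattern("/denied.xhtml") @Restricted @DeniedPage DENIED
        }
    }

    // Constructed sample: @ViewConfig on a class, the mistake described in the thread.
    @ViewConfig static class BrokenPages {
        enum Views { @ViewPattern("/admin/*") @Restricted ADMIN }
    }

    /** Returns configuration errors; an empty list means the config is safe to load. */
    static List<String> validate(Class<?> config) {
        List<String> errors = new ArrayList<>();
        if (!config.isAnnotationPresent(ViewConfig.class)) return errors;
        if (!config.isInterface())
            errors.add(config.getSimpleName() + ": @ViewConfig on a class, restrictions would be ignored");
        for (Class<?> nested : config.getDeclaredClasses()) {
            if (!nested.isEnum()) continue;
            for (Field f : nested.getDeclaredFields()) {
                if (!f.isEnumConstant()) continue; // skip the compiler-generated values array
                if (f.isAnnotationPresent(DeniedPage.class) && f.isAnnotationPresent(Restricted.class))
                    errors.add(f.getName() + ": access-denied view is restricted, redirect would loop");
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        for (Class<?> c : List.of(Pages.class, BrokenPages.class)) {
            List<String> errors = validate(c);
            // This demo only reports; an extension would fail deployment here
            // so that views are never served with their restrictions silently dropped.
            if (!errors.isEmpty()) System.out.println("REJECT " + c.getSimpleName() + " " + errors);
        }
    }
}
```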


              People

              • Assignee:
                shane.bryzak Shane Bryzak
                Reporter:
                oranheim Ove Ranheim
              • Votes:
                0
                Watchers:
                2