You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@deltaspike.apache.org by "Gerhard Petracek (JIRA)" <ji...@apache.org> on 2014/11/17 18:59:35 UTC

[jira] [Updated] (DELTASPIKE-749) Doc: Security: Making intitially requested and secured page available for redirect after login

     [ https://issues.apache.org/jira/browse/DELTASPIKE-749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gerhard Petracek updated DELTASPIKE-749:
----------------------------------------
    Fix Version/s: 1.1.1

> Doc: Security: Making intitially requested and secured page available for redirect after login
> ----------------------------------------------------------------------------------------------
>
>                 Key: DELTASPIKE-749
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-749
>             Project: DeltaSpike
>          Issue Type: Bug
>          Components: Documentation
>            Reporter: Ron Smeral
>            Priority: Minor
>             Fix For: 1.1.1
>
>
> http://deltaspike.apache.org/documentation/security.html#_making_intitially_requested_and_secured_page_available_for_redirect_after_login
> In _CDI Implementation to redirect the login to the first denied page_:
> * change Usuario to User
> * why use {{char[]}} for password? Is that some security measure, to prevent interned Strings of passwords hanging around in memory? If so, that should be noted, otherwise it should be changed to String, it's confusing. 
> In CDI and PL implementations: 
> * -the AdminAccessDecisionVoter should implement AccessDecisionVoter, not extend AbstractAccessDecisionVoter-
> * I think the {{AdminAccessDecisionVoter}} should be agnostic of the view layer and therefore shouldn't inject {{ViewConfigResolver}} and shouldn't keep the denied page itself.
> Maybe the listener could handle the {{AccessDeniedException}} instead:
> Basic voter:
> {code:java|title=AdminAccessDecisionVoter.java}
> @SessionScoped //or @WindowScoped
> public class AdminAccessDecisionVoter extends AbstractAccessDecisionVoter {
>     @Override
>     protected void checkPermission(AccessDecisionVoterContext context, Set<SecurityViolation> violations) {
>         // voting stuff
>     }
> }
> {code}
> The listener/holder/handler:
> {code:java|title=AuthenticationListener.java}
> @ExceptionHandler
> public class AuthenticationListener {
>     @Inject ViewNavigationHandler viewNavigationHandler;
>     @Inject ViewConfigResolver viewConfigResolver;
>     private Class<? extends ViewConfig> deniedPage;
>     public void rememberDeniedView(@BeforeHandles ExceptionEvent<ErrorViewAwareAccessDeniedException> evt) {
>         deniedPage = viewConfigResolver.getViewConfigDescriptor(FacesContext.getCurrentInstance().getViewRoot().getViewId()).getConfigClass();
>         evt.handledAndContinue();
>     }
>     public void handleLoggedIn(@Observes UserLoggedInEvent event) {
>         if(deniedPage != null) {
>             viewNavigationHandler.navigateTo(deniedPage);
>             deniedPage = null;
>         }
>         viewNavigationHandler.navigateTo(Pages.Home.class);
>     }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)