Tynamo

redirect to login page for pages secured with @RequiresXXX annotations

Details

  • Type: Improvement Improvement
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: security-0.3.1, security-0.4.0
  • Fix Version/s: security-0.4.1
  • Component/s: security
  • Labels:
    None
  • Number of attachments :
    0

Description

There is a slightly difference between the way the AuthorizationFilter and AuthenticationFilter redirect to the login page, and the way the ShiroExceptionHandler redirects to the login page.

This means that these two options do not behave exactly in the same way.

1) @RequiresRole("admin") public class Index {
2) configuration.add(factory.createChain("/").add(factory.roles(),"admin").build());

The option number 2 uses WebUtils.issueRedirect and returns a 301 redirect_ pointing to the login page to the client.

The @RequiresRole("admin") annotation uses the ShiroExceptionHandler and does an "internal" tapestry redirect to the login page. That is it will not return a 301 redirect to the login page and it won't change the original "window.location". This creates some difficulties when working with SSL and it's the root cause of the issue explained in TYNAMO-103.

Issue Links

relates to

Bug - A problem which impairs or prevents the functions of the product. TYNAMO-103 @Security, tapestry.secure-enabled, MetaDataConstants.SECURE_PAGE not honored by Tapestry security

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Alejandro Scandroli added a comment -

Changed the ShiroExceptionHandler to use WebUtils.issueRedirect

Show
Alejandro Scandroli added a comment - Changed the ShiroExceptionHandler to use WebUtils.issueRedirect
Hide
Permalink
Kalle Korhonen added a comment -

This resulted in major refactoring. We also needed to handle localization and the exception causes, so figured the best way to fully fix this is to enhance exceptionpage module and use it as security's dependency. This is implemented barring proper documentation.

Show
Kalle Korhonen added a comment - This resulted in major refactoring. We also needed to handle localization and the exception causes, so figured the best way to fully fix this is to enhance exceptionpage module and use it as security's dependency. This is implemented barring proper documentation.
Hide
Permalink
Alejandro Scandroli added a comment -

Great! Kalle, thanks!

Show
Alejandro Scandroli added a comment - Great! Kalle, thanks!

People

  • Assignee:
    Kalle Korhonen
    Reporter:
    Alejandro Scandroli
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: