EXTCDI-296 allow redirects to the error-view in case of security-violations
git-svn-id: https://svn.apache.org/repos/asf/myfaces/extensions/cdi/trunk@1353048 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/jee-modules/jsf-module/api/src/main/java/org/apache/myfaces/extensions/cdi/jsf/api/config/JsfModuleConfig.java b/jee-modules/jsf-module/api/src/main/java/org/apache/myfaces/extensions/cdi/jsf/api/config/JsfModuleConfig.java
index 717cc98..78af201 100644
--- a/jee-modules/jsf-module/api/src/main/java/org/apache/myfaces/extensions/cdi/jsf/api/config/JsfModuleConfig.java
+++ b/jee-modules/jsf-module/api/src/main/java/org/apache/myfaces/extensions/cdi/jsf/api/config/JsfModuleConfig.java
@@ -78,4 +78,16 @@
{
return true;
}
+
+ /**
+ * Per default the current view gets replaced with the error-view (in case of a security-violation).
+ * For using a redirect it's needed to return true and using Page.NavigationMode.REDIRECT for @Page of the
+ * error-view-config.
+ * @return true if the navigation-handler should be used in case of a security-violation, false otherwise
+ */
+ @ConfigEntry
+ public boolean isAlwaysUseNavigationHandlerOnSecurityViolation()
+ {
+ return false;
+ }
}
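Review bot: The name `isAlwaysUseNavigationHandlerOnSecurityViolation` and its `@return` text promise more than the handler delivers. In the SecurityAwareViewHandler hunk of this commit the navigation handler is used only when the error view is also configured with `Page.NavigationMode.REDIRECT`, and every other case still replaces the current view. The Javadoc should state both conditions and the fallback, for example `@return true to let the navigation-handler perform the redirect when the error-view uses Page.NavigationMode.REDIRECT; false (default) to always replace the current view`. The class body starts outside the hunk.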
diff --git a/jee-modules/jsf-module/impl/src/main/java/org/apache/myfaces/extensions/cdi/jsf/impl/security/SecurityAwareViewHandler.java b/jee-modules/jsf-module/impl/src/main/java/org/apache/myfaces/extensions/cdi/jsf/impl/security/SecurityAwareViewHandler.java
index c22527c..97155cf 100644
--- a/jee-modules/jsf-module/impl/src/main/java/org/apache/myfaces/extensions/cdi/jsf/impl/security/SecurityAwareViewHandler.java
+++ b/jee-modules/jsf-module/impl/src/main/java/org/apache/myfaces/extensions/cdi/jsf/impl/security/SecurityAwareViewHandler.java
@@ -25,6 +25,8 @@
import org.apache.myfaces.extensions.cdi.core.api.security.AccessDeniedException;
import org.apache.myfaces.extensions.cdi.core.impl.util.ClassDeactivation;
import org.apache.myfaces.extensions.cdi.core.impl.util.CodiUtils;
+import org.apache.myfaces.extensions.cdi.jsf.api.config.JsfModuleConfig;
+import org.apache.myfaces.extensions.cdi.jsf.api.config.view.Page;
import org.apache.myfaces.extensions.cdi.jsf.api.config.view.ViewConfigDescriptor;
import org.apache.myfaces.extensions.cdi.jsf.impl.config.view.ViewConfigCache;
import org.apache.myfaces.extensions.cdi.jsf.impl.config.view.spi.EditableViewConfigDescriptor;
@@ -109,8 +111,23 @@
}
catch (AccessDeniedException accessDeniedException)
{
- Class<? extends ViewConfig> errorView =
- SecurityUtils.handleSecurityViolationWithoutNavigation(accessDeniedException);
+ Class<? extends ViewConfig> errorView;
+
+ ViewConfigDescriptor errorViewDescriptor =
+ ViewConfigCache.getViewConfigDescriptor(accessDeniedException.getErrorView());
+
+ if (errorViewDescriptor != null &&
+ errorViewDescriptor.getNavigationMode() == Page.NavigationMode.REDIRECT &&
+ CodiUtils.getContextualReferenceByClass(this.beanManager, JsfModuleConfig.class)
+ .isAlwaysUseNavigationHandlerOnSecurityViolation())
+ {
+ SecurityUtils.tryToHandleSecurityViolation(accessDeniedException);
+ errorView = errorViewDescriptor.getViewConfig();
+ }
+ else
+ {
+ errorView = SecurityUtils.handleSecurityViolationWithoutNavigation(accessDeniedException);
+ }
return this.wrapped.createView(context, ViewConfigCache.getViewConfigDescriptor(errorView).getViewId());
}
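Review bot: The `createView` call that closes the catch block dereferences `ViewConfigCache.getViewConfigDescriptor(errorView)` without a null check, although the new condition above treats a null result from the same lookup as possible (`errorViewDescriptor != null`). If the else branch is taken because no descriptor was found, and the view returned by `handleSecurityViolationWithoutNavigation` also has no descriptor (not visible here), the access-denied path ends in a NullPointerException rather than a controlled error view. Resolve the descriptor once into a local, e.g. `ViewConfigDescriptor target = ViewConfigCache.getViewConfigDescriptor(errorView);`, and fail explicitly when it is null, so a denied request can never fall through to an unhandled exception page. In the redirect branch the view is still created after `SecurityUtils.tryToHandleSecurityViolation(...)`; if that call already triggers the navigation, a short comment saying why the view is still needed would help the next reader. The enclosing method starts above the hunk.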