"rjstanford" wrote : ...If they visit "http://theirsite.com/admin";) though, 
even though to the app its a legitimate endpoint, I wish to present them with a 
404 error since its not known to their URL...

I was thinking about how best to do this too for some time, and I really think 
this is useful, not "security by obscurity", because people won't start to 
fiddle with something if they don't know it's there.
More generally speaking: I would like to override the standard reaction upon 
an exception for a specific subset of pages.

Further, I would prefer to do this integrated with Seam security and fully 
configured in pages.xml, instead of manually checking for it as Peter 
described.

So could we please get something like:
<page view-id="/admin/*">
  |         <restrict>#{s:hasRole('admin')}</restrict>
  |         <exception class="org.jboss.seam.security.AuthorizationException">
  |                 <http-error error-code="404"/>
  |         </exception>
  | </page>
One downside might be that one would get a 404 too if one is admin but calls 
some method that requires "superadmin" privileges. On the other hand, if the 
app is designed in a coherent way, this shouldn't happen, because controls for 
which one doesn't have the necessary privileges are usually not shown. Another 
solution might be to override the exception mapping only for page access and 
not for the backend.

So what do you think about this & could this please be added?!

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4035465#4035465

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4035465
_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
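As an added illustration of the "page access only, not the backend" variant discussed in the post (this is not code from the post, from Seam, or from the thread's other participants), the following servlet filter returns the container's ordinary 404 for any request under a hidden prefix when the caller lacks the required role, while leaving method-level authorization exceptions in the backend untouched. The class name `HiddenAreaFilter`, the init-params `hiddenPrefix` and `requiredRole`, and the use of container roles via `isUserInRole` are all assumptions for the example; a Seam deployment would check `Identity.instance().hasRole(...)` at the same point instead.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example; not part of Seam or of the original post).
 *
 * For every request whose path lies under a hidden prefix (e.g. "/admin/"),
 * a caller without the required role receives the container's normal 404
 * page instead of a 401/403, so the area is indistinguishable from a
 * non-existent URL.  Mapped to "/*" in web.xml with the init-params
 * "hiddenPrefix" and "requiredRole" (assumed names).
 */
public class HiddenAreaFilter implements Filter {

    private String hiddenPrefix;   // e.g. "/admin/"
    private String requiredRole;   // e.g. "admin"

    @Override
    public void init(FilterConfig config) {
        hiddenPrefix = config.getInitParameter("hiddenPrefix");
        requiredRole = config.getInitParameter("requiredRole");
        if (hiddenPrefix == null || requiredRole == null) {
            throw new IllegalStateException(
                "init-params hiddenPrefix and requiredRole are required");
        }
        if (!hiddenPrefix.endsWith("/")) {
            hiddenPrefix = hiddenPrefix + "/";
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // servletPath + pathInfo is decoded and normalised by the container,
        // so "/admin/../admin/" or "%2Fadmin" cannot slip past a prefix check
        // the way a raw getRequestURI() comparison could.
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);

        if (isHidden(path) && !request.isUserInRole(requiredRole)) {
            // sendError(404) goes through the container's <error-page> mapping,
            // so the body is exactly what an unknown URL would produce.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True for "/admin" and anything below "/admin/". */
    boolean isHidden(String path) {
        String bare = hiddenPrefix.substring(0, hiddenPrefix.length() - 1);
        return path.equals(bare) || path.startsWith(hiddenPrefix);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Because the check runs on the request path only, an admin who triggers a "superadmin"-only method in the backend still sees whatever the application maps AuthorizationException to, which is the second option the post describes. Two practical caveats: the 404 should carry the same body as a genuine not-found (hence `sendError` rather than a hand-written response), and the filter must be ordered before any other filter or servlet that would reveal the area's existence (a login redirect, for instance).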
