onActivate not called / Ajax / Shiro


onActivate not called / Ajax / Shiro

Jens Breitenstein
Hi all!

I have a strange problem and maybe one of you can give me a hint...

Basically I have a table and each individual <tr> forms its own zone
and can be replaced independently from each other by an eventlink (works
perfectly).
Next I added @RequiresPermissions("MyPermission:modify") on the
event-callback method to limit access. In case a user does not have the
required permissions Shiro correctly identifies it and throws an
OperationException("Subject does not have permission"), perfect too.
Unfortunately there is no redirect to the "Unauthorized" page but
instead the page is rendered in the "ajax dialog box" (which tapestry
shows in case of problems/errors).

From the stacktrace I see
"SecurityExceptionHandlerAssistant.handleRequestException" is called to
retrieve the page name to show ("Unauthorized"). Unfortunately there is
no redirect to the page but instead "renderer.renderPageResponse(page)"
is called and surprisingly "onActivate" of my "Unauthorized" page is not
called at all.

Any idea what happens and how to solve it?


Jens



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: onActivate not called / Ajax / Shiro

lprimak
I don't think Tapestry-Security works for Ajax requests.
I think it's geared more toward blocking access to pages for initial load.
How can you have AJAX requests for a page that's not authorized?
Also, in Tapestry 5.4, this should be handled properly by the way T5.4 handles JavaScript.

onActivate isn't getting called because Tapestry-Security / Shiro intercepts it (and denies its permission)
before onActivate ever gets called.

On Oct 27, 2013, at 8:55 AM, Jens Breitenstein wrote:

> Hi all!
>
> I have a strange problem and maybe one of you can give me a hint...
>
> Basically I have a table and each individual <tr> forms it's own zone and can be replaced independently from each other by an eventlink (works perfectly).
> Next I added @RequiresPermissions("MyPermission:modify") on the event-callback method to limit access. In case an user does not have the required permissions Shiro correctly identfies it and throws an OperationException("Subject does not have permission"), perfect too. Unfortunately there is no redirect to the "Unauthorized" page but instead the page is rendered in the "ajax dialog box" (which tapestry shows in case of problems/errors).
>
> From the stacktrace I see "SecurityExceptionHandlerAssistant.handleRequestException" is called to retrieve the page name to show ("Unauthorized"). Unfortunately there is no redirect to the page but instead "renderer.renderPageResponse(page)" is called and surprisingly "onActivate" of my "Unauthorized" page is not called at all.
>
> Any idea what happens and how to solve it?
>
>
> Jens
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>



Re: onActivate not called / Ajax / Shiro

Jens Breitenstein
Hi Lenny

Thanks for your answer. I guess my description was somehow incomplete...

OnActivate from the "unauthorized" page is not called, that's surprising to me.

The user has permission to view the page in general but misses certain functionality permissions triggered by event callback methods. My initial failure was to show such event links at all, but that's a different story...

Nevertheless it's still possible to enter such a link URL directly in the browser, but luckily in this case everything works as expected (redirect to "unauthorized" page and onActivate from the unauthorized page gets called).

As the only difference is "zone/ajax" related, I guess shiro does not handle XHR requests correctly when rendering/redirecting, but this is just an assumption. I have to dig deeper in the shiro source.

Jens

Sent from my iPhone

> On 27.10.2013 at 14:44, Lenny Primak <[hidden email]> wrote:


Re: onActivate not called / Ajax / Shiro

lprimak
I do believe your assumption is correct.

> On Oct 28, 2013, at 2:51 AM, "[hidden email]" <[hidden email]> wrote:


Re: onActivate not called / Ajax / Shiro

Thiago H de Paula Figueiredo
On Sun, 27 Oct 2013 11:44:42 -0200, Lenny Primak <[hidden email]>  
wrote:

> I don't think Tapestry-Security works for Ajax requests.
> I think it's geared more of blocking access to pages for initial load.

I wouldn't say that before checking the source first.

> How can you have AJAX requests for a page that's not authorized?
> Also, in Tapestry 5.4, this should be handled properly by way T5.4  
> handles JavaScript.

I'm not following you.

> onActivate isn't getting called because Tapestry-Security / Shiro  
> intercepts it (and denies it's permission)
> before onActivate ever gets called.

The statement above would make me think that Tapestry-Security does work  
for AJAX requests too, as onActivate() is invoked for every request for  
the page, render or action.

--
Thiago H. de Paula Figueiredo
Tapestry, Java and Hibernate consultant and developer
http://machina.com.br


Re: onActivate not called / Ajax / Shiro

lprimak

On Oct 28, 2013, at 8:09 AM, Thiago H de Paula Figueiredo wrote:

> On Sun, 27 Oct 2013 11:44:42 -0200, Lenny Primak <[hidden email]> wrote:
>
>> I don't think Tapestry-Security works for Ajax requests.
>> I think it's geared more of blocking access to pages for initial load.
>
> I wouldn't say that before checking the source first.

I say this because I had to work around this issue.
Tapestry-Security will return a full page (Unauthorized) which would result in a pop-up exception.

Let me elaborate.

Let's say you go to a page, and it requires authentication.  
You authenticate, you are in.  Great.

Now the page is in the browser for long enough for session to expire.
You are no longer authenticated.  Now you click Ajax request.
Tapestry-Security will redirect you to an Unauthorized page in this case.
This isn't done correctly, i.e. via full page redirect.  Tapestry 5.3 does not handle
this case correctly, i.e. a pop-up exception instead of a redirect.

I actually have a workaround for this in the FlowLogix library, via the @AJAX annotation.

>
>> How can you have AJAX requests for a page that's not authorized?
>> Also, in Tapestry 5.4, this should be handled properly by way T5.4 handles JavaScript.
>
> I'm not following you.

Tapestry 5.4 handles JavaScript errors better, so this issue doesn't exist in T5.4

>
>> onActivate isn't getting called because Tapestry-Security / Shiro intercepts it (and denies it's permission)
>> before onActivate ever gets called.
>
> The statement above would make me think that Tapestry-Security does work for AJAX requests too, as onActivate() is invoked for every request for the page, render or action.

The way the Tapestry-Security filter is set up is that it prevents any page calls if it's not authorized, Ajax or not.
This is the correct behavior.


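An added example (my own, not code from tapestry-security, Shiro or the FlowLogix library) of one way to handle the Ajax case Lenny describes: a decorator on Tapestry's RequestExceptionHandler that, for XHR requests denied by Shiro, answers with Tapestry's own JSON `redirectURL` reply instead of rendering the whole Unauthorized page into the zone response. It assumes Tapestry 5.3 service APIs and a page named Unauthorized as in the thread.

```java
import java.io.IOException;
import java.io.PrintWriter;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.tapestry5.Link;
import org.apache.tapestry5.json.JSONObject;
import org.apache.tapestry5.services.PageRenderLinkSource;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestExceptionHandler;
import org.apache.tapestry5.services.Response;

// Decorator for Tapestry's RequestExceptionHandler: on an XHR (zone) request that failed
// with a Shiro authorization error, send Tapestry's JSON {"redirectURL": ...} reply so the
// browser navigates to the Unauthorized page; everything else goes to the original handler.
public class XhrAuthorizationExceptionHandler implements RequestExceptionHandler {
    private static final String UNAUTHORIZED_PAGE = "Unauthorized"; // page name from the thread
    private final RequestExceptionHandler delegate;
    private final Request request;
    private final Response response;
    private final PageRenderLinkSource linkSource;

    public XhrAuthorizationExceptionHandler(RequestExceptionHandler delegate, Request request,
                                            Response response, PageRenderLinkSource linkSource) {
        this.delegate = delegate;
        this.request = request;
        this.response = response;
        this.linkSource = linkSource;
    }

    public void handleRequestException(Throwable exception) throws IOException {
        if (request.isXHR() && isAuthorizationFailure(exception)) {
            Link target = linkSource.createPageRenderLink(UNAUTHORIZED_PAGE);
            JSONObject reply = new JSONObject();
            reply.put("redirectURL", target.toAbsoluteURI());
            // Status stays 200: a 4xx would make the client open its error dialog instead.
            PrintWriter writer = response.getPrintWriter("application/json;charset=UTF-8");
            writer.print(reply.toString());
            writer.close();
            return;
        }
        delegate.handleRequestException(exception); // non-Ajax: the existing full-page redirect
    }

    // tapestry-security wraps Shiro's exception (the thread shows an OperationException),
    // so walk the cause chain rather than testing only the outermost type.
    private static boolean isAuthorizationFailure(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause())
            if (c instanceof AuthorizationException) return true;
        return false;
    }
}
```

Register it from the application module with a decorator method named `decorateRequestExceptionHandler` (Tapestry IoC matches the service id from the method name) that returns this class wrapping the injected delegate.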

Re: onActivate not called / Ajax / Shiro

Andreas Fink
Hi Jens

On Oct 28, 2013, at 19:44, Lenny Primak wrote:

...

>> The statement above would make me think that Tapestry-Security does work for AJAX requests too, as onActivate() is invoked for every request for the page, render or action.
>
> The way Tapestry-Securitiy filter is set up is that it prevents any page calls if it's not authorized, Ajax or not.
> This is the correct behavior.

In cases like this an "AJAX ping" can help you keep the session alive.
Something along the lines of this: http://stackoverflow.com/a/12597339


Cheers,
Andi.

Re: onActivate not called / Ajax / Shiro

lprimak
FlowLogix library also has a couple of solutions to deal with this:

@AJAX annotation
http://code.google.com/p/flowlogix/wiki/TLAJAXAnnotation
that will redirect to the login screen if the session has expired (among other things)

and the SessionMonitor component http://code.google.com/p/flowlogix/wiki/TLSessionMonitor

On Oct 30, 2013, at 3:56 AM, Andreas Fink wrote:

> Hi Jens
>
> On Oct 28, 2013, at 19:44 , Lenny Primak wrote:
>
> ...
>
>>> The statement above would make me think that Tapestry-Security does work for AJAX requests too, as onActivate() is invoked for every request for the page, render or action.
>>
>> The way Tapestry-Securitiy filter is set up is that it prevents any page calls if it's not authorized, Ajax or not.
>> This is the correct behavior.
>
> In cases like this an "AJAX ping" can help you keep the session alive.
> Something along the lines of this: http://stackoverflow.com/a/12597339
>
>
> Cheers,
> Andi.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

