15.3.6. Handling Security Exceptions
So that users do not receive a basic default error page when a security error occurs, you should edit
pages.xml to redirect users to a more attractive page. The two main exceptions thrown by the security API are:
NotLoggedInException— This exception is thrown when the user attempts to access a restricted action or page when they are not logged in.AuthorizationException— This exception is only thrown if the user is already logged in, and they have attempted to access a restricted action or page for which they do not have the necessary privileges.
In the case of a
NotLoggedInException, we recommend the user be redirected to a login or registration page so that they can log in. For an AuthorizationException, it may be useful to redirect the user to an error page. Here's an example of a pages.xml file that redirects both of these security exceptions:
<pages>
...
<exception class="org.jboss.seam.security.NotLoggedInException">
<redirect view-id="/login.xhtml">
<message>You must be logged in to perform this action</message>
</redirect>
</exception>
<exception class="org.jboss.seam.security.AuthorizationException">
<end-conversation/>
<redirect view-id="/security_error.xhtml">
<message>
You do not have the necessary security privileges to perform this action.
</message>
</redirect>
</exception>
</pages>
Most web applications require more sophisticated handling of login redirection. Seam includes some special functionality, outlined in the following section.
