15.3.6. Handling Security Exceptions
So that users do not receive a basic default error page when a security error occurs, you should edit pages.xml to redirect users to a more attractive page. The two main exceptions thrown by the security API are:
NotLoggedInException — This exception is thrown when the user attempts to access a restricted action or page when they are not logged in.
AuthorizationException — This exception is only thrown if the user is already logged in, and they have attempted to access a restricted action or page for which they do not have the necessary privileges.
In the case of a NotLoggedInException, we recommend the user be redirected to a login or registration page so that they can log in. For an AuthorizationException, it may be useful to redirect the user to an error page. Here's an example of a pages.xml file that redirects both of these security exceptions:
    <pages>
        ...
        <exception class="org.jboss.seam.security.NotLoggedInException">
            <redirect view-id="/login.xhtml">
                <message>You must be logged in to perform this action</message>
            </redirect>
        </exception>
        <exception class="org.jboss.seam.security.AuthorizationException">
            <end-conversation/>
            <redirect view-id="/security_error.xhtml">
                <message>
                    You do not have the necessary security privileges to perform this action.
                </message>
            </redirect>
        </exception>
    </pages>
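As an added check, not part of Seam or of this documentation, the following Python script reads the <exception> rules from a pages.xml file, builds the mapping from exception class to redirect rule (target view-id, message, whether the conversation is ended), and reports which of the two security exceptions has no redirect configured. The sample document is the configuration shown above, embedded inline so the script runs offline; Seam itself applies these rules at runtime, this script only reads the file. It matches elements by local name so that a file declaring a default XML namespace is handled the same way as one without it.

```python
"""Added example: read the <exception> rules from a Seam pages.xml and check
that both security exceptions are redirected. Stand-alone helper, not part of
Seam; Seam's own exception handler applies these rules at runtime."""
import xml.etree.ElementTree as ET

# Constructed sample: the same two rules shown on this page, embedded inline.
PAGES_XML = """<pages>
  <exception class="org.jboss.seam.security.NotLoggedInException">
    <redirect view-id="/login.xhtml">
      <message>You must be logged in to perform this action</message>
    </redirect>
  </exception>
  <exception class="org.jboss.seam.security.AuthorizationException">
    <end-conversation/>
    <redirect view-id="/security_error.xhtml">
      <message>
        You do not have the necessary security privileges to perform this action.
      </message>
    </redirect>
  </exception>
</pages>"""

# The two exceptions the security API raises, as named on this page.
SECURITY_EXCEPTIONS = (
    "org.jboss.seam.security.NotLoggedInException",
    "org.jboss.seam.security.AuthorizationException",
)


def _local(tag):
    """Strip a '{namespace}' prefix so namespaced and plain files look alike."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child of elem whose local tag name is `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def parse_exception_rules(xml_text):
    """Return {exception class: rule} for every <exception class="..."> element.

    A rule records the redirect view-id, the whitespace-normalised message
    text, and whether <end-conversation/> is present.
    """
    root = ET.fromstring(xml_text)
    rules = {}
    for exc in root.iter():
        if _local(exc.tag) != "exception":
            continue
        cls = exc.get("class")
        if cls is None:
            continue  # catch-all rule without a class attribute; not a security rule
        redirect = _child(exc, "redirect")
        message = _child(redirect, "message") if redirect is not None else None
        rules[cls] = {
            "view_id": redirect.get("view-id") if redirect is not None else None,
            "message": " ".join(message.text.split())
            if message is not None and message.text else None,
            "end_conversation": _child(exc, "end-conversation") is not None,
        }
    return rules


def redirect_for(rules, exception_class):
    """Rule for a fully qualified exception class name, or None if unmapped."""
    return rules.get(exception_class)


def missing_security_redirects(rules):
    """Security exceptions that would still fall through to the default error page."""
    return [c for c in SECURITY_EXCEPTIONS
            if c not in rules or rules[c]["view_id"] is None]


if __name__ == "__main__":
    rules = parse_exception_rules(PAGES_XML)
    for cls, rule in rules.items():
        suffix = " (ends conversation)" if rule["end_conversation"] else ""
        print(f"{cls} -> {rule['view_id']}{suffix}")
    print("missing redirects:", missing_security_redirects(rules))
```

Run against a deployed pages.xml, an empty "missing redirects" list confirms that neither security exception will surface as the container's default error page.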
Most web applications require more sophisticated handling of login redirection. Seam includes some special functionality, outlined in the following section.