I managed to answer this one myself, by trolling the Internet and
reading
the Acegi source. The final answer was to create a
RESTfulDefinitionSource.
I used Spring constructor injection to load in the "security
patterns":
<bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecur
ityInterceptor">
<property name="authenticationManager"
ref="authenticationManager"/>
<property name="accessDecisionManager">
<ref local="httpRequestAccessDecisionManager"/>
</property>
<property name="objectDefinitionSource"
ref="filterDefinitionMap" />
</bean>
<bean id="filterDefinitionMap"
class="com.homeaway.hcdata.utils.acegi.RESTfulDefi
nitionSource" >
<constructor-arg type="java.lang.String" >
<value>
/**:GET=ROLE_READER
/**:PUT,DELETE,POST=ROLE_WRITER
</value>
</constructor-arg>
</bean>
The easiest thing was to then delegate within
RESTfulDefinitionSource to a
RESTfulPathBasedFilterInvocationDefinitionMap, which is
essentially a clone of the
PathBasedFilterInvocationDefinitionMap. (But one that takes
into account Http Methods). I would have liked to extend
PathBasedFilterInvocationDefinitionMap, but it is basically
not friendly to subclassing. Although I followed the logic of
that class
almost exactly so that I could be sure that I got things wired
correctly.
It seems that Acegi might consider this form as the default form??
So that patterns like this
/**=ROLE_SUPERVISOR
default to "all methods". But patterns like this are also
acceptable;
/**:PUT,DELETE,POST=ROLE_SUPERVISOR
It could be entirely backwards compatible. And Acegi would then
support
REST!!
You might also consider refactoring the
org.acegisecurity.intercept.web
package. It doesn't lend itself well to extension or variation.
Thanks,
-- Chris
On Aug 21, 2007, at 9:20 PM, Chris Berry wrote:
Unfortunately, this package isn't well suited for extension.
I could extend PathBasedFilterInvocationDefinitionMap
but since it provides no way to access requestMap & pathMatcher
I had to duplicate all of that code.
But I could workaround that, what I don't see is how to get
around the
FilterInvocationDefinitionSourceEditor
I want to be able to do something like this:
<bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"
ref="authenticationManager"/>
<property name="accessDecisionManager">
<ref local="httpRequestAccessDecisionManager"/>
</property>
<property name="objectDefinitionSource"
ref="filterDefinitionMap" />
</bean>
<bean id="filterDefinitionMap"
class="com.homeaway.hcdata.utils.acegi.RESTfulPathBasedFilterInvocat
ionDefinitionMap"
<property name="objectDefinitionSource" >
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=ROLE_SUPERVISOR
</value>
</property>
</bean>
But I don't see how to accomplish it??
Must I extend FilterInvocationDefinitionSourceEditor ??
I'm no Spring expert, so I'm unclear how the Property Editors get
wired
in...
Thanks,
-- Chris
On Aug 21, 2007, at 7:10 PM, Brian Moseley wrote:
On 8/21/07, Chris Berry <[EMAIL PROTECTED]> wrote:
Anyway, AFAICT, the solution is to provide a custom
FilterInvocationDefinitionSource
I plan to extend PathBasedFilterInvocationDefinitionMap.
[...]
sure, that looks good to me, with the following caveat:
to support http-based protocols that extend the basic method set,
like
webdav with its PROPFIND, PROPPATCH, MKCOL, LOCK etc, and to keep
mapping files brief, it might be handy to be able to configure named
sets of methods on the FilterInvocationDefinitionSource.
perhaps
something like this:
<property name="readMethods"
value="GET,HEAD,OPTIONS,PROPFIND"/>
<property name="writeMethods"
value="POST,PUT,DELETE,PROPPATCH,LOCK"/>
and:
/foo/bar.html:READ_METHODS,WRITE_METHODS=ROLE_FOO
/secure/*:READ_METHODS=ROLE_BAR
/account/something=ROLE_BAR
--------------------------------------------------------------------
-----
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a
browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
S'all good --- [EMAIL PROTECTED]
S'all good --- [EMAIL PROTECTED]
--------------------------------------------------------------------
-----
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a
browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer