[EMAIL PROTECTED] wrote:

Ben,

I am still having problems getting messages to the forum... Anyways, here
is my latest issue if you could please put it into the forum, and maybe
give advice ;).

---------------------------

I am having a problem when using basic authentication and my own
authentication DAO implementation. I am attempting to interface using
Hibernate to the database for authentication which works fine. I was
using an InMemoryDaoImpl to do testing with. The InMemoryDaoImpl allows
me to authenticate correctly, and when the user does not have the required
role an AccessDeniedException is thrown, which I can handle with no
problem. When I switched to the Hibernate DAO implementation I can
authenticate with no problem, but when access cannot be granted to a
resource I get a 403 HTTP error. I really want my custom DAO
implementation to react the same as the InMemoryDaoImpl and throw the
AccessDeniedException.


I'm not sure why this is happening. Both DAOs should simply provide a UserDetails to the DaoAuthenticationProvider, which constructs an Authentication object if a valid authentication request was received. Therefore there should be no difference at the authorization stage, unless the created Authentication object is different. I'm tipping your Hibernate DAO implementation is not adding the same GrantedAuthority[]s to the UserDetails as the InMemoryDaoImpl is. I'd add some logging to your Hibernate DAO to see what the returned UserDetails actually contains.

I tried to subclass
net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter such that it
would throw an AccessDeniedException instead of returning a 403, however
this did not work. I replaced the securityEnforcement filter to use the
subclass that I created and updated the web.xml to use this as well. Any
suggestions on using the AccessDeniedException with basic authentication
would be appreciated. I need this because I am using a Flash client
and I need to handle an exception/fault at this time instead of an HTTP
error code.

403 gets sent in the event of an AccessDeniedException. Alternatively, if it's an AuthenticationException, the AuthenticationEntryPoint gets commenced. You'll probably use BasicProcessingFilterEntryPoint which sends a 401 to request the browser to retry with a BASIC authentication header.

I'm really thinking your Hibernate DAO is simply failing to populate the GrantedAuthority[]s of the UserDetails implementation (in most cases User), which is why you're getting AccessDeniedExceptions in the first place. However, I've just checked in a change to SecurityEnforcementFilter so there is a sendAccessDeniedError protected method you can override in a subclass if required.

Best regards
Ben
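As an added illustration of the check Ben suggests (this is example code, not code from the thread or from Acegi Security itself): a Hibernate-backed AuthenticationDao that maps every role of the loaded user to a GrantedAuthorityImpl and logs what it returns, so an empty authority array shows up in the log before it shows up as a 403. The `AppUser`/`AppRole` entity classes, their getters and the HQL query are assumptions; the Acegi package names follow the 0.x layout referenced in the thread, and the `User` constructor arity may differ between Acegi versions.

```java
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.dao.AuthenticationDao;
import net.sf.acegisecurity.providers.dao.User;
import net.sf.acegisecurity.providers.dao.UsernameNotFoundException;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.dao.DataAccessException;
import org.springframework.orm.hibernate.support.HibernateDaoSupport;

/** Hypothetical Hibernate AuthenticationDao; AppUser and AppRole are assumed mapped entities. */
public class HibernateAuthenticationDao extends HibernateDaoSupport implements AuthenticationDao {
    private static final Log log = LogFactory.getLog(HibernateAuthenticationDao.class);

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        // Assumed HQL against an assumed AppUser entity with a "roles" collection.
        List users = getHibernateTemplate().find("from AppUser u where u.username = ?", username);
        if (users.isEmpty()) {
            throw new UsernameNotFoundException("No user named " + username);
        }
        AppUser appUser = (AppUser) users.get(0);

        // The step the thread is about: each role must become a GrantedAuthority.
        // If this array stays empty, authentication still succeeds but every
        // secured resource is denied, which SecurityEnforcementFilter reports as 403.
        List roles = appUser.getRoles();
        GrantedAuthority[] authorities = new GrantedAuthority[roles.size()];
        int i = 0;
        for (Iterator it = roles.iterator(); it.hasNext(); i++) {
            AppRole role = (AppRole) it.next();
            authorities[i] = new GrantedAuthorityImpl(role.getName()); // e.g. "ROLE_SUPERVISOR"
        }
        if (authorities.length == 0) {
            log.warn("User " + username + " loaded with no authorities; all secured URLs will be denied");
        }
        log.debug("Loaded " + username + " with authorities " + Arrays.asList(authorities));

        // Same UserDetails shape the InMemoryDaoImpl hands to DaoAuthenticationProvider.
        return new User(appUser.getUsername(), appUser.getPassword(), appUser.isEnabled(), authorities);
    }
}
```

Compare the logged authority list against the roles the InMemoryDaoImpl configuration granted the same user; a mismatch there explains a 403 without touching the filter.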
_______________________________________________
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer