Karel Miarka wrote:

Ben,

You are completely right, but my filter solves one important problem
regarding Tapestry: The current SecurityEnforcementFilter doesn't allow the
login page to be at the same place as the protected pages and because in
Tapestry all the pages are accessed using app?service=page/PageName, so it is
a problem. My filter is suitable for applications where all the pages should
be protected except the login page.

That would be nice if the SecurityEnforcementFilter could be made to run only
once and solve the cyclic problem when the login page is inside the protected
area. But because it sends the redirect it is not enough to use the
FILTER_APPLIED flag :(


(cc: Developer list so there's some history)

How about this for an approach....

We change the AuthenticationEntryPoint.commence argument to also take a FilterChain, i.e. not just ServletRequest and ServletResponse. Then SecurityEnforcementFilter can be configured to secure all requests (i.e. *). It will delegate to FilterSecurityInterceptor, which in turn delegates to its superclass, AbstractSecurityInterceptor, which then finds nothing in the ContextHolder and throws AuthenticationCredentialsNotFoundException, which is then caught by SecurityEnforcementFilter (being a subclass of AuthenticationException) and it delegates to the revised AuthenticationEntryPoint. We could then modify AuthenticationProcessingFilterEntryPoint to detect if the request is for itself. Thus it will perform a FilterChain.doFilter rather than redirect again to the login page. This should not only work for Tapestry applications, but also any other situation whereby the user has secured * (including the login page). Do you (or anyone else) see any problems with this approach?

Ben
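
The control flow proposed above, as an added sketch that is not part of the original message or of Acegi Security's code. The types are simplified stand-ins rather than the Servlet or Acegi interfaces, and the login page name `page/Login` and the class and method names are assumptions.

```java
import java.util.*;

// Added illustration: simplified stand-ins, not the Acegi or Servlet API types.
public class EntryPointSketch {
    record Request(String path, Map<String, String> params) {}
    interface Chain { void doFilter(Request r, List<String> log); }
    interface EntryPoint { void commence(Request r, List<String> log, Chain chain); }

    // Hypothetical revised entry point that knows its own Tapestry-style login URL.
    static class LoginEntryPoint implements EntryPoint {
        private final String loginPath = "/app";
        private final String loginService = "page/Login"; // assumed page name

        // Compare the parsed path and the 'service' parameter exactly. A substring
        // match on the raw URL would let unrelated requests skip enforcement.
        boolean isLoginRequest(Request r) {
            return loginPath.equals(r.path())
                && loginService.equals(r.params().get("service"));
        }

        public void commence(Request r, List<String> log, Chain chain) {
            if (isLoginRequest(r)) {
                chain.doFilter(r, log); // render the login page, no second redirect
            } else {
                log.add("redirect -> " + loginPath + "?service=" + loginService);
            }
        }
    }

    // Models the enforcement filter securing "*": no credentials means the
    // request is handed to the entry point together with the chain.
    static List<String> handle(Request r, boolean authenticated) {
        List<String> log = new ArrayList<>();
        Chain chain = (req, l) -> l.add("served " + req.path() + " " + req.params());
        if (authenticated) chain.doFilter(r, log);
        else new LoginEntryPoint().commence(r, log, chain);
        return log;
    }

    public static void main(String[] args) {
        // Constructed sample requests, all unauthenticated.
        System.out.println(handle(new Request("/app", Map.of("service", "page/Home")), false));
        System.out.println(handle(new Request("/app", Map.of("service", "page/Login")), false));
        // 'page/Login' appears in another parameter: must still be redirected.
        System.out.println(handle(new Request("/app",
            Map.of("service", "page/Home", "next", "page/Login")), false));
    }
}
```

Only the second request reaches the chain; the other two are redirected, including the one that merely mentions the login page in an unrelated parameter.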



_______________________________________________
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer