That's a good question.
1) I think it can be done on Tapestry
page level using PageValidationListener.
2) It should be possible to improve the
AuthenticationChannelProcessor to support ROLE_*
attributes.
--
I have also just discovered a security hole
with the URL patterns used in my
Has any thought been given to adding instance based security support to Acegi?
This seems to be a common requirement. Basically, what I mean by this is
that you can apply security constraints (hopefully in a declarative fashion)
to an object class with rules that are capable of discriminating
Can't this be done such using Method SecurityMethodInvocation
security in Acegi? Not sure how you know it is a CEO employee declaratively
though. I guess this is what you are asking.
like:
sample.Employee.getSalary=ROLE_MANAGER
sample.Employee.getAddress=ROLE_ALL
Sorry, I know the example
This is something I've been pondering
as well.
Stefan: I don't think that's what Andy
means. I believe that the security would be based on some property of the
instance, rather than of the user.
I came from the Notes/Domino world,
where a similar concept was applied with Readers and Authors
Actually, that is exactly what I was stating. He needs to know whether an
employee is a CEO or a regular employee since both use the same Employee object.
What I was alluding to is that currently, even if you added a property in the
Employee object to determine if it is a CEO or not, I was
This is exactly what I am implementing
right now. Funny, that this is the first post I see when I joined the list. I
am creating a series of custom voters:
SimpleRoleVoter will grant
access if the user has the role in question, deny otherwise
EntityRoleVoter will grant
access if any
Ben,
Comments below...
I've committed this one, minus the UsernameNotFoundException (because it
gets re-thrown by DaoAuthenticationProvider in a BadCredentialsException).
If people need to support additional application-specific (rather than
Acegi Security-specific) exceptions, we could
Andy Depue wrote:
Has any thought been given to adding instance based security support to Acegi?
This seems to be a common requirement.
There are so many ways of approaching instance-level security, as touched
on by the other replies to this thread. The major issues are where to
get the
I agree with your assessment Ben. Had many of those thoughts myself as
I was pondering our situation. In the end we went with VOTERS DETECT
OBJECT AS PARAMETER AND QUERY ACL OBJECT. Seems like the best choice
for us since we only want to deny or allow access not mutate or filter
properties of
It looks to me like the authz tag does not work properly inside a
Sitemesh decorator, but works correctly if used inside an actual
decorated jsp. I suspect that there are some problems with the
ContextHolder ThreadLocal instance and the Sitemesh decorator not
playing well together, but I