[EMAIL PROTECTED] wrote:

If you have \A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER in

I want to get rid of this line in filterInvocationInterceptor. If ROLE_ABC
is included in this line, then things work out smoothly, but then it means
that in future, if I add a new role in the descriptor, I have to
restart my context (Tomcat). Is there any way through which a role can be
added in secureContext without restarting the server?



Sounds to me like you *always* want the ContextHolder to contain a SecureContext which in turn has an Authentication object. That way you'll never get NullPointerExceptions when MethodSecurityInterceptor is called. So you *never* want an unauthenticated user accessing your application. Is that correct?

The easiest way to do that is to have a single line in FilterInvocationInterceptor, such as \A/secure/*\Z=ROLE_EVERYBODY. Then ensure you grant ROLE_EVERYBODY to every user, perhaps via an automatic addition to the UserDetails returned from your AuthenticationDao. This will ensure every user is authenticated before they hit your MethodSecurityInterceptor controlled objects, and the ContextHolder contains non-null details. If you disable caching as per my previous emails, you will be ensuring any additional role grants to the logged in user are picked up on each request, because the DaoAuthenticationProvider will always delegate to your AuthenticationDao. The DaoAuthenticationProvider will always be called via the MethodSecurityInterceptor, as its superclass (AbstractSecurityInterceptor) re-checks the ContextHolder.getContext().getAuthentication() on each secured method invocation. Again, a reminder, you're best off with some form of caching that is "stale object aware" and performs eviction.

Ben
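
The approach described in the reply above, sketched as an added example (not code from the original email or from Acegi Security): a wrapper around the user lookup adds ROLE_EVERYBODY to every known user, and with no cache in front of it a role granted at runtime is visible on the next lookup. `UserLookup`, `EverybodyRoleLookup` and the in-memory store are hypothetical stand-ins for the AuthenticationDao and its backing data.

```java
import java.util.*;

public class EverybodyRoleDemo {
    public static void main(String[] args) {
        // Constructed sample data standing in for the user/role descriptor.
        Map<String, Set<String>> store = new HashMap<>();
        store.put("alice", new HashSet<>(Arrays.asList("ROLE_TELLER")));

        UserLookup lookup = new EverybodyRoleLookup(store::get);

        // No cache in front of the lookup: each request re-reads the store.
        System.out.println(lookup.loadRoles("alice"));
        store.get("alice").add("ROLE_ABC");   // role granted while the app runs
        System.out.println(lookup.loadRoles("alice"));
    }
}

// Stand-in type for illustration only; this is NOT an Acegi Security class.
// It plays the part of the AuthenticationDao mentioned in the email.
interface UserLookup {
    Set<String> loadRoles(String username);  // roles stored for the user, or null
}

// Decorator that grants ROLE_EVERYBODY to every user the delegate returns.
final class EverybodyRoleLookup implements UserLookup {
    static final String ROLE_EVERYBODY = "ROLE_EVERYBODY";
    private final UserLookup delegate;

    EverybodyRoleLookup(UserLookup delegate) { this.delegate = delegate; }

    @Override
    public Set<String> loadRoles(String username) {
        Set<String> stored = delegate.loadRoles(username);
        if (stored == null) {
            // Unknown user: fail closed rather than hand out the blanket role.
            throw new NoSuchElementException("unknown user: " + username);
        }
        Set<String> roles = new TreeSet<>(stored); // copy, never mutate the store
        roles.add(ROLE_EVERYBODY);
        return Collections.unmodifiableSet(roles);
    }
}
```

The blanket role is only added for users the delegate actually knows, so an unknown username is rejected instead of being let through with ROLE_EVERYBODY.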


Acegisecurity-developer mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
