----- Original Message -----
Sent: Thursday, July 22, 2004 4:26 PM
Subject: RE: tapestry + acegi
Hi Karel,
Actually I've found another way using your idea in combination with a
"normal" configuration. I've changed the AuthenticationChannelProcessor so
that it'll allow all URLs that have the FREE_ACCESS role assigned to them. All
other URLs will be passed on to a
net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor. Once
you've got the AuthenticationChannelProvider set up correctly, it's just a
matter of configuring the FilterSecurityInterceptor and placing the
filter-mappings in web.xml in the right place.
Here's my code for the AuthenticationChannelProcessor (which I partly
took from your project):
    public void decide(FilterInvocation invocation,
                       ConfigAttributeDefinition config)
            throws IOException, ServletException {
        Iterator iter = config.getConfigAttributes();
        // TODO when are there more attributes?
        while (iter.hasNext()) {
            ConfigAttribute attribute = (ConfigAttribute) iter.next();
            if (attribute.equals(FREE_ACCESS)) {
                // FREE_ACCESS: forward straight to the requested URL
                RequestDispatcher dispatcher =
                    invocation.getHttpRequest().getRequestDispatcher(invocation.getRequestUrl());
                dispatcher.forward(invocation.getHttpRequest(),
                                   invocation.getHttpResponse());
                return; // forward only once, even if more attributes follow
            }
        }
    }
The code above will just forego security checking for attributes that have
FREE_ACCESS; everything else will be passed on to the next Filter.
Wouter
That's a good question.
1) I think it can be done on Tapestry page level using PageValidationListener.
2) It should be possible to improve the AuthenticationChannelProcessor to
   support ROLE_* attributes.
----------
I have also just discovered a security hole with the URL patterns used in my
example, because it was possible to cheat it, so the better way will be to use
these patterns:
\A/app.service.page/Login\Z=FREE_ACCESS
\A/app.service.page/Home\Z=FREE_ACCESS
(There are troubles with ? and = chars, so I use the wildcard . instead.)
I still have a problem with the LanguageSwitch: how to write a safe pattern
enabling it?
Karel
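Added example (not part of the original thread, and not Karel's or Acegi's code): a small regression check for a FREE_ACCESS pattern list such as the one in the message above. The loose patterns and the request URLs are constructed for illustration, and Python's `re` module stands in for the filter's regex matcher, with whole-URL matching assumed.

```python
import re

# Pattern lists in the "regex=ATTRIBUTE" form used in the thread.
LOOSE = [r".*Login.*=FREE_ACCESS",            # constructed for contrast,
         r".*Home.*=FREE_ACCESS"]             # not Karel's original patterns
STRICT = [r"\A/app.service.page/Login\Z=FREE_ACCESS",   # from the thread
          r"\A/app.service.page/Home\Z=FREE_ACCESS"]

def parse(lines):
    """Split each line on its last '=' and compile the regex part."""
    rules = []
    for line in lines:
        pattern, _, attribute = line.rpartition("=")
        rules.append((re.compile(pattern), attribute))
    return rules

def is_free(url, rules):
    """True if any FREE_ACCESS rule matches the whole URL (assumed semantics)."""
    return any(attr == "FREE_ACCESS" and rx.fullmatch(url) is not None
               for rx, attr in rules)

def audit(rules, must_be_free, must_be_protected):
    """Return the URLs that the rules classify differently from the expectation."""
    wrong = [u for u in must_be_free if not is_free(u, rules)]
    wrong += [u for u in must_be_protected if is_free(u, rules)]
    return wrong

# Constructed request URLs in the /app?service=page/<Name> form.
FREE = ["/app?service=page/Login", "/app?service=page/Home"]
PROTECTED = [
    "/app?service=page/Admin",
    "/app?service=page/Admin&ref=Login",   # free page name inside a parameter
    "/app?service=page/HomeAdmin",         # free page name as a prefix
]

if __name__ == "__main__":
    for name, lines in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "misclassified:", audit(parse(lines), FREE, PROTECTED))
```

Any new free pattern (the LanguageSwitch one, for instance) can be added to the list under test and checked against the same protected URLs before it goes into the configuration.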
----- Original Message -----
Sent: Thursday, July 22, 2004 3:01 PM
Subject: RE: tapestry + acegi
Thanks for your reply.
OK, I see now (I've dug a little deeper since I last mailed). My next
question:
Do I understand it correctly that if I would want to add more roles the same
way you did, I would need to add these to the checking code?
Wouter