Wouter,
 
Thanks for sending the example solution.
I have finally decided to remove the AuthenticationChannelProcessor from Hispacta and replace it with the standard Tapestry way of page protection - PageValidateListener. It is not declarative, but it seems to be simpler, more secure (doesn't leave room for bugs with invalid patterns) and gives the developer more possibilities (it is easy to enable the language switch even when the user is not logged in), and it is also possible to check for the user's GrantedAuthorities in the pageValidate() method, e.g. to require some roles.
 
Regards,
Karel
----- Original Message -----
Sent: Thursday, July 22, 2004 4:26 PM
Subject: RE: tapestry + acegi

Hi Karel,
 
Actually I've found another way using your idea in combination with a "normal" configuration. I've changed the AuthenticationChannelProcessor so that it'll allow all URLs that have the FREE_ACCESS role assigned to them. All other URLs will be passed on to a net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor. Once you've got the AuthenticationChannelProvider set up correctly, it's just a matter of configuring the FilterSecurityInterceptor and placing the filter-mappings in web.xml in the right place.
 
Here's my code for the AuthenticationChannelProcessor (which I partly took from your project):
  public void decide(FilterInvocation invocation, ConfigAttributeDefinition config)
    throws IOException, ServletException {

    Iterator iter = config.getConfigAttributes();
    //TODO when are there more attributes?
    while (iter.hasNext()) {
      ConfigAttribute attribute = (ConfigAttribute) iter.next();

      if (attribute.equals(FREE_ACCESS)) {
        // Forward directly to the requested URL
        RequestDispatcher dispatcher =
            invocation.getHttpRequest().getRequestDispatcher(invocation.getRequestUrl());
        dispatcher.forward(invocation.getHttpRequest(), invocation.getHttpResponse());
        return; // the response is committed; do not forward a second time
      }
    }
  }
 
The code above will just forego security checking for attributes that have FREE_ACCESS; everything else will be passed on to the next Filter.
 
Wouter
 


From: Karel Miarka [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 4:19 PM
To: [EMAIL PROTECTED]
Cc: Wouter de Vaal
Subject: Re: tapestry + acegi

That's a good question.
 
1) I think it can be done on Tapestry page level using PageValidationListener.
2) It should be possible to improve the AuthenticationChannelProcessor to support ROLE_* attributes.
 
----------
 
I have also just discovered a security hole with the URL patterns used in my example, because it was possible to cheat it, so the better way will be to use those patterns:
 
\A/app.service.page/Login\Z=FREE_ACCESS
\A/app.service.page/Home\Z=FREE_ACCESS
 
(There are troubles with ? and = chars, so I use the wildcard . instead):
 
I still have a problem with the LanguageSwitch: how to write a safe pattern enabling it?
 
Karel
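
Added example (not part of the original thread or of Hispacta's code): a small Java check of which request URLs a pattern set maps to FREE_ACCESS, comparing the anchored patterns from the message above with a looser set. The LOOSE patterns and all sample URLs are constructed for illustration, since the thread does not show the earlier patterns, and matching with find() is an assumption about how the patterns are applied.

```java
import java.util.regex.Pattern;

public class FreeAccessPatternCheck {
    // Constructed stand-in for a loose configuration (trailing wildcard);
    // the patterns originally used are not shown in the thread.
    static final Pattern[] LOOSE = {
        Pattern.compile("\\A/app.service.page/Login.*\\Z"),
        Pattern.compile("\\A/app.service.page/Home.*\\Z"),
    };

    // The two patterns quoted in the message above.
    static final Pattern[] STRICT = {
        Pattern.compile("\\A/app.service.page/Login\\Z"),
        Pattern.compile("\\A/app.service.page/Home\\Z"),
    };

    // True if any pattern in the set matches the URL, i.e. the URL
    // would be treated as FREE_ACCESS (assumption: find() semantics).
    static boolean freeAccess(Pattern[] patterns, String url) {
        for (Pattern p : patterns) {
            if (p.matcher(url).find()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample request URLs; page names other than Login/Home are hypothetical.
        String[] urls = {
            "/app?service=page/Login",       // the intended public page
            "/app?service=page/LoginAdmin",  // page name that merely starts with "Login"
            "/app?service=page/Login&sp=x",  // extra parameter appended
            "/app?service=page/Admin",       // a page that must stay protected
            "/appXserviceYpage/Home",        // other characters where ? and = are expected
        };
        System.out.printf("%-32s %-6s %s%n", "request URL", "loose", "strict");
        for (String url : urls) {
            System.out.printf("%-32s %-6b %b%n",
                url, freeAccess(LOOSE, url), freeAccess(STRICT, url));
        }
    }
}
```

The last sample URL shows that the . wildcard used in place of ? and = accepts any character in those positions, so the anchored patterns are still slightly wider than a literal match.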
 
 
----- Original Message -----
Sent: Thursday, July 22, 2004 3:01 PM
Subject: RE: tapestry + acegi

Thanks for your reply.
 
Ok I see now (I've dug a little deeper since I last mailed). My next question:
 
Do I understand it correctly if I would want to add more roles the same way you did, I would need to add these to the checking code?
 
Wouter
 
