Ben,

This sounds good to me.

Thanks,
Karel

----- Original Message -----
From: "Ben Alex" <[EMAIL PROTECTED]>
To: "Karel Miarka" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, September 03, 2004 7:54 AM
Subject: SecurityEnforcementFilter always executing, even if for login page

> Karel Miarka wrote:
>
> >Ben,
> >
> >You are completely right, but my filter solves one important problem
> >regarding Tapestry: The current SecurityEnforcementFilter doesn't allow
> >the login page to be at the same place as the protected pages and because
> >in Tapestry all the pages are accessed using app?service=page/PageName,
> >so it is a problem.
> >My filter is suitable for applications where all the pages should be
> >protected except the login page.
> >
> >That would be nice if the SecurityEnforcementFilter could be made to run
> >only once and solve the cyclic problem when the login page is inside the
> >protected area. But because it sends the redirect it is not enough to use
> >the FILTER_APPLIED flag :(
> >
>
> (cc: Developer list so there's some history)
>
> How about this for an approach....
>
> We change the AuthenticationEntryPoint.commence argument to also take a
> FilterChain. ie not just ServletRequest and ServletResponse. Then
> SecurityEnforcementFilter can be configured to secure all requests (ie
> *). It will delegate to FilterSecurityInterceptor, which in turn
> delegates to its superclass, AbstractSecurityInterceptor, which then
> finds nothing in the ContextHolder and throws
> AuthenticationCredentialsNotFoundException, which is then caught by
> SecurityEnforcementFilter (being a subclass of AuthenticationException)
> and it delegates to the revised AuthenticationEntryPoint. We could then
> modify AuthenticationProcessingFilterEntryPoint to detect if the request
> is for itself. Thus it will perform a FilterChain.doFilter rather than
> redirect again to the login page. This should not only work for Tapestry
> applications, but also any other situation whereby the user has secured
> * (including the login page). Do you (or anyone else) see any problems
> with this approach?
>
> Ben

_______________________________________________
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
