Matt Raible wrote:

It seems to me that the ContextHolderAwareRequestFilter should be an enabled filter by default in Acegi - allowing folks to use request.isUserInRole() and many tag libraries with their applications. It seems like it'd be a lot simpler (especially from a configuration perspective) to roll the functionality of this filter into the HttpSessionContextIntegrationFilter - since it's always needed. I can't think of any reason why you wouldn't want the ContextHolderAwareRequestFilter enabled in a webapp. Thoughts?

Matt

My only concern with this approach is the whole net.sf.acegisecurity.context package has been explicitly designed to be usable without Acegi Security (ie for people who wish to use a ThreadLocal to safely hold Objects used by multiple application layers, and have them stored between HttpServletRequest invocations). For example, I've not set the HttpSessionContextIntegrationFilter.context property to SecureContextImpl, even though most people will declare that in their IoC XML. It's just to avoid unnecessary bindings.

Regarding ContextHolderAwareRequestFilter, we could probably put it into SecurityEnforcementFilter instead. That would cause difficulty, though, for people who are trying to use SecurityEnforcementFilter with a container adapter configuration, as presumably they would prefer the container to handle isUserInRole() etc. Whilst we could handle this with a boolean property on SecurityEnforcementFilter, I'm wondering if the extra configuration of ContextHolderAwareRequestFilter is really that bad (it should be a single one-line bean declaration in the IoC XML plus a reference in FilterChainProxy). IMHO a boolean property would be a lot more subtle (ie support incident creating) than expressly listing the ContextHolderAwareRequestFilter against the FilterChainProxy.

HttpSessionContextIntegrationFilter also suffers the same problem as SecurityEnforcementFilter when considered from the perspective of container adapter users, as they wouldn't want Acegi Security to override their container.

Cheers
Ben

