Re: [Acegisecurity-developer] infinite cycle caused by "secured" login page

2004-06-08 Thread Karel Miarka
Colin,

I was playing with the 2 prefix solution and I don't like it very much,
because I don't see any advantage of this usage of Acegi Security for
Tapestry developer, because:
1) I still must have my pages protected using PageValidateListener
2) usage of HTTP request security is anyway problematic with Tapestry
3) I request a page with /app prefix but in the Tapestry generated anchors
inside there is still the /auth prefix used (so it seems I have no control
of this)
4) I think it is usual to have a fully loaded user object (of the logged in
user) stored in my Tapestry app Visit object and when I use Acegi Session
Authentication it is quite problematic to put it there (I must create it
from the username stored in HTTP session by Acegi, but Visit may not exist
in Engine setupForRequest, it is impossible to access anything directly from
Visit and it is not good to set some user service into Visit, because it may
not be serializable and so on)

But because I want to use the authorization services of Acegi I have taken
another approach:
1) I keep my Login and authorization in usual Tapestry way and I place my
user object into visit
2) in Engine setupForRequest I create the Acegi SecureContext filled with
TestingAuthenticationToken:

// Imports assume the Acegi 0.x package layout current at the time of this thread;
// Visit and User are the application's own classes.
import java.util.Iterator;
import java.util.Set;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import net.sf.acegisecurity.context.SecureContextImpl;
import net.sf.acegisecurity.providers.TestingAuthenticationToken;

// inside the engine's setupForRequest: mirror the Visit's user into an Acegi context
Visit visit = (Visit) getVisit();
if (visit != null) {
  User user = visit.getUser();
  if (user != null) {
    SecureContext secureContext = new SecureContextImpl();
    // build granted authorities: each application role becomes ROLE_<NAME>
    Set roles = user.getRoles();
    GrantedAuthority[] authorities = new GrantedAuthority[roles.size()];
    Iterator iterator = roles.iterator();
    for (int i = 0; iterator.hasNext(); i++) {
      authorities[i] = new GrantedAuthorityImpl("ROLE_" + ((String) iterator.next()).toUpperCase());
    }
    // the user was already authenticated by the Tapestry login, so a pre-built token is used
    Authentication auth = new TestingAuthenticationToken(user.getLogin(), user.getPassword(), authorities);
    secureContext.setAuthentication(auth);
    ContextHolder.setContext(secureContext);
  }
}

Do you find this usage improper or insecure?

TIA,
Karel



- Original Message - 
From: "Colin Sampaleanu" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 04, 2004 4:57 PM
Subject: Re: [Acegisecurity-developer] infinite cycle caused by "secured"
login page


> Karel,
>
> One way to handle this is to have your Tapestry app accessible under two
> prefixes (just register it twice in web.xml), for example both
>   /app
> and
>   /auth
>
> Your login page would be accessed under /app and would not trigger the
> /auth interceptor. Tapestry is quite fine with this.  Now you do have to
> ensure that pages which need to be secured are not accessed via /app,
> which you can do with some interceptor setup, or alternately
> programmatically by deriving protected pages from a common base class
> and have the pages check themselves for a logged in status...
>
> Hope this helps,
> Colin
>
> Karel Miarka wrote:
>
> >Hello,
> >
> >I'm developing an application based on Spring and Tapestry and I have
> >started to play with ASS4S . I wanted to make all my pages secure (user
> >login is required to access any page). So I have added this pattern into
> >FilterSecurityInterceptor configuration:
> >
> >\A/app.*\Z=ROLE_USER
> >
> >But the problem is that my login page is located also inside this pattern,
> >the URL is: /app?service=page/Login . And I understand that because simple
> >redirect is used. So I have tried to create my own FreeAccessVoter to allow
> >access to this page, but as I have discovered later the redirect is sent
> >before the voter is called.
> >
> >So how to handle such cases? Is it possible without having to move the Login
> >page?
> >
> >TIA,
> >Karel
> >
> >
>
>
>




---
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
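One caveat on the setupForRequest approach above, as an added example that is not from the thread or from Acegi: ContextHolder binds the context to the current thread, and servlet containers reuse threads across requests, so a context set in setupForRequest and never cleared can still be on the thread when the next request arrives. The code below is a constructed stand-in, not Acegi or Tapestry API: a ThreadLocal-backed Holder class and a handleRequest method model one request, and secondRequestSees runs two requests on one pooled thread, first for a logged-in Visit ("alice", a made-up user) and then an anonymous one, with and without a clearing step. Without clearing, the anonymous request is seen as "alice"; with clearing it is seen as nobody. In the real engine the clearing step would belong in a cleanupAfterRequest override (assumed here to be the Tapestry hook paired with setupForRequest).

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Constructed demo of per-thread security context cleanup; Holder stands in for a thread-local context holder. */
public class ContextCleanupDemo {

    /** One context slot per thread, the way a ThreadLocal-backed holder keeps it. */
    static final class Holder {
        private static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<String>();
        static void set(String principal) { PRINCIPAL.set(principal); }
        static String get() { return PRINCIPAL.get(); }
        static void clear() { PRINCIPAL.remove(); }
    }

    /**
     * Models one request. visitUser is the user found in the Tapestry Visit (null when the
     * visitor is not logged in). Returns the principal the authorization layer would see.
     */
    static String handleRequest(String visitUser, boolean clearAfterRequest) {
        if (visitUser != null) {
            Holder.set(visitUser);   // the setupForRequest step from the snippet in the thread
        }
        try {
            return Holder.get();     // what an interceptor on this thread would authorize against
        } finally {
            if (clearAfterRequest) {
                Holder.clear();      // the cleanupAfterRequest step the snippet does not have
            }
        }
    }

    /** Two requests on one pooled thread: "alice" logged in, then an anonymous visitor. */
    static String secondRequestSees(boolean clearAfterRequest) throws Exception {
        ExecutorService oneThread = Executors.newSingleThreadExecutor();
        try {
            oneThread.submit(() -> handleRequest("alice", clearAfterRequest)).get();
            return oneThread.submit(() -> handleRequest(null, clearAfterRequest)).get();
        } finally {
            oneThread.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("without cleanup, anonymous request runs as: " + secondRequestSees(false));
        System.out.println("with cleanup, anonymous request runs as:    " + secondRequestSees(true));
    }
}
```

The single-thread executor guarantees both requests land on the same thread, which is the situation a container thread pool produces under load; the try/finally shape is the one to copy, so the context is cleared even when the request throws.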


Re: [Acegisecurity-developer] infinite cycle caused by "secured" login page

2004-06-04 Thread Colin Sampaleanu
Karel,
One way to handle this is to have your Tapestry app accessible under two 
prefixes (just register it twice in web.xml), for example both
 /app
and
 /auth

Your login page would be accessed under /app and would not trigger the 
/auth interceptor. Tapestry is quite fine with this.  Now you do have to 
ensure that pages which need to be secured are not accessed via /app, 
which you can do with some interceptor setup, or alternately 
programmatically by deriving protected pages from a common base class 
and have the pages check themselves for a logged in status...

Hope this helps,
Colin
Karel Miarka wrote:
Hello,
I'm developing an application based on Spring and Tapestry and I have
started to play with ASS4S . I wanted to make all my pages secure (user
login is required to access any page). So I have added this pattern into
FilterSecurityInterceptor configuration:
\A/app.*\Z=ROLE_USER
But the problem is that my login page is located also inside this pattern,
the URL is: /app?service=page/Login . And I understand that because simple
redirect is used. So I have tried to create my own FreeAccessVoter to allow
access to this page, but as I have discovered later the redirect is sent
before the voter is called.
So how to handle such cases? Is it possible without having to move the Login
page?
TIA,
Karel
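An added example, not code from the thread or from Acegi or Tapestry, that models both the loop Karel describes and the two-prefix layout Colin proposes. A plain java.util.regex rule list (PathRules, constructed here) stands in for the interceptor's "regex=ROLE" map; it is matched against path plus query string with the first matching rule winning, and an anonymous request to a URL that needs a role is redirected to the login URL before any voter is consulted (all three are assumptions about the interceptor, taken from the thread's description). redirectsForever and anonymouslyReachable are made up for this example, as are the page names Home and Secret. The third configuration goes one step beyond the thread: it shows a regex that secures every /app page except Login, one way to do the "interceptor setup" Colin mentions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Offline model of the "regex=ROLE" interceptor rules discussed in the thread (constructed example). */
public class LoginLoopCheck {

    /** Ordered rule list: the first matching pattern decides the required role (assumption). */
    static final class PathRules {
        private final Map<Pattern, String> rules = new LinkedHashMap<Pattern, String>();

        PathRules add(String regex, String role) {
            rules.put(Pattern.compile(regex), role);
            return this;
        }

        /** Role required for a URL (path plus query string), or null if no rule matches. */
        String requiredRole(String url) {
            for (Map.Entry<Pattern, String> e : rules.entrySet()) {
                if (e.getKey().matcher(url).matches()) {
                    return e.getValue();
                }
            }
            return null;
        }
    }

    /**
     * Models an anonymous request: a URL that needs a role is redirected to the login
     * URL before any voter runs. Returns true if the request can never be served.
     */
    static boolean redirectsForever(PathRules rules, String requested, String loginUrl) {
        Set<String> seen = new HashSet<String>();
        String url = requested;
        while (seen.add(url)) {
            if (rules.requiredRole(url) == null) {
                return false;      // public URL: served
            }
            url = loginUrl;        // secured and anonymous: redirect to the login page
        }
        return true;               // a URL came round again: redirect loop
    }

    /** Page names an anonymous user can open through the given application prefix. */
    static List<String> anonymouslyReachable(PathRules rules, String prefix, List<String> pages) {
        List<String> open = new ArrayList<String>();
        for (String page : pages) {
            if (rules.requiredRole(prefix + "?service=page/" + page) == null) {
                open.add(page);
            }
        }
        return open;
    }

    public static void main(String[] args) {
        String login = "/app?service=page/Login";
        List<String> pages = Arrays.asList("Login", "Home", "Secret");

        // 1. The original configuration: everything under /app secured, login page included.
        PathRules single = new PathRules().add("\\A/app.*\\Z", "ROLE_USER");
        System.out.println("single prefix loops: " + redirectsForever(single, "/app?service=page/Home", login));

        // 2. Two prefixes with only /auth secured: no loop, but every page is open under /app.
        PathRules two = new PathRules().add("\\A/auth.*\\Z", "ROLE_USER");
        System.out.println("two prefixes loop:   " + redirectsForever(two, "/auth?service=page/Home", login));
        System.out.println("open under /app:     " + anonymouslyReachable(two, "/app", pages));

        // 3. Close the gap on the interceptor side: secure every /app page except Login.
        PathRules tight = new PathRules()
            .add("\\A/app\\?service=page/(?!Login\\Z).*\\Z", "ROLE_USER")
            .add("\\A/auth.*\\Z", "ROLE_USER");
        System.out.println("tightened loops:     " + redirectsForever(tight, "/app?service=page/Secret", login));
        System.out.println("open under /app:     " + anonymouslyReachable(tight, "/app", pages));
    }
}
```

anonymouslyReachable only models the ?service=page/ URL form; a Tapestry page can also be rendered through the engine's other services, so a regex check has to be fed every URL shape the application exposes. That is why Colin's suggestion of a common base class in which the pages check their own login status is the layer that does not depend on matching URLs.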
 


---
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


[Acegisecurity-developer] infinite cycle caused by "secured" login page

2004-06-04 Thread Karel Miarka
Hello,

I'm developing an application based on Spring and Tapestry and I have
started to play with ASS4S . I wanted to make all my pages secure (user
login is required to access any page). So I have added this pattern into
FilterSecurityInterceptor configuration:

\A/app.*\Z=ROLE_USER

But the problem is that my login page is located also inside this pattern,
the URL is: /app?service=page/Login . And I understand that because simple
redirect is used. So I have tried to create my own FreeAccessVoter to allow
access to this page, but as I have discovered later the redirect is sent
before the voter is called.

So how to handle such cases? Is it possible without having to move the Login
page?

TIA,
Karel



