Re: [S2] REST plugin & Security

2008-07-29 Thread Mike Watson
Thanks Jeromy,

Yep, we did get the standard JEE security working in WAS.
(Fat-fingered typing in the web.xml was the culprit).

I'll have a look at the Spring option if we find the container stuff a
bit lacking.

Thanks again for your feedback.

Mike

2008/7/29 Jeromy Evans <[EMAIL PROTECTED]>:
>
> If you don't have complex URL patterns, I'd continue down the JEE path.  It
> should work. Although I haven't tried it with WebSphere, it's a fundamental
> requirement of the container.
>
> I'd temporarily switch to HTTP BASIC instead of LDAP to try to isolate the
> problem.
>
> Yes, creating a custom Security Interceptor is another approach.  It's
> pretty simple to throw your own interceptor into the stack that checks the
> Principal or Session and forces a redirect/error if appropriate.  It's a low
> effort approach but you take on some more risk of introducing
> vulnerabilities.
>
> A better approach is to use a third party filter.  Acegi/Spring Security is
> the most popular and probably the most flexible as it's closely bound to
> your (Spring) Object Factory.  There are other open source filters available
> too that may suit you.
>
> Hope that helps,
> Jeromy Evans
>
>
> Mike Watson wrote:
>>
>> I should probably add that I'm just trying to authenticate via LDAP at
>> this stage. Authorization will be implemented later.
>>
>> 2008/7/28 Mike Watson <[EMAIL PROTECTED]>:
>>
>>>
>>> Hi Folks,
>>>
>>> What's the most straightforward way to secure my REST URLs?
>>>
>>> I'd assumed that I'd be able to use the standard JEE approach and
>>> secure based on URL patterns but this doesn't seem to work (on
>>> WebSphere anyway) and I'm assuming it's to do with the fact everything
>>> I'm doing is happening in filters rather than working with 'real'
>>> resources. (I don't get any errors, I just get to see resources I
>>> shouldn't when I'm not authenticated).
>>>
>>> Is there some sort of Security Interceptor I should enable or should
>>> this work the way I initially assumed?
>>>
>>> Has anybody else (Jeromy?) done this?
>>>
>>> Cheers
>>>
>>> Mike
>>>
>>>
>>
>> -
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]

Re: [S2] REST plugin & Security

2008-07-28 Thread Jeromy Evans


If you don't have complex URL patterns, I'd continue down the JEE path.  
It should work. Although I haven't tried it with WebSphere, it's a 
fundamental requirement of the container.


I'd temporarily switch to HTTP BASIC instead of LDAP to try to isolate the 
problem.


Yes, creating a custom Security Interceptor is another approach.  It's 
pretty simple to throw your own interceptor into the stack that checks 
the Principal or Session and forces a redirect/error if appropriate.  
It's a low effort approach but you take on some more risk of introducing 
vulnerabilities.


A better approach is to use a third party filter.  Acegi/Spring 
Security is the most popular and probably the most flexible as it's 
closely bound to your (Spring) Object Factory.  There are other open 
source filters available too that may suit you.


Hope that helps,
Jeromy Evans


Mike Watson wrote:
> I should probably add that I'm just trying to authenticate via LDAP at
> this stage. Authorization will be implemented later.
>
> 2008/7/28 Mike Watson <[EMAIL PROTECTED]>:
>> Hi Folks,
>>
>> What's the most straightforward way to secure my REST URLs?
>>
>> I'd assumed that I'd be able to use the standard JEE approach and
>> secure based on URL patterns but this doesn't seem to work (on
>> WebSphere anyway) and I'm assuming it's to do with the fact everything
>> I'm doing is happening in filters rather than working with 'real'
>> resources. (I don't get any errors, I just get to see resources I
>> shouldn't when I'm not authenticated).
>>
>> Is there some sort of Security Interceptor I should enable or should
>> this work the way I initially assumed?
>>
>> Has anybody else (Jeromy?) done this?
>>
>> Cheers
>>
>> Mike

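An added example of the custom Security Interceptor approach Jeromy describes above; it is not code from this thread or from the Struts project. It checks the container-supplied Principal (so it works with the container's LDAP or BASIC login) and fails closed with a 401 when there is none. The class name, the interceptor and stack names in the struts.xml comment, and the `example` package are assumptions.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Hypothetical interceptor: refuses to run the action unless the servlet
 * container has already authenticated the caller. request.getUserPrincipal()
 * is populated by the container's login (LDAP registry, BASIC, ...), never
 * by application code, which is why it is checked instead of a session flag.
 *
 * Registration in struts.xml (names assumed), placed in front of the normal
 * stack so no action code runs for anonymous callers; with the REST plugin,
 * reference that plugin's stack instead of defaultStack:
 *
 *   <interceptors>
 *     <interceptor name="authenticated"
 *                  class="example.AuthenticatedPrincipalInterceptor"/>
 *     <interceptor-stack name="secureStack">
 *       <interceptor-ref name="authenticated"/>
 *       <interceptor-ref name="defaultStack"/>
 *     </interceptor-stack>
 *   </interceptors>
 *   <default-interceptor-ref name="secureStack"/>
 */
public class AuthenticatedPrincipalInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();

        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Fail closed: deny by default. A 401 rather than a redirect
            // suits REST clients, which are not browsers and cannot follow
            // a login form.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return Action.NONE; // response already written; execute no result
        }
        // Authenticated: continue down the stack to the action.
        return invocation.invoke();
    }
}
```

This only establishes who the caller is; per-resource authorization (which the original poster deferred) still has to be added on top, either in the action or in a further interceptor.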

Re: [S2] REST plugin & Security

2008-07-27 Thread Mike Watson
I should probably add that I'm just trying to authenticate via LDAP at
this stage. Authorization will be implemented later.

2008/7/28 Mike Watson <[EMAIL PROTECTED]>:
> Hi Folks,
>
> What's the most straightforward way to secure my REST URLs?
>
> I'd assumed that I'd be able to use the standard JEE approach and
> secure based on URL patterns but this doesn't seem to work (on
> WebSphere anyway) and I'm assuming it's to do with the fact everything
> I'm doing is happening in filters rather than working with 'real'
> resources. (I don't get any errors, I just get to see resources I
> shouldn't when I'm not authenticated).
>
> Is there some sort of Security Interceptor I should enable or should
> this work the way I initially assumed?
>
> Has anybody else (Jeromy?) done this?
>
> Cheers
>
> Mike
>


[S2] REST plugin & Security

2008-07-27 Thread Mike Watson
Hi Folks,

What's the most straightforward way to secure my REST URLs?

I'd assumed that I'd be able to use the standard JEE approach and
secure based on URL patterns but this doesn't seem to work (on
WebSphere anyway) and I'm assuming it's to do with the fact everything
I'm doing is happening in filters rather than working with 'real'
resources. (I don't get any errors, I just get to see resources I
shouldn't when I'm not authenticated).

Is there some sort of Security Interceptor I should enable or should
this work the way I initially assumed?

Has anybody else (Jeromy?) done this?

Cheers

Mike
