Hi Tcharlie,

How does the user authenticate with your application?  Do they fill
in and submit a form or are you using Basic HTTP Authentication or
some other method?

Also as a side note, although your permission mechanism will
definitely work ('urls:/jsp/newscorner.html:access'), it is typically
much better to describe system authorizations based on functionality,
not based on how they access the application. For example, this is
usually a cleaner/easier to manage approach:

perms[newsFeed:read].

(or something similar that makes sense for your particular application).

URLs, web frameworks and front-end GUI technologies change or are
added often over the life of a project, whereas my permission example
above is rooted in raw functionality only and has no bearing on what
front-end technology might be used.  That you have the permission
filter defined for that url is enough to perform the url safety you
require.

Regards,

Les

On Mon, Jul 20, 2009 at 9:03 AM, Tcharlie<[email protected]> wrote:
>
> Hi all,
>
> I'm developing a custom application using shiro (jsecurity 0.9).
> I wanted to forbid access to one html page, so, I added the following line
> in my web.xml:
> [urls]
> /jsp/newscorner.html = authc, perms[urls:/jsp/newscorner.html:access]
>
> It works fine when I use a server redirect (dispatcher.forward(...)).
> The problem comes when I try to make a client redirect to this page (via  )
> Authentication headers are not present so I encounter a 401 error.
>
> Is there any httpsessionfilter implemented (based on jsessionid) or should I
> implement this by myself?
> Is there another way to bypass this problem? (I don't want to change
> anything in my jsp's and html files).
>
> Thanks in advance, Tcharlie
>
> --
> View this message in context: 
> http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3288699.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
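
The difference between URL-named and functionality-named permissions discussed in the reply above, as an added example that is not part of the original thread or of Shiro's own code. It assumes Apache Shiro's `WildcardPermission` (package `org.apache.shiro`) is on the classpath; the `/rss/news.xml` path and the grant lists are constructed for illustration.

```java
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class PermissionNamingDemo {

    /** True if any granted permission implies the one a URL filter requires. */
    static boolean allowed(List<Permission> granted, String required) {
        Permission needed = new WildcardPermission(required);
        return granted.stream().anyMatch(g -> g.implies(needed));
    }

    public static void main(String[] args) {
        // Constructed grants for one hypothetical role, one list per naming style.
        List<Permission> urlStyle =
                List.of(new WildcardPermission("urls:/jsp/newscorner.html:access"));
        List<Permission> functionStyle =
                List.of(new WildcardPermission("newsFeed:read"));

        // Paths serving the same news feature: the page from the thread plus a
        // hypothetical second front end added later in the project's life.
        String[] paths = {"/jsp/newscorner.html", "/rss/news.xml"};

        for (String path : paths) {
            // URL-style: each path needs its own permission string and its own grant.
            boolean byUrl = allowed(urlStyle, "urls:" + path + ":access");
            // Function-style: every path maps to the same permission, i.e.
            //   <path> = authc, perms[newsFeed:read]
            boolean byFunction = allowed(functionStyle, "newsFeed:read");
            System.out.printf("%-22s url-style=%-5b function-style=%b%n",
                    path, byUrl, byFunction);
        }
    }
}
```

Under the URL-style grant the second path is denied until another permission is added to the role, while the function-style grant covers both paths without any change to role definitions.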
