Hi Les,



Les Hazlewood-2 wrote:
> 
> Hi Tcharlie,
> 
> How does the user authenticate with your application?  Do they fill
> in and submit a form or are you using Basic HTTP Authentication or
> some other method?
> 
> 

I've got a JSP form to authenticate my users. The link is good because if my
user is not authenticated, he is redirected to my login page.


Les Hazlewood-2 wrote:
> 
> Also as a side note, although your permission mechanism will
> definitely work ('urls:/jsp/newscorner.html:access'), it is typically
> much better to describe system authorizations based on functionality,
> not based on how they access the application. For example, this is
> usually a cleaner/easier to manage approach:
> 
> perms[newsFeed:read].
> 
> (or something similar that makes sense for your particular application).
> 
> URLs and web frameworks and front-end GUI technologies change or are
> added often over the life of a project, whereas my permission example
> above is rooted in raw functionality only and has no bearing on what
> front-end technology might be used.  That you have the permission
> filter defined for that url is enough to perform the url safety you
> require.
> 
> Regards,
> 
> Les
> 

In fact, I'm mixing another security framework with Shiro (which provides
much more functionality, for example PCI compliance or calendar logging
restriction) and it should make 0 impact when upgrading to this "mixed"
framework. So I need to provide the permission category, resource name and
then the action to perform.
I'm sure that my custom realm works fine, I tested it with server redirect
(servlet dispatcher) and it's ok...

My only problem remains with client redirect ( ), which results in a 401 error.


Les Hazlewood-2 wrote:
> On Mon, Jul 20, 2009 at 9:03 AM, Tcharlie <[email protected]> wrote:
>>
>> Hi all,
>>
>> I'm developing a custom application using Shiro (jsecurity 0.9).
>> I wanted to forbid access to one html page, so I added the following
>> line in my web.xml:
>> [urls]
>>                /jsp/newscorner.html = authc, perms[urls:/jsp/newscorner.html:access]
>>
>> It works fine when I use a server redirect (dispatcher.forward(...)).
>> The problem comes when I try to make a client redirect to this page (via
>>  )
>> Authentication headers are not present so I encounter a 401 error.
>>
>> Is there any httpsessionfilter implemented (based on jsessionid) or
>> should I implement this by myself?
>> Is there another way to bypass this problem? (I don't want to change
>> anything in my jsp's and html files).
>>
>> Thanks in advance, Tcharlie
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3288699.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
> 
> 

-- 
View this message in context: 
http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3288978.html
Sent from the Shiro User mailing list archive at Nabble.com.
