Sorry, I remembered a bit more just after I clicked 'send'. I was thinking your [user] was your actual userid.

We use something like: authcBasic,rest[myapp:somekey]
then check for the permission "myapp:somekey:read" when doing a GET.
If my user has this permission then all is well (or they could have "myapp:somekey:*").

In your example your user would need to have the permission users:read (for a GET).

On Wed, Sep 22, 2010 at 4:57 PM, Brian Demers <[email protected]> wrote:

> Not sure, configure our REST bits programmatically, but the first option
> looks correct
>
> On Wed, Sep 22, 2010 at 12:14 PM, Hilco Wijbenga <[email protected]> wrote:
>
>> On 19 September 2010 20:23, Hilco Wijbenga <[email protected]> wrote:
>> > On 18 September 2010 01:42, Les Hazlewood <[email protected]> wrote:
>> >> As Brian mentioned, check out the BasicHttpAuthenticationFilter
>> >> (available as the 'authcBasic' default filter). Most REST apps use
>> >> that one for authentication and this performs the challenge/response
>> >> logic you mentioned (HTTP 401, etc). You might also want to look
>> >> into the HttpMethodPermissionFilter for authorization. They're both
>> >> linked from the page Brian included.
>> >
>> > I've got the BasicHttpAuthenticationFilter working but I'm unclear on
>> > how to add the HttpMethodPermissionFilter. I can get something like
>> >
>> > /account/** = authcBasic
>> >
>> > to work but
>> >
>> > /account/** = authcBasic, rest[user]
>> >
>> > just seems to block everything.
>> >
>> > Also, how do I configure different permissions for different HTTP
>> > methods? E.g. allow everyone POST on /accounts (to create a new
>> > account) but require role Admin for GET on /accounts (to list all
>> > existing accounts).
>> >
>> > How do I allow one particular user access to a particular URL? I.e.
>> > how do I allow *only* user xyz access to /user/xyz/stuff? Obviously, I
>> > don't want to have to configure each user separately.
>> >
>> > Cheers,
>> > Hilco
>>
>> Anyone?
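
The check described in the reply at the top of this message, as an added sketch that is not part of the original thread and is not Shiro's own code: it models how `rest[myapp:somekey]` turns an HTTP method into a required permission and how a wildcard grant is matched against it. The function names and the sample users are assumptions made for the illustration; the verb-to-action table follows the filter's documented defaults.

```python
# Added illustration: a small model of the check, not Apache Shiro source code.
# Verb-to-action table follows HttpMethodPermissionFilter's documented defaults.
HTTP_METHOD_ACTIONS = {
    "DELETE": "delete", "GET": "read", "HEAD": "read", "MKCOL": "create",
    "OPTIONS": "read", "POST": "create", "PUT": "update", "TRACE": "read",
}


def required_permission(configured, http_method):
    """Permission checked for rest[configured] on the given HTTP method."""
    # Simplification of this model: verbs outside the table raise KeyError.
    return f"{configured}:{HTTP_METHOD_ACTIONS[http_method.upper()]}"


def _parts(permission):
    # "a:b,c:*" -> [{"a"}, {"b", "c"}, {"*"}], compared case-insensitively
    return [set(p.strip().lower().split(",")) for p in permission.split(":")]


def implies(granted, required):
    """Wildcard-permission matching: does `granted` cover `required`?"""
    g, r = _parts(granted), _parts(required)
    for i, wanted in enumerate(r):
        if i >= len(g):
            return True  # a shorter grant covers everything beneath it
        if "*" not in g[i] and not wanted <= g[i]:
            return False
    # Extra parts on the grant must all be wildcards to still match.
    return all("*" in part for part in g[len(r):])


def is_permitted(user_permissions, configured, http_method):
    needed = required_permission(configured, http_method)
    return any(implies(p, needed) for p in user_permissions)


# Constructed users for the demonstration.
USERS = {
    "reader": {"myapp:somekey:read"},
    "owner": {"myapp:somekey:*"},
    "authenticated_only": {"otherapp:thing:read"},
}

if __name__ == "__main__":
    for name, perms in USERS.items():
        verdicts = {m: is_permitted(perms, "myapp:somekey", m)
                    for m in ("GET", "POST", "PUT", "DELETE")}
        print(name, verdicts)
```

The `authenticated_only` user passes `authcBasic` but is denied on every method, which is the "blocks everything" symptom when no matching permission has been granted.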
