
  • How do I exclude URLs?

    I'm using good ol' container-managed authentication and migrating to Acegi. I'm protecting *.html in my web.xml and I allow some URLs to pass through using a <security-constraint> with no <auth-constraint>:

    Code:
        <!-- Allow anyone to access passwordHint and signup -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Unrestricted</web-resource-name>
                <description>All users can view</description>
                <url-pattern>/passwordHint.html</url-pattern>
                <url-pattern>/signup.html</url-pattern>
                <http-method>POST</http-method>
                <http-method>GET</http-method>
            </web-resource-collection>
        </security-constraint>
    With Acegi, I've been able to get all of this working, except for the unprotected pages. Is there a way to manipulate the following expression so that a couple of URLs aren't protected?

    Code:
     		<property name="objectDefinitionSource">
    			<value>
    			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			    PATTERN_TYPE_APACHE_ANT
    				/*.html=Administrators
    			</value>
    		</property>
    I'd rather not put these pages in a specific directory since I've (so far) been able to integrate Acegi w/o changing a single line of code. ;-)

    Thanks,

    Matt

  • #2
    Excluding URLs [solution]

    After reading many posts on this forum and seeing the "anonymous" user approach, I gave it a whirl. I got it to work, but I had to write quite a bit of code to do something that should be simple. So I scrapped it and hacked Acegi a bit to allow excluded URLs. Below is a patch that allows you to exclude URLs in your context file with the following syntax:

    Code:
     		<property name="objectDefinitionSource">
    			<value>
    			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			    PATTERN_TYPE_APACHE_ANT
    				!/signup.html=Foo
    				!/passwordhint.html*=Foo
    				/*.html*=Administrators
    			</value>
    		</property>
    I found that the "=Foo" is necessary, even though it's never used. Here's the patch/hack for the Ant pattern matching:

    Code:
    Index&#58; core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java
    ===================================================================
    RCS file&#58; 
    
    /cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationD
    
    efinitionMap.java,v
    retrieving revision 1.2
    diff -u -r1.2 PathBasedFilterInvocationDefinitionMap.java
    --- core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java	5 Dec 2004 
    
    05&#58;04&#58;52 -0000	1.2
    +++ core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java	16 Dec 2004 
    
    00&#58;46&#58;51 -0000
    @@ -113,6 +113,19 @@
     
             while &#40;iter.hasNext&#40;&#41;&#41; &#123;
                 EntryHolder entryHolder = &#40;EntryHolder&#41; iter.next&#40;&#41;;
    +            
    +            // If path starts with !, and it matches, return
    +            if &#40;entryHolder.getAntPath&#40;&#41;.startsWith&#40;"!"&#41;&#41; &#123;
    +                String pathToCompare = 
    +                    entryHolder.getAntPath&#40;&#41;.substring&#40;1, entryHolder.getAntPath&#40;&#41;.length&#40;&#41;&#41;;
    +                boolean matched = PathMatcher.match&#40;pathToCompare, url&#41;;
    +                if &#40;matched&#41; &#123;
    +                    if &#40;logger.isDebugEnabled&#40;&#41;&#41; &#123;
    +                        logger.debug&#40;"Matched excluded URL, returning null"&#41;;
    +                    &#125;
    +                    return null;
    +                &#125;
    +            &#125;
     
                 boolean matched = PathMatcher.match&#40;entryHolder.getAntPath&#40;&#41;, url&#41;;
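
    Review bot: In the `if (matched)` branch, `return null` is what leaves the URL unprotected, yet the debug message names neither the URL nor the `!` pattern that matched; log both (`url` and `pathToCompare` are already in scope) so an over-broad exclusion can be spotted afterwards. When a `!` entry does not match, control falls through to the existing `PathMatcher.match(entryHolder.getAntPath(), url)` call with the `!` still in the path, so add a `continue` after the exclusion check. `substring(1)` is enough in place of `substring(1, length())`, and the inner `boolean matched` shares its name with the one declared just below the block; a distinct name such as `excluded` would read more clearly.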

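
An added example (not code from the thread or from Acegi) that models the `!` exclusion syntax from post #2. It assumes entries are tried in order with the first match winning and that the compared URL includes the query string, and it uses a simplified, hypothetical `antToRegex` helper in place of Acegi's `PathMatcher`. It shows that a `!` entry only takes effect when listed before the broad rule, and that `!/signup.html` without a trailing `*` does not cover the same page requested with a query string.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration: models the ordered, first-match lookup with "!" exclusions.
// antToRegex is a simplified stand-in for Acegi's PathMatcher, not its real code.
public class ExclusionOrderDemo {

    // '*' matches within one path segment, '?' one character; the rest is literal.
    static Pattern antToRegex(String ant) {
        StringBuilder re = new StringBuilder();
        for (char c : ant.toCharArray()) {
            if (c == '*') re.append("[^/]*");
            else if (c == '?') re.append("[^/]");
            else re.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(re.toString());
    }

    // Returns the required role, or null when the URL is treated as unprotected.
    static String lookup(Map<String, String> rules, String url) {
        String u = url.toLowerCase(); // CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        for (Map.Entry<String, String> e : rules.entrySet()) {
            String path = e.getKey();
            if (path.startsWith("!")) {
                if (antToRegex(path.substring(1)).matcher(u).matches()) return null;
                continue; // an exclusion entry never grants a role
            }
            if (antToRegex(path).matcher(u).matches()) return e.getValue();
        }
        return null; // no rule matched
    }

    public static void main(String[] args) {
        Map<String, String> asPosted = new LinkedHashMap<>();
        asPosted.put("!/signup.html", "Foo");
        asPosted.put("!/passwordhint.html*", "Foo");
        asPosted.put("/*.html*", "Administrators");

        Map<String, String> reordered = new LinkedHashMap<>();
        reordered.put("/*.html*", "Administrators"); // broad rule first
        reordered.put("!/signup.html", "Foo");        // shadowed for any .html URL
        // Constructed sample URLs; the query string is assumed to be part of the match.
        String[] urls = {"/signup.html", "/signup.html?x=1", "/passwordHint.html?u=bob", "/admin.html"};
        for (String url : urls) {
            System.out.println(url + " -> " + lookup(asPosted, url) + " | reordered: " + lookup(reordered, url));
        }
    }
}
```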


    • #3
      Don't forget ObjectDefinitionSource is an interface, so you can keep your customisations and they will (unless we modify the interface contract) be compatible with future releases of Acegi Security.

      I still intend to code an anonymous user approach, as people might find it helpful for method security as well.
