  • Adding a New Role

    Hi,

    I am trying to add a new role, ROLE_DEMO, to the existing contacts example.

    here is my security.xml

    Code:
    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /index.jsp=ROLE_ANONYMOUS,ROLE_USER,ROLE_DEMO
                /hello.htm=ROLE_ANONYMOUS,ROLE_USER,ROLE_DEMO
                /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER,ROLE_DEMO
                /switchuser.jsp=ROLE_SUPERVISOR
                /j_acegi_switch_user=ROLE_SUPERVISOR
                /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER,ROLE_DEMO
                /**=ROLE_USER,ROLE_DEMO
            </value>
        </property>
    </bean>
    This doesn't seem to be working.
    Do I need to override any other classes for this?
    Is it mandatory to have ROLE_ prefixed for all the roles?

    Thanks

  • #2
    When you say it's not working, what does that actually mean? You do need to ensure when the users are loaded the appropriate ones have the ROLE assigned otherwise you aren't going to be able to access the URL.

    • #3
      If I assign a role ROLE_USER to the user, I am successfully logged in into the application.
      But if I have the role as ROLE_DEMO or ADMINDS, for the same user, it gives me

      Code:
      Sorry, access is denied
      org.acegisecurity.AccessDeniedException: Access is denied 
      
      Authentication object as a String: [email protected]185c930: Username: org.acegisecurity.userdetails.User@fa7c0980: Username: CADAMS; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_DEMO; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 40BA25A77EB83451AF6D4AD682A1A995; Granted Authorities: ROLE_DEMO

      • #4
        I'm guessing this will be down to how you have secured your URLs. This is seen in the code you originally posted.

        • #5
          I have ROLE_USER working but not ROLE_DEMO (which gives access denied).
          Is there any other place where I need to include ROLE_DEMO other than filterInvocationInterceptor?

          Thanks

          • #6
            You need to make sure the user that is trying to access the URL is actually assigned the ROLE. If you are using InMemoryDaoImpl or something similar just add the ROLE to the User.

            • #7
              Originally posted by karldmoore:
              You need to make sure the user that is trying to access the URL is actually assigned the ROLE. If you are using InMemoryDaoImpl or something similar just add the ROLE to the User.
              By this do you mean adding it in the database (I am using jdbcDaoImp)? I already have that added.

              What is the role of

              Code:
              <bean id="contactManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
                  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
                  <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
                  <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
                  <property name="objectDefinitionSource">
                      <value>
                          sample.contact.ContactManager.create=ROLE_USER,CVADMIN
                          sample.contact.ContactManager.getAllRecipients=ROLE_USER,CVADMIN
                          sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ,CVADMIN
                          sample.contact.ContactManager.getByUserId=ROLE_USER,SUPERVISOR,CVADMIN
                          sample.contact.ContactManager.delete=ACL_CONTACT_DELETE
                          sample.contact.ContactManager.deletePermission=ACL_CONTACT_ADMIN
                          sample.contact.ContactManager.addPermission=ACL_CONTACT_ADMIN
                      </value>
                  </property>
              </bean>

              Thanks
              Vinaya

              • #8
                I don't remember using the word "database". All I was trying to say is there are two things to do. You need to secure the URL or object with the ROLE_, you then need to ensure the user actually has the ROLE_ assigned.

                  So in the example you would add:
                Code:
                marissa=koala,ROLE_SUPERVISOR,ROLE_DEMO
                dianne=emu,ROLE_USER
                scott=wombat,ROLE_USER
                peter=opal,disabled,ROLE_USER
                Code:
                /secure/extreme/**=ROLE_SUPERVISOR,ROLE_DEMO
                /secure/**=IS_AUTHENTICATED_REMEMBERED
                /**=IS_AUTHENTICATED_ANONYMOUSLY

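
An added example (not code from the thread or from Acegi) that models the two requirements in this reply, a URL secured with a ROLE_ attribute and a user who actually holds that authority, the way FilterSecurityInterceptor decides them: first matching Ant pattern wins, a RoleVoter ignores attributes without the ROLE_ prefix (which is why CVADMIN, SUPERVISOR or ADMINDS in the earlier method-security config never count as roles), and an AffirmativeBased manager denies when nothing grants. It assumes only a RoleVoter is configured (IS_AUTHENTICATED_* attributes need AuthenticatedVoter and are not modelled), uses a simplified Ant matcher, and SAMPLE_SOURCE is constructed.

```python
import re

ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1

# Constructed sample in the objectDefinitionSource text format; ADMINDS lacks the ROLE_ prefix.
SAMPLE_SOURCE = """
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /secure/extreme/**=ROLE_SUPERVISOR,ROLE_DEMO
    /secure/**=ROLE_USER,ROLE_DEMO
    /**=ROLE_USER,ADMINDS
"""


def parse_definition_source(text):
    """Return (lowercase_urls, [(pattern, [attribute, ...]), ...]) in file order;
    Acegi takes the first matching pattern, so /** has to come last."""
    lowercase, entries = False, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif line != "PATTERN_TYPE_APACHE_ANT":  # only Ant-style patterns are modelled
            pattern, attrs = line.split("=", 1)
            entries.append((pattern, [a.strip() for a in attrs.split(",")]))
    return lowercase, entries


def ant_match(pattern, path):
    """Simplified Ant matcher: ** crosses directories, * and ? stay within one segment."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
    return re.fullmatch(regex, path) is not None


def role_voter(authorities, attributes, prefix="ROLE_"):
    """RoleVoter only looks at attributes carrying the prefix and abstains when none
    do, so CVADMIN, SUPERVISOR or ADMINDS on their own never produce a vote."""
    supported = [a for a in attributes if a.startswith(prefix)]
    if not supported:
        return ACCESS_ABSTAIN
    return ACCESS_GRANTED if any(a in authorities for a in supported) else ACCESS_DENIED


def can_access(definition_text, url, authorities):
    """AffirmativeBased with a single RoleVoter: grant on GRANTED, otherwise deny
    (allowIfAllAbstainDecisions is false by default); an unmatched URL is public."""
    lowercase, entries = parse_definition_source(definition_text)
    path = url.lower() if lowercase else url
    for pattern, attributes in entries:
        if ant_match(pattern, path):
            return role_voter(set(authorities), attributes) == ACCESS_GRANTED
    return True
```

With this model a user holding only ADMINDS is denied on /index.jsp even though ADMINDS is listed there, while a ROLE_DEMO user reaches /secure/extreme/ exactly as the reply describes.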
                • #9
                  Hi,

                  Thanks,
                  I got them working.

                  • #10
                    Nice, what did the problem end up being?

                    • #11
                      I had to override AclEntryAfterInvocationProvider's constructor.
                      Code:
                      // Constructor passing "SUPERVISOR" as the processConfigAttribute instead of the
                      // provider's default, so the after-invocation ACL check fires on the SUPERVISOR
                      // attribute used in contactManagerSecurity
                      public NPAclEntryAfterInvocationProvider(AclService aclService, Permission[] requirePermission) {
                          super(aclService, "SUPERVISOR", requirePermission);
                      }
