
  • Security based on urls

    Hi,

    I have a question here about URL-based security.

    I have a user A who can only view /secure/*.jsp
    I have a user B who can view /admin/*.jsp

    Now, when I am logged in as A and change the URL (by typing in the address bar) to /admin/*.jsp, A is also able to see the JSP.
    How can I restrict this?

  • #2
    I would have a look at the examples that ship with Acegi, they show how to do this.



    • #3
      Hi karl,

      I was working with the examples (contacts) and it allows this.
      I mean I am able to see the admin permissions page if I change the URL manually. The user is not able to see the link to go to it, though.


      Thanks
      Vinaya



      • #4
        I guess the link is protected but the URL isn't. If you add the URL and the ROLE to the code below it should fix it. You might want to JIRA this if you think it's a problem.
        Code:
           <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
              <property name="authenticationManager"><ref bean="authenticationManager"/></property>
              <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
              <property name="objectDefinitionSource">
                 <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /index.jsp=ROLE_ANONYMOUS,ROLE_USER
                    /hello.htm=ROLE_ANONYMOUS,ROLE_USER
                    /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
                    /switchuser.jsp=ROLE_SUPERVISOR
                    /j_acegi_switch_user=ROLE_SUPERVISOR
                    /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
                    /**=ROLE_USER
                 </value>
              </property>
           </bean>
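
The fix described in #4, applied to the two path sets from the original question. This is an added example, not part of the thread or of the Acegi samples; ROLE_ADMIN is a hypothetical role name for user B, and the bean ids are the ones from the snippet above.

```xml
<!--
  Added example. Assumptions: user A holds ROLE_USER only; user B holds
  ROLE_USER and the hypothetical ROLE_ADMIN.

  Weak form: if the only rule that matches /admin/... is the catch-all
      /**=ROLE_USER
  then hiding the link in the page is the sole protection, and any
  authenticated ROLE_USER who types the URL gets the page.

  Corrected form: rules are evaluated top to bottom and the first match
  wins, so the specific /admin/** and /secure/** rules must sit above /**.
  Patterns are written in lowercase because
  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON lowercases the request URL
  before it is compared.
-->
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
   <property name="authenticationManager"><ref bean="authenticationManager"/></property>
   <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
   <property name="objectDefinitionSource">
      <value>
         CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
         PATTERN_TYPE_APACHE_ANT
         /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
         /admin/**=ROLE_ADMIN
         /secure/**=ROLE_USER
         /**=ROLE_USER
      </value>
   </property>
</bean>
```

To check the result, log in as user A and request a page under /admin/ directly: the interceptor should deny access instead of rendering the JSP.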
