How to allow Method invocation when not yet authenticated?
This topic is closed

  • How to allow Method invocation when not yet authenticated?

    I have a UserManager class that I'm trying to enforce method invocation security on. So far it is working beautifully with only one exception... I can't have users create a new account any more [which limits the functionality somewhat].

    The problem is twofold. The first issue I discovered was that if a user tried to run the signup action before the first user logged in, the SecureContext is not created, so the signup action throws an Exception with the error message "A valid SecureContext was not found in the RequestContext". This makes sense to me, and may be something that I just have to deal with.

    The second part of the problem is after the SecureContext has been created, when a user tries to sign up, they get an Exception with this message:
    "Authentication credentials were not found in the SecureContext"

    I tried making an "AuthenticationVoter" that would grant access based on (authentication == null ^ isAuthenticationRequired()), but it seems to be returning the exception prior to my AccessDecisionVoter.

    Any suggestions about how I should approach this?


  • #2
    Would it be possible to simply remove the configuration attributes from your UserManager.createNewUser() method? Then it becomes a public method and anyone can call it who needs to.

    In the Contacts sample, ContactManager.getRandomContact() is a public method. See the applicationContext-common-authorization.xml file.


    • #3
      Weird.. that sample was what I used as a starting point for adding authorization to my app. I simplified it a bit by removing the ACL stuff, so everything is role based in mine, but other than that I don't remember changing much of anything.

      The very first thing I tried was to not include an entry in the objectDefinitionSource for saveNewUser(), but when that failed I tried to get more creative [and so far have walked down a few dead ends]. But if it should have worked by just not having a listing for that method in objectDefinitionSource, then there must be something more fundamentally wrong with my config.

      I have been tied up the past couple of days and have not had a chance to try more stuff. But I'll look again at that sample app and see why it works [and mine doesn't].

      Thanks Ben.

      [I hate this awkward newbie stage]


      • #4
        We all have to start sometime - don't worry about it.. :-)
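
The behaviour discussed in replies #2 and #3, as an added example that is not part of the original thread and is not Acegi's code: a simplified model of a method security interceptor in which a method with no configuration attribute is public, and a listed method fails on missing credentials before any access decision is made. The `deleteUser` method, the `ROLE_ADMIN` role, the `SECURED` map and the `currentRole` field are assumptions made for illustration.

```java
import java.lang.reflect.*;
import java.util.Map;

// Simplified model of a method security interceptor; NOT Acegi's implementation.
public class PublicMethodDemo {
    interface UserManager {            // hypothetical interface modelled on the thread
        String createNewUser(String name);
        String deleteUser(String name);
    }

    static class UserManagerImpl implements UserManager {
        public String createNewUser(String name) { return "created " + name; }
        public String deleteUser(String name) { return "deleted " + name; }
    }

    // Stand-in for the per-request security context; null means nobody is logged in.
    static String currentRole = null;

    // Stand-in for objectDefinitionSource: method name -> required role.
    // createNewUser is deliberately not listed, so it is treated as public.
    static final Map<String, String> SECURED = Map.of("deleteUser", "ROLE_ADMIN");

    static UserManager secure(UserManager target) {
        InvocationHandler h = (proxy, method, args) -> {
            String required = SECURED.get(method.getName());
            if (required == null) {
                return method.invoke(target, args);  // public: no credentials needed
            }
            // Credentials are checked before any access decision (voter) would run.
            if (currentRole == null) {
                throw new SecurityException("Authentication credentials were not found");
            }
            if (!required.equals(currentRole)) {
                throw new SecurityException("Access is denied");
            }
            return method.invoke(target, args);
        };
        return (UserManager) Proxy.newProxyInstance(
                UserManager.class.getClassLoader(), new Class<?>[] {UserManager.class}, h);
    }

    public static void main(String[] args) {
        UserManager um = secure(new UserManagerImpl());
        System.out.println(um.createNewUser("alice"));   // anonymous caller, public method
        try {
            um.deleteUser("alice");                       // anonymous caller, listed method
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        currentRole = "ROLE_ADMIN";
        System.out.println(um.deleteUser("alice"));       // authenticated caller with the role
    }
}
```

Leaving a method unlisted removes every check on it, so the signup method itself has to validate its input and must not expose anything that should require a logged-in user.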