This topic is closed

  • FilterSecurityInterceptor + Struts action path

    Hi,

    We are in the process of integrating Acegi in our current project that uses Struts/Spring/Hibernate. So far we've managed to replace our authorization modules with Acegi's authentication package. However, we've been trying to figure out how FilterSecurityInterceptor works, specifically objectDefinitionSource. We are using Struts action mapping to forward/process requests across our application. The question is: how do we write these mappings into the objectDefinitionSource parameter?

    For example:

    In struts-config.xml

    <action path="/path/action"
    type="action.doSomething"
    scope="request">
    <forward name="doThis" path="/jsp/action.jsp" />
    </action>

    In our application context we try putting:

    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
    <property name="objectDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/path/.*\Z=ROLE_USER
    \A/.*\Z=ROLE_USER,ROLE_ADMIN
    </value>
    </property>
    </bean>

    Now say I log in with a ROLE_ADMIN role, and click on the link with a URL that has /path/action, I am still able to see the page. Shouldn't the user be notified or not allowed to view this page? Or do I still need to place that explicitly on my JSP page?

    Any suggestions/comments will be highly appreciated :-)

  • #2
    Ok, it was a newbie error, I didn't define the SecurityEnforcementFilter in my web.xml :roll:

    Related question is, how can I redirect a 403 status page to a user friendly page? Thanks again :-)


    • #3
      You'd normally use something like org.springframework.web.servlet.handler.SimpleMappingExceptionResolver, but it's web framework dependent.

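An added illustration, not part of the thread and not Acegi's own code: a small Python model of how the objectDefinitionSource from the first post resolves a request path once the filter from post #2 is registered. It models patterns being tried in the order listed with the first match deciding, and assumes that holding any one listed role is enough, since the thread does not show the httpRequestAccessDecisionManager definition; the function names are hypothetical.

```python
import re

# The objectDefinitionSource value from the first post, copied verbatim.
OBJECT_DEFINITION_SOURCE = r"""
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/path/.*\Z=ROLE_USER
    \A/.*\Z=ROLE_USER,ROLE_ADMIN
"""

LOWERCASE_DIRECTIVE = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON"


def parse_rules(text):
    """Return (lowercase_flag, [(compiled_pattern, {roles}), ...]) in listed order."""
    lowercase, rules = False, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == LOWERCASE_DIRECTIVE:
            lowercase = True
            continue
        # Split on the last '=' so a pattern that itself contains '=' stays intact.
        pattern, _, roles = line.rpartition("=")
        rules.append((re.compile(pattern), {r.strip() for r in roles.split(",")}))
    return lowercase, rules


def required_roles(url, text=OBJECT_DEFINITION_SOURCE):
    """Roles attached to the first pattern matching url, or None if no rule applies."""
    lowercase, rules = parse_rules(text)
    if lowercase:
        url = url.lower()
    for pattern, roles in rules:
        if pattern.fullmatch(url):
            return roles  # first match decides; later rules are never consulted
    return None


def is_allowed(url, granted, text=OBJECT_DEFINITION_SOURCE):
    """Assumed policy: any one of the required roles grants access."""
    roles = required_roles(url, text)
    return roles is None or bool(roles & set(granted))
```

Under this model a user holding only ROLE_ADMIN is refused /path/action, because the more specific /path/ rule is listed first and names only ROLE_USER; the catch-all rule that includes ROLE_ADMIN applies only to paths the first rule does not match.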