Paranoid web-security? How-to?
This topic is closed

  • Paranoid web-security? How-to?

    Hello all.
    Recently I started implementing a web-based application.
    I like Acegi, and decided to give it a try.
    One of my colleagues had written something prior to my tests, and I decided to use that.

    However, I was very disappointed that I have to set up URL security by hand.

    In a couple of words: I have a user-only application that requires that the user authenticates prior to accessing any part of the application. However, when I did this:
      <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="objectDefinitionSource">
    I got held up by infinite web redirecting when the user tries to access the login page at /login.html, or /security_check or /index.jsp (which just redirects to the login page).
    I tried to find a way to disable security checks for the index and the login resources, but to no avail.

    So. Is it possible to exclude any resources from the security checks?
    I tried:
    But this dies with a NPE when initializing the bean.

    The only (I don't like it, but...) way I found is to secure EVERYTHING except the login resources, but this approach is a complete PITA when it comes to a modularized application, where modules would be added, and the security module will not know anything about them.

  • #2
    See the Contacts Sample which demonstrates anonymous authentication. It addresses what you want to do. It's discussed at


    • #3
      Yep! That's exactly what I was looking for. Many thanks.
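
The anonymous-authentication approach that reply #2 points to, written out as an added example (not code from the thread or copied from the Contacts sample). The three open paths are the ones named in the first post; the bean names `authenticationManager` and `accessDecisionManager` and the key value are assumptions.

```xml
<beans>
  <!-- Gives every request that arrives without an Authentication an anonymous
       one carrying ROLE_ANONYMOUS. The key is a constructed placeholder. -->
  <bean id="anonymousProcessingFilter"
        class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    <property name="key"><value>CHANGE_ME_SHARED_KEY</value></property>
    <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
  </bean>

  <!-- Must be listed among the authentication manager's providers; its key
       has to match the filter's key above. -->
  <bean id="anonymousAuthenticationProvider"
        class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    <property name="key"><value>CHANGE_ME_SHARED_KEY</value></property>
  </bean>

  <!-- Patterns are checked top to bottom and the first match decides, so the
       login resources are opened to ROLE_ANONYMOUS before the catch-all.
       Everything else, including modules added later, falls under /** and
       needs ROLE_USER without the security module knowing about it. -->
  <bean id="filterInvocationInterceptor"
        class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <!-- Assumed bean names, defined elsewhere in the context; the access
         decision manager is assumed to vote on ROLE_ attributes. -->
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /login.html=ROLE_ANONYMOUS,ROLE_USER
        /security_check=ROLE_ANONYMOUS,ROLE_USER
        /index.jsp=ROLE_ANONYMOUS,ROLE_USER
        /**=ROLE_USER
      </value>
    </property>
  </bean>
</beans>
```

The anonymous filter has to run in the filter chain before the security interceptor, otherwise unauthenticated requests to the login page still reach the interceptor with no Authentication and are redirected again.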