  • Paranoid web-security? How-to?

    Hello all.
    Recently I started implementing a web-based application.
    I like Acegi, and decided to give it a try.
    One of my colleagues had written something prior to my tests, and I decided to use that.

    However I was very disappointed, that I have to set up url security by hand.

    In a couple of words: I have a user-only application, that requires that the user authenticates prior to accessing any part of the application. However when I did this:
    Code:
      <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="objectDefinitionSource">
          <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**=ROLE_USER
            /admin/**=ROLE_ADMIN
          </value>
        </property>
      </bean>
    I got held up by an infinite web-redirecting when the user tries to access the login page at /login.html, or /security_check or /index.jsp (which just redirects to the login page).
    I tried to find a way to disable security checks for the index and the login resources, but to no avail.

    So. Is it possible to exclude any resources from the security checks?
    I tried:
    Code:
    ...
            PATTERN_TYPE_APACHE_ANT
            /=
            /login.html=
            /index.jsp=
            /security_check=
            /**=ROLE_USER
    ...
    But this dies with a NPE when initializing the bean.

    The only (I don't like it, but...) way I found is to secure EVERYTHING except the login resources, but this approach is a complete PITA when it comes to a modularized application, where modules would be added, and the security module will not know anything about them.

  • #2
    See the Contacts Sample which demonstrates anonymous authentication. It addresses what you want to do. It's discussed at http://acegisecurity.sourceforge.net...y-ui-anonymous.

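    An added example (not from this thread or the Contacts sample) of the anonymous-authentication approach the reply points to: unauthenticated requests are given ROLE_ANONYMOUS, and the login resources are opened to that role so the interceptor no longer redirects them back to the login page. It keeps the Acegi 0.x package names from the original post and assumes that beans named daoAuthenticationProvider and accessDecisionManager (a RoleVoter-based one) already exist in the context.

```xml
<!-- Constructed example: grants ROLE_ANONYMOUS to requests that carry no Authentication.
     In the filter chain this filter goes after the authentication processing filter
     and before the ExceptionTranslationFilter / FilterSecurityInterceptor. -->
<bean id="anonymousProcessingFilter"
      class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
  <!-- must be identical to the key of anonymousAuthenticationProvider below -->
  <property name="key"><value>changeThisKey</value></property>
  <!-- "principal,authority[,authority...]" handed to anonymous requests -->
  <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
</bean>

<bean id="anonymousAuthenticationProvider"
      class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
  <property name="key"><value>changeThisKey</value></property>
</bean>

<!-- the anonymous provider must be registered, otherwise the anonymous token is rejected -->
<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref bean="daoAuthenticationProvider"/>  <!-- assumed to exist elsewhere -->
      <ref bean="anonymousAuthenticationProvider"/>
    </list>
  </property>
</bean>

<bean id="filterInvocationInterceptor"
      class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> <!-- assumed -->
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      <!-- first matching pattern wins: public entries go BEFORE the /** catch-all,
           and ROLE_USER is listed too so an already logged-in user is not locked out -->
      /login.html=ROLE_ANONYMOUS,ROLE_USER
      /security_check=ROLE_ANONYMOUS,ROLE_USER
      /index.jsp=ROLE_ANONYMOUS,ROLE_USER
      /**=ROLE_USER
    </value>
  </property>
</bean>
```

Because a new module's URLs still fall under `/**=ROLE_USER`, the security module does not need to know about them; only resources that must be reachable before login get an explicit ROLE_ANONYMOUS line.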


    • #3
      Yep! That's exactly what I was looking for. Many thanks.
