  • Syntax for securing one page instead of a whole directory?

    Hi, I am trying to use Acegi to add security to an existing web application. I only need to secure a single page in the root directory.

    I understand the syntax for blocking access to a whole directory such as:
    \A/directory/.*\Z

    What is the correct way for a single page in the root directory? I tried

    <property name="objectDefinitionSource">
    <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/edit\.jsp\Z=test_user
    </value>
    </property>

    but it is not working. Did I do something wrong?

    I cannot modify the structure of the application and that would break the system.

    Your help is really appreciated!

    Pete

  • #2
    You would presumably want to add a wildcard at the end
    Code:
    \A/edit.jsp.*\Z
    To cover the addition of query strings etc. So you can access the page even when you limit access to a specific role or something? How is the rest of your setup configured?



    • #3
      First of all I would suggest you use Ant Paths, as they're more readable and forgiving in most cases than regular expressions. But that's a style preference, and makes no difference. If you stick to the latter, please use Luke's regular expression pattern so that querystring parameters also cause a match.

      I think the right hand side of your equals is incorrect. It probably should be =ROLE_FOOBAR or similar, with ROLE_FOOBAR being a GrantedAuthority[] that is populated by your AuthenticationManager (in most cases your AuthenticationDao will do this from a database table).

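The difference between the pattern in the question and the one suggested in reply #2, as an added example that is not part of the thread or of Acegi itself: `java.util.regex` stands in for the framework's matcher, the request URLs are constructed samples, and `ROLE_FOOBAR` is the placeholder role name from reply #3.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration, not Acegi code: java.util.regex stands in for the
// framework's matcher, and ROLE_FOOBAR is the placeholder role from reply #3.
public class SinglePagePatternDemo {

    // Returns the config attribute of the first pattern that matches the whole
    // URL, or null when no pattern matches (the URL is then left unsecured).
    static String lookup(Map<String, String> rules, String url, boolean lowercase) {
        String candidate = lowercase ? url.toLowerCase(Locale.ROOT) : url;
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (Pattern.compile(rule.getKey()).matcher(candidate).matches()) {
                return rule.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Map<String, String> exact = new LinkedHashMap<>();
        exact.put("\\A/edit\\.jsp\\Z", "ROLE_FOOBAR");      // pattern from the question
        Map<String, String> wildcard = new LinkedHashMap<>();
        wildcard.put("\\A/edit.jsp.*\\Z", "ROLE_FOOBAR");   // pattern from reply #2

        // Constructed sample request URLs (path plus query string).
        String[] urls = {
            "/edit.jsp", "/edit.jsp?id=7", "/Edit.JSP?id=7", "/index.jsp", "/edit.jspx"
        };
        System.out.printf("%-18s %-14s %-14s%n", "url", "exact", "wildcard");
        for (String url : urls) {
            // true mirrors CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            System.out.printf("%-18s %-14s %-14s%n", url,
                    lookup(exact, url, true), lookup(wildcard, url, true));
        }
    }
}
```

With the exact pattern only the bare `/edit.jsp` resolves to the role, so a request carrying a query string falls through unmatched. The wildcard form also matches `/edit.jspx`, which errs toward requiring the role.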


      • #4
        Acegi -- a very good tool. use it.

        Luke,

        Thank you very much for your input.

        Ben,

        you are always so helpful.

        Though I had quit using Acegi for another project before (http://forum.springframework.org/showthread.php?t=14696), I could not resist the urge of using Acegi because it is simply a very good framework with or without Spring (you only need Spring to start Acegi). For that project, I was eventually able to continue using Acegi after looking at your source code and found a solution (a bit frustration there). For this project, with Acegi I added security to an existing pure servlet-based app in a non-intrusive way. Very happy.

        Acegi is a powerful tool and no doubt not using it would be a mistake if anyone uses Spring to build an enterprise solution, but I feel it needs more documentation, examples, and bug fixes/addition of code. Ben, why not write a book about Acegi? In an "ALive" style? Matt Raible wrote a Spring Alive (a good one, www.sourcebeat.com). There are a few Spring books with an introduction of Acegi. I believe there is a market for a book with in-depth and comprehensive description of Acegi.

        Again, thank you both very much.

        Regards, Pete
        Last edited by robyn; May 16th, 2006, 03:08 AM.



        • #5
          Hi Pete

          Thank you for your kind words, and I'm pleased you were able to use Acegi Security in your project! Luke has a really nifty migration tool at http://www.monkeymachine.co.uk/acegifier/convert.htm for converting from web.xml to Acegi Security. It's still in beta, so be gentle.

          There is already a book being written on Acegi Security, although not by me. :-) Unfortunately there are only so many hours in the day, although I am reviewing it technically and writing a foreword etc. Hopefully it'll be a hit. The author is actually well-known and highly experienced - it's good to have a person of his calibre developing such a useful and frequently requested publication.

          Cheers
          Ben
