  • Full example with JBoss adapter

    If I understood correctly the whole thing (correct me if I'm wrong) even though I manage to authenticate I need to add another layer that binds the data I gathered before and add it in my container specific implementation using an adapter and that way I could use the role names in places like the struts-config.xml and the action tag so I'd be able to do things like:
    Code:
    <action roles="ROLE_1,ROLE_2" ... />
    I'd like to do that because I tried securing an action with the invocationInterceptor
    Code:
    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager">
        <ref bean="authenticationManager"/>
      </property>
      <property name="accessDecisionManager">
        <ref local="httpRequestAccessDecisionManager"/>
      </property>
      <property name="objectDefinitionSource">
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /pages/admin/**=ROLE_A
          /pages/operator/**=ROLE_O
          /InsertElevator.do**=ROLE_S,ROLE_A
        </value>
      </property>
    </bean>
    and yet I still manage to invoke the action even without the role, so my hope is that at least using the adapter I could configure struts to deny access to actions if the user is not in the role (this is only a hypothesis; did anyone make it work this way or otherwise?).
    I'm using JBoss 4.0RC1, will be installing RC2 today. Did anyone try it with this version? Can someone post a working in-memory example (or jdbc) (with web.xml, files that you changed/added in the server directories and where you put them and the applicationContext-acegi-security.xml file, where does the beanRefFactory.xml file go, is it a spring beans file and is that one bean the only thing that should be in it)? I would like to do it by myself but if someone did it why not use it as I don't find it to be the most intuitive thing in the world.
    In the application policy tag, what does the
    Code:
    <module-option name = "key">my_password</module-option>
    serve? Do I need to change that password and who uses that password and for what? Again sorry if I'm asking obvious questions.

  • #2
    You're using "convert to lowercase" so the mapping

    Code:
    /InsertElevator.do**=ROLE_S,ROLE_A
    should be

    Code:
    /insertelevator.do**=ROLE_S,ROLE_A
    I'd also recommend you have a

    Code:
    **=ROLE_S,ROLE_A
    and protect your public pages by explicitly declaring them as ROLE_ANONYMOUS. See the Contacts Filter Sample for a complete example. It basically means there's a "catch all" pattern that requires the user to be authenticated, rather than defaulting to authorizing the request.
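
Added example (not part of the original thread, and not Acegi's own code): a simplified Python model of the matching behaviour reply #2 describes, showing why the mixed-case pattern never matches once the URL is lowercased and how a catch-all changes the no-match result from "public" to "denied". Assumptions: the glob translation is a simplification of Ant path matching, `/login.jsp` and all function names are constructed, and any one listed role grants access.

```python
import re

# Simplified Ant-style glob translation (an assumption, not Acegi's matcher).
_TOKEN = re.compile(r"(/\*\*|\*\*|\*|\?)")
_GLOB = {"/**": "(?:/.*)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}

def ant_to_regex(pattern):
    parts = _TOKEN.split(pattern)
    return re.compile("".join(_GLOB.get(p) or re.escape(p) for p in parts))

def required_roles(rules, url, lowercase=True):
    """Roles of the first matching rule, or None when no rule matches."""
    if lowercase:
        # Only the request URL is lowercased; patterns are compared as written.
        url = url.lower()
    for pattern, roles in rules:
        if ant_to_regex(pattern).fullmatch(url):
            return roles
    return None  # no rule matched: the request is treated as public

def is_allowed(rules, url, user_roles):
    roles = required_roles(rules, url)
    if roles is None:
        return True  # nothing to enforce, so the request goes through
    return bool(set(roles) & set(user_roles))

# Rule set as posted in the question: the last pattern contains capitals.
AS_POSTED = [
    ("/pages/admin/**", ["ROLE_A"]),
    ("/pages/operator/**", ["ROLE_O"]),
    ("/InsertElevator.do**", ["ROLE_S", "ROLE_A"]),
]

# Rule set following reply #2: lowercase pattern, explicit public page
# (constructed path), then the catch-all as the last rule.
CORRECTED = [
    ("/pages/admin/**", ["ROLE_A"]),
    ("/pages/operator/**", ["ROLE_O"]),
    ("/insertelevator.do**", ["ROLE_S", "ROLE_A"]),
    ("/login.jsp", ["ROLE_ANONYMOUS"]),
    ("**", ["ROLE_S", "ROLE_A"]),
]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, required_roles(rules, "/InsertElevator.do"))
```

Rule order matters in this model: the first match wins, so the public-page rule has to come before the catch-all.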
