Filter config clarification and best practices

  • Filter config clarification and best practices

    I've gotten pretty comfortable with a good chunk of Acegi, but I'm still a little confused about the configuration of filters.... or I'd at least like to hear some common/best practices for configuring/using these filters.

    I guess primarily I'm wondering about the FilterChainProxy. I understand that this allows me to wire up a list of filters to invoke for given url patterns. However, I'm not clear on why I would have different groupings of filters for different urls... seems like I would either be applying the filters (secured area) or not. If a url is matched by the FilterChainProxy, it runs all the filters configured for it, right? So, perhaps there are cases where only certain filters can run?

    The contacts app just applies all the filters to /**, but I've seen other examples that specify different groups of filters for different urls... oh and some that specify filters for the login page or /j_acegi_security_check. Why would I want my filters to apply to the login page and the /j_acegi_security_check url? (Hmm, though I see that if I don't have j_acegi_security_check in my filter list I get a 404 when trying to log in.)

    I'm currently using these filters: httpSessionContextIntegrationFilter, authenticationProcessingFilter, and securityEnforcementFilter. I had the anonymousProcessingFilter hooked up, but I guess at some point I "unhooked" it.

    That raises another question: I had the anonymous stuff hooked up, but then I found that once I logged in as a user, I lost access to anything that was mapped to ROLE_ANONYMOUS. I understand that it was because my user didn't have that role, but it seems silly to create an "anonymous" role which you then have to give to *every* user. Wondering how people have used the anonymous authentication stuff?

    Oh, and one more question: what is the significance of the "*=" in these filter configurations?

    thanks,

    Ben

  • #2
    Re: Filter config clarification and best practices

    Originally posted by yukster
    The contacts app just applies all the filters to /**, but I've seen other examples that specify different groups of filters for different urls...
    FilterChainProxy was just designed to be flexible. In all cases you should start with a single /** entry and only have more than one entry in specialised (unusual) cases. It's rarely necessary to have more than one entry.

    Originally posted by yukster
    That raises another question: I had the anonymous stuff hooked up, but then I found that once I logged in as a user, I lost access to anything that was mapped to ROLE_ANONYMOUS. I understand that it was because my user didn't have that role, but it seems silly to create an "anonymous" role which you then have to give to *every* user. Wondering how people have used the anonymous authentication stuff?
    Most of the time you'll have a ROLE_USERS or ROLE_EVERYONE or similar "global" group. You then will have ROLE_ANONYMOUS,ROLE_EVERYONE defined in your configuration attributes for secure objects that can be called at any time (such as an index page or public method).

    Originally posted by yukster
    Oh, and one more question: what is the significance of the "*=" in these filter configurations?
    The left-hand side of the equals sign is defined by the Ant Paths "standard". The "=" is required because we're treating it as a Properties file internally. The right-hand side is our own convention (nothing special - just comma-separated values of the names of filter beans in the application context) to list the filters.
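
    The configuration the reply describes, written out as an added example (it is not from the original thread and not copied from the Acegi sample apps): one `/**` entry in the FilterChainProxy, the four filters from the first post in the order they must run, and an `objectDefinitionSource` that pairs `ROLE_ANONYMOUS` with a global `ROLE_EVERYONE` on public URLs so that neither anonymous visitors nor logged-in users lose access to them. Package and class names assume Acegi 1.0.x (`org.acegisecurity.*`; the 0.x releases used `net.sf.acegisecurity.*`). The `key` value, the `ROLE_EVERYONE` role name and the JSP paths are illustrative assumptions, and the `authenticationManager` and `accessDecisionManager` beans referenced here are assumed to be defined elsewhere in the same context.

```xml
<!-- Added example, not part of the original thread. Assumes Acegi 1.0.x class names. -->
<!-- web.xml maps one FilterToBeanProxy (targetClass=org.acegisecurity.util.FilterChainProxy) to /*. -->

<!-- A single /** entry: the same chain runs for every request, including the login page
     and /j_acegi_security_check. The latter is mandatory, because AuthenticationProcessingFilter
     is what handles that URL; if the chain skips it you get the 404 described in the first post. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter
    </value>
  </property>
</bean>

<!-- 1. Load the SecurityContext from the HttpSession (and save it back when the request ends). -->
<bean id="httpSessionContextIntegrationFilter"
      class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

<!-- 2. Form login: only acts on /j_acegi_security_check, passes everything else through. -->
<bean id="authenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
  <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
  <property name="defaultTargetUrl"><value>/</value></property>
</bean>

<!-- 3. After the real authentication filters: only fills in an anonymous token when the
     context is still empty, so logged-in users are never downgraded to ROLE_ANONYMOUS.
     The key (assumed value) must match the AnonymousAuthenticationProvider registered
     with the authenticationManager. -->
<bean id="anonymousProcessingFilter"
      class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
  <property name="key"><value>changeThisAnonymousKey</value></property>
  <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
</bean>

<!-- 4. Last in the chain: enforce the URL rules and translate failures into a redirect
     to the login page (for anonymous users) or an access denied response (for users
     who are authenticated but lack the role). -->
<bean id="securityEnforcementFilter"
      class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
  <property name="filterSecurityInterceptor"><ref bean="filterSecurityInterceptor"/></property>
  <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>
</bean>

<bean id="authenticationEntryPoint"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
  <property name="forceHttps"><value>false</value></property>
</bean>

<!-- Public URLs list both roles: an anonymous visitor holds ROLE_ANONYMOUS, every real account
     holds the global ROLE_EVERYONE (assumed name), and the RoleVoter grants access if the
     caller has any one of the listed roles. The first matching pattern wins, so the
     catch-all /** line must come last or it would shadow the public entries. -->
<bean id="filterSecurityInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /index.jsp=ROLE_ANONYMOUS,ROLE_EVERYONE
      /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_EVERYONE
      /**=ROLE_EVERYONE
    </value>
  </property>
</bean>
```

    Two checks worth making on a configuration like this. With `CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON` the patterns themselves must be written in lowercase, otherwise a mixed-case pattern never matches and the request falls through to whichever later line does match. And the `/**=ROLE_EVERYONE` catch-all is what makes a new URL secure by default; leaving it out means any page not explicitly listed is reachable by anyone, which is the usual way an "unprotected admin page" ends up in production.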
