
  • Authorizing access to domain objects in an AbstractMarshallingPayloadEndpoint context

    I have a use case where a user should only have access to certain domain objects.

    The user has already been authenticated via Acegi from their Spring MVC login and an ACEGI_SECURITY_CONTEXT exists before they use the Spring webservices to access their domain objects.

    So I'd like to access their ACEGI_SECURITY_LAST_USERNAME and/or ACEGI_SECURITY_CONTEXT to get the current username. I can then check to see that they are trying to access their own domain objects and deny access if they don't "own" them.

    Unfortunately, AbstractMarshallingPayloadEndpoint passes an unmarshalled requestObject to the invokeInternal() method. The method only receives the unmarshalled requestObject, so it looks like I don't have any access to the Acegi data in that context.

    Is there any way to get access to the Acegi data in the AbstractMarshallingPayloadEndpoint context? I'd include the username in the message body but that would be an obvious security exposure.

  • #2
    SecurityContextHolder.getContext().getAuthentication().getName() would give you the user name.

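An added example, not part of the original thread: an ownership check inside `invokeInternal()` built on the `SecurityContextHolder` call from the reply above. `GetAccountEndpoint`, `GetAccountRequest`, `Account` and `AccountRepository` are hypothetical names; it assumes the Acegi filter chain also covers the web service URL, since the security context is thread-bound and `getAuthentication()` returns null otherwise.

```java
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationCredentialsNotFoundException;
import org.acegisecurity.context.SecurityContextHolder;
import org.springframework.ws.server.endpoint.AbstractMarshallingPayloadEndpoint;

public class GetAccountEndpoint extends AbstractMarshallingPayloadEndpoint {

    // Hypothetical domain types, defined here so the example is complete.
    public static class GetAccountRequest {
        private long accountId;
        public long getAccountId() { return accountId; }
        public void setAccountId(long accountId) { this.accountId = accountId; }
    }

    public static class Account {
        private final String ownerUsername;
        public Account(String ownerUsername) { this.ownerUsername = ownerUsername; }
        public String getOwnerUsername() { return ownerUsername; }
    }

    public interface AccountRepository {
        Account findById(long id); // returns null when no such account exists
    }

    private AccountRepository accounts;
    public void setAccounts(AccountRepository accounts) { this.accounts = accounts; }

    protected Object invokeInternal(Object requestObject) throws Exception {
        // The caller's identity comes from the thread-bound security context,
        // never from a field in the request payload.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AuthenticationCredentialsNotFoundException("No authenticated user");
        }
        GetAccountRequest request = (GetAccountRequest) requestObject;
        Account account = accounts.findById(request.getAccountId());
        // Same error for "missing" and "not yours", so object ids cannot be probed.
        if (account == null || !auth.getName().equals(account.getOwnerUsername())) {
            throw new AccessDeniedException("Access denied");
        }
        return account;
    }
}
```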