struts-user mailing list archives

From "Ian.Priest" <Ian.Pri...@opsera.com>
Subject Acegi with shale and clay
Date Mon, 24 Apr 2006 11:28:13 GMT
Hi,
 
I'm using Shale/Clay to create an application. I'd like to protect the
app with acegi's URL protection but I don't see a way to integrate with
the response rendering.
 
Here's an example: (all pages are rendered via Clay full html). I have
the structure
 
/welcome.html
/logon.html
/secure/page1.html
/secure/page2.html
 
The secure pages should only be accessible by those who have logged on
using logon.html. The secure/.. pages are defined as a dialog called
"secure".
 
In welcome.html I have an actionlink whose action is dialog:Secure.
 
I configure acegi to protect urls as follows:

<bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
	<property name="authenticationManager">
		<ref bean="authenticationManager" />
	</property>
	<property name="accessDecisionManager">
		<ref local="httpRequestAccessDecisionManager" />
	</property>
	<property name="objectDefinitionSource">
		<value>
			CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
			PATTERN_TYPE_APACHE_ANT 
			/secure/**=ROLE_USER
			/**=ROLE_ANONYMOUS
		</value>
	</property>
	<property name="observeOncePerRequest" value="false"/>
</bean>

If I now hit my application at welcome.html I'm assigned role ANONYMOUS
and all is well. However, if I click on the link to the "secure" dialog
acegi doesn't redirect me to logon.html. The request generated when I
click on the actionlink appears to be a request for /welcome.html which
acegi says it's ok to access anonymously. Shale's dialog manager then
works out that the action is dialog:Secure and causes page1 of that
dialog to render, apparently without doing either a forward or a redirect
to /secure/page1.html. (In web.xml I have the mapping to acegi as
follows:
	<filter-mapping>
		<filter-name>Acegi Filter Chain Proxy</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>FORWARD</dispatcher>
		<dispatcher>REQUEST</dispatcher>
	</filter-mapping>
So forwards should also fire the filter).
That means acegi never has a chance to intercept the request. (Once I'm
in the dialog on page1.html, if I click on the next button I am
redirected to the logon.html page - acegi correctly intercepts the
/secure/page1.html request that is made).

How can I intercept Shale's page building and view rendering mechanisms
to ensure that my site's urls are secured correctly?

Cheers,
Ian.
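
Added example, not part of the original message and not code from Acegi or Shale: a JSF PhaseListener that repeats the /secure/** check against the view id about to be rendered, since the servlet filter only sees the postback URL (/welcome.html). The class name is hypothetical, and it assumes view ids match the URL paths listed in the message and that the Acegi filter chain has already populated SecurityContextHolder for the request.

```java
import java.io.IOException;
import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;

// Hypothetical listener: authorizes the view being rendered, not the request URL.
public class SecureViewPhaseListener implements PhaseListener {
    private static final String SECURE_PREFIX = "/secure/";   // mirrors /secure/**=ROLE_USER
    private static final String REQUIRED_ROLE = "ROLE_USER";
    private static final String LOGON_PAGE = "/logon.html";

    public PhaseId getPhaseId() { return PhaseId.RENDER_RESPONSE; }

    public void beforePhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (ctx.getViewRoot() == null) return;
        // After navigation the view root already points at the target view,
        // even though the request URL is still the page that was posted back to.
        String viewId = ctx.getViewRoot().getViewId();
        if (viewId == null || !viewId.toLowerCase().startsWith(SECURE_PREFIX)) return;
        if (hasRole(REQUIRED_ROLE)) return;
        ExternalContext ext = ctx.getExternalContext();
        try {
            // Fail closed: either the redirect is sent or rendering is aborted.
            ext.redirect(ext.getRequestContextPath() + LOGON_PAGE);
        } catch (IOException e) {
            throw new FacesException(e);
        }
        ctx.responseComplete();
    }

    public void afterPhase(PhaseEvent event) { }

    private static boolean hasRole(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        GrantedAuthority[] granted = (auth == null) ? null : auth.getAuthorities();
        if (granted == null || !auth.isAuthenticated()) return false;
        for (int i = 0; i < granted.length; i++) {
            if (role.equals(granted[i].getAuthority())) return true;
        }
        return false;
    }
}
```

Such a listener is registered under lifecycle/phase-listener in faces-config.xml. The URL rules in filterInvocationInterceptor stay in place to cover direct requests to /secure/**.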


