
AccessDeniedException

Hi, I am trying to protect my service layer with Acegi Security. Until now I have been using Acegi to restrict web access. Now I want to protect my service layer and I need help with it. To do this I wrote a proper securityInterceptor and created an autoProxy. This works fine but... When a user wants to access a page he/she does not have access to, he/she is redirected and sees the access denied page - exceptionTranslationFilter works fine.

But... When I have a page the user has access to and on this page there is a button which performs an action which the user does not have privileges to call, I see in my logs:

#{userMngBean.changePasswordAction}: javax.faces.el.EvaluationException: /page/secured/users.jspx @44,92 action="#{userMngBean.changePasswordAction}": org.acegisecurity.AccessDeniedException: Access is denied
javax.faces.FacesException: #{userMngBean.changePasswordAction}: javax.faces.el.EvaluationException: /page/secured/users.jspx @44,92 action="#{userMngBean.changePasswordAction}": org.acegisecurity.AccessDeniedException: Access is denied

changePasswordAction is a JSF action the user does not have privileges to call, so access denied is right. What is NOT right is that I see a page with javax.faces.el.EvaluationException and a stack trace.

What should I do to configure Acegi such that it will redirect user to access denied page???

exceptionTranslationFilter does not take this exception because it is wrapped by javax.faces.el.EvaluationException. What do I need to protect the service layer? SecurityInterceptor and proxy - I know, and this works fine. But what should I do to make exceptionTranslationFilter work in such cases? I am using JSF - this may be important.

Thanks in advance for any help, solution or explanation.

Are you using something like this?

Code:
   <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
       <!-- Where unauthenticated users are sent to log in -->
       <property name="authenticationEntryPoint">
           <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
               <property name="loginFormUrl" value="/login.html"/>
               <property name="forceHttps" value="false"/>
               <property name="serverSideRedirect" value="true"/>
           </bean>
       </property>
       <!-- Where authenticated users without the required authority are sent -->
       <property name="accessDeniedHandler">
           <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
               <property name="errorPage" value="/error.jsp?login_error=1"/>
           </bean>
       </property>
   </bean>

Then, from what I understand, the AccessDeniedHandlerImpl should redirect to the defined errorPage.
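
One way to handle the wrapped exception described in the question, as an added example that is not part of the original thread or of Acegi itself: a servlet filter that walks the cause chain and re-throws the buried AccessDeniedException so that ExceptionTranslationFilter can hand it to the accessDeniedHandler. The class name AccessDeniedUnwrappingFilter is hypothetical, and the sketch assumes the filter is mapped in web.xml after the Acegi filter chain and that the JSF implementation lets the exception propagate before the response is committed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.acegisecurity.AccessDeniedException;

/** Hypothetical filter: re-throws an AccessDeniedException buried in a JSF wrapper. */
public class AccessDeniedUnwrappingFilter implements Filter {

    private static final int MAX_DEPTH = 20; // guard against cyclic cause chains

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (ServletException e) {
            AccessDeniedException denied = findAccessDenied(e);
            if (denied != null) {
                throw denied; // unchecked, so it reaches ExceptionTranslationFilter as-is
            }
            throw e; // unrelated failure: leave it untouched
        } catch (RuntimeException e) { // FacesException / EvaluationException land here
            AccessDeniedException denied = findAccessDenied(e);
            if (denied != null) {
                throw denied;
            }
            throw e;
        }
    }

    /** Returns the first AccessDeniedException in the cause chain, or null if none. */
    static AccessDeniedException findAccessDenied(Throwable t) {
        for (int depth = 0; t != null && depth < MAX_DEPTH; depth++) {
            if (t instanceof AccessDeniedException) {
                return (AccessDeniedException) t;
            }
            Throwable next = t.getCause();
            // Older ServletException versions keep the cause only in getRootCause().
            if (next == null && t instanceof ServletException) {
                next = ((ServletException) t).getRootCause();
            }
            t = next;
        }
        return null;
    }
}
```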
