
Full example with JBoss adapter

If I understood correctly the whole thing (correct me if I'm wrong) even though I manage to authenticate I need to add another layer that binds the data I gathered before and add it in my container specific implementation using an adapter and that way I could use the role names in places like the struts-config.xml and the action tag so I'd be able to do things like:

Code:
<action roles="ROLE_1,ROLE_2" ... />
I'd like to do that because I tried securing an action with the invocationInterceptor

Code:
<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref bean="authenticationManager"/>
  </property>
  <property name="accessDecisionManager">
    <ref local="fromRequestAccessDecisionManager"/>
  </property>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /pages/admin/**=ROLE_A
      /pages/operator/**=ROLE_O
      /InsertElevator.do**=ROLE_S,ROLE_A
    </value>
  </property>
</bean>
and yet I still manage to invoke the action even without the role, so my hope is that at least using the adapter I could configure Struts to deny access to actions if the user is not in the role (this is only a hypothesis; did anyone make it work this way or otherwise?).
I'm using JBoss 4.0RC1, will be installing RC2 today. Did anyone try it with this version? Can someone post a working in-memory example (or JDBC) (with web.xml, files that you changed/added in the server directories and where you put them, and the applicationContext-acegi-security.xml file; where does the beanRefFactory.xml file go, is it a Spring beans file and is that one bean the only thing that should be in it)? I would like to do it by myself, but if someone did it why not use it, as I don't find it to be the most intuitive thing in the world.
In the application policy tag, what does the

Code:
<module-option name = "key">my_password</module-option>
serve? Do I need to change that password and who uses that password and for what? Again sorry if I'm asking obvious questions.

You're using "convert to lowercase" so the mapping
Code:
/InsertElevator.do**=ROLE_S,ROLE_A
should be
Code:
/insertelevator.do**=ROLE_S,ROLE_A
I'd also recommend you have a
Code:
**=ROLE_S,ROLE_A
and protect your public pages by explicitly declaring them as ROLE_ANONYMOUS. See the Contacts Filter Sample for a complete example. It basically means there's a "catch all" pattern that requires the user to be authenticated, rather than defaulting to authorizing the request.
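
The reply's two points as an added example, not part of the thread and not Acegi's own code: a Python check that models first-match URL mapping and flags mixed-case patterns under lower-casing and a missing catch-all. The Ant-style matching is a simplified assumption, and the function names and the `/login.jsp` entry are hypothetical.

```python
import re

DIRECTIVES = {"CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON", "PATTERN_TYPE_APACHE_ANT"}

def parse(source):
    """Return (lowercase_flag, [(pattern, [roles])]) from an objectDefinitionSource value."""
    lower, rules = False, []
    for line in filter(None, (l.strip() for l in source.splitlines())):
        if line in DIRECTIVES:
            lower = lower or line.startswith("CONVERT_URL")
            continue
        pattern, _, roles = line.partition("=")
        rules.append((pattern.strip(), [r.strip() for r in roles.split(",")]))
    return lower, rules

def ant_to_regex(pattern):
    # Assumption: simplified Ant-style matching (** crosses '/', * and ? do not).
    tokens = re.split(r"(\*\*|\*|\?)", pattern)
    body = "".join({"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(t, re.escape(t)) for t in tokens)
    return re.compile(body + r"\Z")

def required_roles(source, url):
    """First matching rule wins; None means no rule matched, so the URL is not secured."""
    lower, rules = parse(source)
    url = url.lower() if lower else url
    for pattern, roles in rules:
        if ant_to_regex(pattern).match(url):
            return roles
    return None

def lint(source):
    """Flag patterns that cannot match after lower-casing, and a missing catch-all."""
    lower, rules = parse(source)
    findings = [f"{p}: mixed-case pattern never matches a lower-cased URL"
                for p, _ in rules if lower and p != p.lower()]
    if not rules or rules[-1][0] not in ("**", "/**"):
        findings.append("last rule is not a catch-all: unmatched URLs are not secured")
    return findings

HEADER = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON\nPATTERN_TYPE_APACHE_ANT\n"
# Mapping as posted in the question.
ORIGINAL = HEADER + "/pages/admin/**=ROLE_A\n/pages/operator/**=ROLE_O\n/InsertElevator.do**=ROLE_S,ROLE_A\n"
# Reply's corrections applied; /login.jsp is a hypothetical public page.
FIXED = HEADER + ("/pages/admin/**=ROLE_A\n/pages/operator/**=ROLE_O\n"
                  "/insertelevator.do**=ROLE_S,ROLE_A\n/login.jsp=ROLE_ANONYMOUS\n**=ROLE_S,ROLE_A\n")

if __name__ == "__main__":
    for name, src in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, required_roles(src, "/InsertElevator.do"), lint(src))
```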