Ben Alex wrote:
Matt Raible wrote:
Sorry for all the questions, just want to get all my ducks in a row so AppFuse is using Acegi Security in the recommended fashion.
No problemo.
Question 1: I've found that putting the ContextHolderAwareRequestFilter in a FilterChainProxy bean does not work - it has to be explicitly mapped in my web.xml. Is this a bug in the documentation or implementation?Based on forum reports, it would seem there is a bug in that section of code. For FilterChainProxy to work it needs to do some low-level FilterChain manipulation, so it's possible this is not compatible with ContextHolderAwareRequestFilter's replacement of the ServletRequest. I think the problem is I'm using the fi.getRequest() inside VirtualFilterChain, whereas I probably should use the ServletRequest (named arg0 in VirtualFilterChain.doFilter()) instead. I am reluctant to declare that the problem just yet, as it needs testing. You're welcome to give that a try if you have a moment.
I changed both of the places where fi.getRequest() was called. Changing the first one didn't affect anything, but changing the second seems to have solved the problem. Here's the modified file:
Index: core/src/main/java/net/sf/acegisecurity/util/FilterChainProxy.java
===================================================================
RCS file: /cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/util/FilterChainProxy.java,v
retrieving revision 1.2
diff -u -r1.2 FilterChainProxy.java
--- core/src/main/java/net/sf/acegisecurity/util/FilterChainProxy.java 20 Feb 2005 05:40:18 -0000 1.2
+++ core/src/main/java/net/sf/acegisecurity/util/FilterChainProxy.java 10 Mar 2005 15:50:02 -0000
@@ -297,7 +297,7 @@
+ " reached end of additional filter chain; proceeding with original chain");
}
- fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+ fi.getChain().doFilter(arg0, fi.getResponse());
} else {
currentPosition++;@@ -308,7 +308,7 @@
+ additionalFilters[currentPosition - 1] + "'");
}- additionalFilters[currentPosition - 1].doFilter(fi.getRequest(),
+ additionalFilters[currentPosition - 1].doFilter(arg0,
fi.getResponse(), this);
}
}
Question 2: Because I still have to map 2 filters for Acegi Security, I'm leaning toward using the 5-filters in web.xml, rather than the one filter+FilterChainProxy. Are there any advantages to one or the other? The one thing I like about individual filters is I can make the <url-mappings> a little more explicit. Is something like the following possible with FilterChainProxy - so all 5 filters aren't processed for every request?
<filter-mapping> <filter-name>sessionContextIntegrationFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>authenticationFilter</filter-name> <url-pattern>/j_security_check</url-pattern> </filter-mapping> <filter-mapping> <filter-name>anonymousAuthenticationFilter</filter-name> <url-pattern>*.html</url-pattern> </filter-mapping> <filter-mapping> <filter-name>securityEnforcementFilter</filter-name> <url-pattern>*.html</url-pattern> </filter-mapping> <filter-mapping> <filter-name>remoteUserFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
Yes, it could be done like this:
<bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**/*.html=sessionContextIntegrationFilter,anonymousAuthenticationFilter,securityEnforcementFilter,remoteUserFilter
/j_security_check=sessionContextIntegrationFilter,authenticationFilter,remoteUserFilter
/**=sessionContextIntegrationFilter,remoteUserFilter </value> </property> </bean>
Don't forget FilterChainProxy not only provides inclusion/exclusion of Filters based on URI, but it also offers the ability to re-order the Filters (an advantage of web.xml).
I don't see how you can exclude filters (except by leaving them out of the list). I'll try using the above syntax later today.
Thanks,
Matt
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
