I am new with acegi, I am trying to create a demo webapp with Spring, Struts, hibernate and using the acegi-1.0 for authentication and autherization. I can't seem to get the 'observeOncePerRequest' on the FilterSecurityInterceptor to work. I would like each servlet forward to be secure and also page level security.
Here is part of my acegi config
<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="authenticationFailureUrl">
<value>/login.jsp?login_error=1</value>
</property>
<property name="defaultTargetUrl">
<value>/secure/userSessionInfo.do</value>
</property>
<property name="alwaysUseDefaultTargetUrl">
<value>true</value>
</property>
<property name="filterProcessesUrl">
<value>/secure/j_acegi_security_check</value>
</property>
<!-- <property name="rememberMeServices"><ref local="rememberMeServices"/></property>-->
</bean>
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="httpRequestAccessDecisionManager"/>
</property>
<property name="observeOncePerRequest">
<value>false</value>
</property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/secure/userprofileload.do=ROLE_USER
/secure/**=ROLE_USER,ROLE_DEVELOPER
</value>
</property>
</bean>
----------------------------------------------------------------------------------------------
__________________________________
STruts confi
<action path="/secure/userSessionInfo" type="com.web.login.UserSessionInfoAction"
name="loginForm"
validate="false">
<forward name="success" path="/secure/userAccountMain.do"/>
</action>
<action path="/secure/userAccountMain" type="com.web.userAccount.UserAccountMainLoadAction"
scope="request"
validate="false">
<forward name="success" path="/secure/userProfileLoad.do"/>
</action>
<action path="/secure/userProfileLoad" type="com.web.userAccount.UserProfileLoadAction"
scope="request"
validate="false">
<!--<forward name="success" path="section.userAccount.userProfile"/>-->
<forward name="success" path="/secure/section/userAccount/userProfile"/>
</action>
With this setting, I expect my access to fail if I login as a DEVELPOER, but I should be able to login as a USER. I was able to get into the application as both DEVELOPER and USER
