[EMAIL PROTECTED] wrote:
First, thanks to Ben for helping me understand some of the Acegi internals. My question revolves around using BASIC authentication with Acegi. First, let me start by stating that I am not using HTML. I am using Flex which uses a Flash client with SOAP requests. What I want to know is if I use BASIC authentication will Acegi still be able to use the notion of a ContextHolder to store authentication credentials such as roles? I want to use the roles for my Spring managed business objects of course. Furthermore, is there a filter that I should be using that will not redirect to a page if authentication fails? Instead of the filter redirecting to a JSP, or other page, I would like to just send a response.sendError(HttpServlet.SC_UNAUTHORIZED) back to the client. Should I just write my own filter that is similar to the BasicProcessingFilter and append it in the chain of filters? The Flash client is expecting a 401 HTTP error to notice a Client.Authentication fault/exception. The current filter tries to redirect to the custom login form which does not apply in my context.
Hi Mark
The normal approach to BASIC authentication is to use SecurityEnforcementFilter, which detects any Acegi Security related exceptions. If the user is not logged in, the AuthenticationEntryPoint implementation will be called, which is usually BasicProcessingFilterEntryPoint in this case. If the user is logged in, a straight 403 (access denied) will be thrown. BasicProcessingFilterEntryPoint will throw a 401 (unauthorised) which will cause the calling browser to attempt login.
Whilst SecurityEnforcementFilter can provide HTTP URL security, you don't _have_ to use it for this. The main value in your case is it detects security exceptions thrown by later executed code (namely the MethodSecurityInterceptor), meaning it can send the 403 or redirect to the AuthenticationEntryPoint accordingly.
Does that answer your questions, as I think these classes will provide the behaviour you need?
Best regards
Ben
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
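The behaviour described in the reply (401 with a BASIC challenge when the caller is not authenticated, a plain 403 when an authenticated caller is denied, and no redirect in either case) can be sketched with the standard Servlet API alone. This is an added example, not Acegi Security's code and not code from either poster; the filter class, the two exception classes and the `realm` init parameter are hypothetical stand-ins for the security exceptions that later code would throw.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical stand-ins for the security exceptions thrown by later-executed code.
class NotAuthenticatedException extends RuntimeException {}
class NotAuthorizedException extends RuntimeException {}

public class StatusCodeSecurityFilter implements Filter {
    private String realm = "Example Realm"; // assumed default realm name

    public void init(FilterConfig cfg) {
        String configured = cfg.getInitParameter("realm");
        if (configured != null) realm = configured;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(req, res); // business objects run further down the chain
        } catch (NotAuthenticatedException e) {
            reject(response, true);
        } catch (NotAuthorizedException e) {
            reject(response, false);
        } catch (ServletException e) {
            // Some containers wrap runtime exceptions; unwrap before deciding.
            Throwable cause = e.getRootCause();
            if (cause instanceof NotAuthenticatedException) reject(response, true);
            else if (cause instanceof NotAuthorizedException) reject(response, false);
            else throw e;
        }
    }

    // challenge == true: 401 plus WWW-Authenticate so the client retries with credentials.
    // challenge == false: caller is known but not allowed, so a plain 403.
    private void reject(HttpServletResponse response, boolean challenge) throws IOException {
        if (response.isCommitted()) return; // status can no longer be changed
        if (challenge) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void destroy() {}
}
```

A non-browser client such as the Flash/SOAP caller in the question sees only the status code and the `WWW-Authenticate` header, never a login page.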