Vikas Sasidharan wrote:
I am not so enthusiastic about setting the flag to true. Could anybody suggest some other possible alternatives? My last option is to have a custom MethodSecurityInterceptor that enables separation of before-invocation and after-invocation interception. The problem is that I have set "/allowIfAllAbstain/" to false. Consequently, when the method call gets intercepted (before invocation) the Role Voter would return ABSTAIN and because of the flag not being set, Acegi would deny access to the user.
I'd suggest you investigate the different AccessDecisionManager implementations provided out-of-the-box and if needed provide your own. You could always use the AuthenticatedVoter so that there is a before-invocation authorization decision made for each secure object invocation.
Cheers
Ben

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
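Added example, not part of the original thread and not the project's own configuration: one way to wire the AuthenticatedVoter suggestion from the reply above, so that a method carrying only an after-invocation attribute still gets an explicit before-invocation decision while all-abstain stays a denial. It assumes Acegi 1.0 package names (`org.acegisecurity.*`); the `com.example.DocumentService` methods, the bean ids, the `AFTER_ACL_READ` attribute and the referenced `authenticationManager` and `afterInvocationManager` beans are hypothetical and would be defined elsewhere in the application context.

```xml
<!-- Added example; service names, bean ids and attributes are assumptions. -->
<beans>

  <!-- All-abstain remains a denial: a call that no voter grants is rejected. -->
  <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions"><value>false</value></property>
    <property name="decisionVoters">
      <list>
        <!-- Votes only on attributes starting with ROLE_, abstains otherwise. -->
        <bean class="org.acegisecurity.vote.RoleVoter"/>
        <!-- Votes on IS_AUTHENTICATED_FULLY / _REMEMBERED / _ANONYMOUSLY. -->
        <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
      </list>
    </property>
  </bean>

  <bean id="documentServiceSecurity"
        class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
    <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
    <property name="objectDefinitionSource">
      <value>
        <!-- Before invocation: AuthenticatedVoter grants a fully authenticated
             caller (RoleVoter abstains on both attributes).
             After invocation: AFTER_ACL_READ is left to the afterInvocationManager. -->
        com.example.DocumentService.getDocument=IS_AUTHENTICATED_FULLY,AFTER_ACL_READ
        <!-- A role-protected method is still decided by RoleVoter as before. -->
        com.example.DocumentService.deleteDocument=ROLE_ADMIN
      </value>
    </property>
  </bean>

</beans>
```

With this wiring, a secured method whose attribute list contains neither a `ROLE_` nor an `IS_AUTHENTICATED_` attribute is still denied, because both voters abstain on it.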
