alon salant wrote:
When working on SimpleFileStore, it was easy to disable Slide security by setting
org.apache.slide.security=false
in slide.properties.
However, I do want to be able to configure basic webapp security using security constraints on paths and HTTP methods. But I do not want to manage users and roles within slide.
So I have slide configured with security=false, SimpleFileStore, TransientSecurityStore, and TransientLockStore for my store implementations, all user and role definitions removed from Domain.xml and basic auth configured in my web.xml for the path to the webdav servlet.
With this config, I can connect via webdav, log in and browse.
However, I cannot create files or folders, copy, move, delete....
The problem that I am running into is that Methods (MkcolMethod for example), still try to authorize the current principal. If the principal is null, things work fine b/c SecurityImpl returns SubjectNode.UNAUTHENTICATED and slide lets this continue. However, if the principal is not null (it is not when the webapp makes the user log in), SecurityImpl.getPrincipal( ) tries to retrieve an object for that user resulting in an ObjectNotFoundException.
This looks like hard behavior to change (unfortunately). AbstractWebDavMethod creates the SlideToken with the user principal in run( ) using req.getUserPrincipal().
I haven't traced through the other methods to see if/how the user principal is used. It looks like copy/delete/put/move/mkcol (at least) all have issues related to this.
Any thoughts? What I am trying to do seems like a pretty common use case. Is there a good way to address this need? I'm hoping I've missed something simple.
Alon
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
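An added example, not part of the original post and not Slide code: a servlet filter, mapped in web.xml to the same path as the webdav servlet, that lets the container enforce the basic-auth security constraints and then hides the principal from the servlet, so that req.getUserPrincipal() returns null as in the case the post reports working. The class name HidePrincipalFilter is hypothetical, only standard Servlet API calls are used, and whether Slide then behaves as in the unauthenticated case is an assumption taken from the post, not something tested here.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: container authenticates, servlet sees no principal. */
public class HidePrincipalFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest http = (HttpServletRequest) req;

        // Fail closed. With the servlet's own security switched off, the
        // web.xml constraints are the only access control. A constraint that
        // lists specific <http-method> elements leaves unlisted methods
        // unconstrained, so a request that arrives here without a principal
        // was not covered by any constraint and is rejected.
        if (http.getUserPrincipal() == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // The container has already authenticated and authorized the caller.
        // Mask the identity so downstream code takes its null-principal path.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            public Principal getUserPrincipal() { return null; }
            public String getRemoteUser() { return null; }
            public boolean isUserInRole(String role) { return false; }
        }, res);
    }

    public void destroy() { }
}
```

With the principal masked, nothing downstream can attribute a write to a user, so every access decision rests on the web.xml constraints alone.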
