Hi,

On 02.12.2009 at 02:59, Dave wrote:
> Protected blogs is not an out-of-the-box feature and probably not an
> easy customization.
> 
> It might be possible via some LDAP and Spring Security magic that you
> could create some blogs that are visible only to certain people.

Requiring authentication to access roller can be realized by some changes to the 
Spring Security configuration, see the attached security.xml. The changes are 
basically:

-- exclude some URL patterns from filtering, like styles and favicon. done in 
property filterInvocationDefinitionSource of bean filterChainProxy

-- require at least editor role for all other URLs. done in property 
objectDefinitionSource of bean filterInvocationInterceptor. This implies that 
you grant the editor role to all users. Because I use the roller admin API to 
manage users, that is not a problem for me. If you manage users using the roller 
webapp you might add some hack somewhere to grant that role automatically.

If you want to exclude some blog from requiring a successful login, you could 
add a rule to the filterInvocationInterceptor, e.g. 
/demo/**=ROLE_ANONYMOUS,admin,editor
would allow everybody to access the blog with the handle 'demo'.

Of course this is a static definition and only works on blogs as a whole, not 
single postings. But it could be a starting point. 

This works for 4.0.1, I have not yet tried 5.0

best regards,
konrad

Attachment: security.xml
Description: XML document
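
The rule list described in this message, modelled as an added example (not taken from the attached security.xml or from Roller's code) to show why the `/demo/**` rule has to come before the catch-all. Assumptions: rules are evaluated top to bottom and the first matching pattern decides, unauthenticated requests carry only `ROLE_ANONYMOUS`, the catch-all is written as `/**=admin,editor`, the excluded patterns `/styles/**` and `/favicon.ico` are constructed stand-ins, and the matcher is a simplified Ant-style matcher handling only `*` and `**`.

```python
import re

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '*' stays in one segment, '**' spans segments."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?")          # trailing /** : zero or more segments
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

# Constructed stand-ins for the patterns excluded from filtering altogether.
EXCLUDED = ["/styles/**", "/favicon.ico"]

# Interceptor rules in the order the message implies (catch-all is an assumption).
RULES = """
/demo/**=ROLE_ANONYMOUS,admin,editor
/**=admin,editor
"""

# Same rules with the catch-all first: the /demo/** line is never reached.
MISORDERED = """
/**=admin,editor
/demo/**=ROLE_ANONYMOUS,admin,editor
"""

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        pattern, _, attrs = line.strip().partition("=")
        rules.append((ant_to_regex(pattern), pattern, attrs.split(",")))
    return rules

def decide(path, rules_text, user_roles):
    """Return (allowed, pattern_that_decided) for a request path."""
    if any(ant_to_regex(p).match(path) for p in EXCLUDED):
        return True, "excluded"           # no security filters run at all
    granted = set(user_roles) or {"ROLE_ANONYMOUS"}   # not logged in
    for regex, pattern, attrs in parse_rules(rules_text):
        if regex.match(path):             # first match wins
            return bool(granted & set(attrs)), pattern
    return True, None                     # modelled as public when no rule matches
```

A logged-in user does not hold `ROLE_ANONYMOUS` in this model, which is why the `/demo/**` rule also lists `admin` and `editor`.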
