Thanks for this. I am familiar with configuring Spring Security for another application so this is great news for me.
I am looking forward to trying this out.

Luke

On Wed, Dec 2, 2009 at 6:31 AM, Konrad Hosemann <kon...@hosemann.name> wrote:
> Hi,
>
> On 02.12.2009 at 02:59, Dave wrote:
>> Protected blogs is not an out-of-the-box feature and probably not an
>> easy customization.
>>
>> It might be possible via some LDAP and Spring Security magic that you
>> could create some blogs that are visible only to certain people.
>
> Requiring authentication to access roller can be realized by some changes to the
> Spring Security configuration, see the attached security.xml. The changes are
> basically:
>
> -- exclude some URL patterns from filtering, like styles and favicon. Done in
> property filterInvocationDefinitionSource of bean filterChainProxy
>
> -- require at least editor role for all other URLs. Done in property
> objectDefinitionSource of bean filterInvocationInterceptor. This implies that
> you grant the editor role to all users. Because I use the roller admin API to
> manage users, that is not a problem for me. If you manage users using the
> roller webapp you might add some hack somewhere to grant that role
> automatically.
>
> If you want to exclude some blog from requiring a successful login, you could
> add a rule to the filterInvocationInterceptor, e.g.
> /demo/**=ROLE_ANONYMOUS,admin,editor
> would allow everybody to access the blog with the handle 'demo'
>
> Of course this is a static definition and only works on blogs as a whole, not
> single postings. But it could be a starting point.
>
> This works for 4.0.1, I have not yet tried 5.0
>
> best regards,
> konrad
>
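
Added example (not part of the original mails, and not Roller or Spring Security code): a small Python model of an ordered list of Ant-style URL rules like the ones described above, used to check which paths end up open to anonymous users. It assumes the first matching rule decides, as in Acegi/Spring Security path-based definitions; the catch-all line, the probe paths and the simplified matcher are assumptions.

```python
import re

# Constructed rule list modelled on the mail: the /demo/** line is quoted from
# it, the catch-all "/**=editor" line is an assumed rendering of "require at
# least editor role for all other URLs".
RULES = """
/demo/**=ROLE_ANONYMOUS,admin,editor
/**=editor
"""
# Constructed probe paths (hypothetical URLs).
PROBES = ["/demo", "/demo/entry/hello", "/demonstration/x", "/other/entry/1"]

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '**' spans directories, '*' stays in one."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?")      # trailing /** also matches the bare prefix
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        pattern, roles = line.strip().split("=", 1)
        rules.append((pattern, ant_to_regex(pattern), roles.split(",")))
    return rules

def required_roles(rules, path):
    """Return (pattern, roles) of the first rule that matches, else None."""
    for pattern, regex, roles in rules:
        if regex.fullmatch(path):
            return pattern, roles
    return None

def anonymous_paths(rules, probes):
    """Probe paths whose deciding rule grants ROLE_ANONYMOUS."""
    hits = ((p, required_roles(rules, p)) for p in probes)
    return [p for p, hit in hits if hit and "ROLE_ANONYMOUS" in hit[1]]

if __name__ == "__main__":
    print(anonymous_paths(parse_rules(RULES), PROBES))
```

Under the first-match assumption, the `/demo/**` exception only takes effect when it is listed before the catch-all, and a blog whose handle merely starts with `demo` (the `/demonstration/x` probe) stays protected.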