If you don't have complex URL patterns, I'd continue down the JEE path.
It should work. Although I haven't tried it with WebSphere, it's a
fundamental requirement of the container.
I'd temporarily switch to HTTP BASIC instead of LDAP to try to isolate the
problem.
Yes, creating a custom Security Interceptor is another approach. It's
pretty simple to throw your own interceptor into the stack that checks
the Principal or Session and forces a redirect/error if appropriate.
It's a low effort approach but you take on some more risk of introducing
vulnerabilities.
A better approach is to use a third party filter. Acegi/Spring
Security is the most popular and probably the most flexible as it's
closely bound to your (Spring) Object Factory. There are other open
source filters available too that may suit you.
Hope that helps,
Jeromy Evans
Mike Watson wrote:
I should probably add that I'm just trying to authenticate via LDAP at
this stage. Authorization will be implemented later.
2008/7/28 Mike Watson <[EMAIL PROTECTED]>:
Hi Folks,
What's the most straightforward way to secure my REST URLs?
I'd assumed that I'd be able to use the standard JEE approach and
secure based on URL patterns but this doesn't seem to work (on
Websphere anyway) and I'm assuming it's to do with the fact everything
I'm doing is happening in filters rather than working with 'real'
resources. (I don't get any errors, I just get to see resources I
shouldn't when I'm not authenticated).
Is there some sort of Security Interceptor I should enable or should
this work the way I initially assumed?
Has anybody else (Jeromy?) done this?
Cheers
Mike
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
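The custom security interceptor mentioned in the reply above could look like the following. This is an added example, not code from the thread or from any project; it assumes Struts 2 (XWork) on the Servlet API, and the class name and the session attribute key are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Hypothetical interceptor: rejects any action invocation that carries no
 * authenticated identity. It only covers requests that reach the action
 * stack; resources the container serves directly are not protected by it.
 */
public class RequireAuthenticatedInterceptor extends AbstractInterceptor {

    private static final long serialVersionUID = 1L;

    // Assumed key under which the application's own login code stores the user.
    private static final String SESSION_USER_KEY = "authenticatedUser";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();

        if (!isAuthenticated(request)) {
            // Fail closed: the action never runs and nothing is cached.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return Action.NONE; // response already committed, render no result
        }
        return invocation.invoke();
    }

    private boolean isAuthenticated(HttpServletRequest request) {
        // Set by the container after a successful container-managed login.
        if (request.getUserPrincipal() != null) {
            return true;
        }
        // getSession(false) avoids creating a session for anonymous clients.
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(SESSION_USER_KEY) != null;
    }
}
```

Place it first in the interceptor stack of every package that exposes protected actions, so that parameter binding and action code never run for unauthenticated requests.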