Tony, Your JSP output makes perfect sense. The ACEGI filter wraps the HttpServletRequest with the HttpServletRequestWrapper derived class SavedRequestAwareWrapper. According to the javadoc (which you gave) that is the default class the wrapper should use, unless you tweak it to use another class. That "default" class itself extends the SecurityContextHolderAwareRequestWrapper, which is the one that overrides the isUserInRole method (to have it search all ACEGI authority groups).
So, if your JSP can output the class as the correct one, as your output shows, then the problem must be with your back-end ACEGI configuration. Have you turned on your debugger and set a breakpoint to investigate what ACEGI roles were assigned? Or perhaps have your Bean perform a getPrincipal(), check the class, cast it to an org.acegisecurity.Authentication (which already extends Principal) object and check the getAuthorities(), getDetails(), and getPrincipal() to see what ACEGI loaded for that user. For more details the the source code of various classes such as: org.acegisecurity.Authentication http://svn.sourceforge.net/viewcvs.cgi/acegisecurity/trunk/acegisecurity/cor e/src/main/java/org/acegisecurity/Authentication.java?view=markup&rev=1519 org.acegisecurity.wrapper.SecurityContextHolderAwareRequestWrapper http://svn.sourceforge.net/viewcvs.cgi/acegisecurity/trunk/acegisecurity/cor e/src/main/java/org/acegisecurity/wrapper/SecurityContextHolderAwareRequestW rapper.java?view=markup&rev=1519 org.acegisecurity.wrapper.SavedRequestWrapper (extends above class) http://svn.sourceforge.net/viewcvs.cgi/acegisecurity/trunk/acegisecurity/cor e/src/main/java/org/acegisecurity/wrapper/SavedRequestAwareWrapper.java?view =log Regards, David -----Original Message----- From: tony k [mailto:[EMAIL PROTECTED] Sent: Monday, June 19, 2006 10:06 PM To: [email protected] Subject: Acegi filter wrapped request not seen by visibleOnUserRole...!? The Acegi Security System for Spring has a filter based mechanism for wrapping an HttpServletRequest such that it will return Acegi information for the isUserInRole() method of the request. if interested see: http://acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecuri ty/wrapper/SecurityContextHolderAwareRequestFilter.html i've applied this filter with the intention of visibleOnUserRole working against the Acegi authorization information. but it didn't work and after some research i've found that the typical jsp and faces internals obtain a handle to the request object in different ways such that faces doesn't see the request as wrapped by the filter. the following jsp: --------------begin jsp---------------- <%@ page import="javax.faces.context.FacesContext"%> <% out.println("jsp request class = [" + request.getClass().getName() + "]<br>"); out.println("faces request class = [" + FacesContext.getCurrentInstance().getExternalContext().getRequest().getClass ().getName() + "]"); %> --------------end jsp---------------- returns the following output (when running against tomcat): --------------begin out---------------- jsp request class = [org.acegisecurity.wrapper.SavedRequestAwareWrapper] faces request class = [org.apache.catalina.connector.RequestFacade] --------------end out---------------- so my general questions are... (a) anyone have any insight as to why this might be the case? (b) anyone have any workaround suggestions? (c) is this behavior in accordance with the spec? thanks, tony -- View this message in context: http://www.nabble.com/Acegi-filter-wrapped-request-not-seen-by-visibleOnUser Role...%21--t1815172.html#a4947993 Sent from the MyFaces - Users forum at Nabble.com.
