Re: [appfuse-user] redundant security??

Sun, 25 Feb 2007 09:13:15 -0800 

Yes, I do believe there is a duplication here.  However, when you're
doing security-related stuff, duplication is not necessarily a bad
thing.

In 2.0, we've removed the adminUrlMapping bean and adjusted
security.xml to contain all the URLs that need to be protected.

   <bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
       <property name="authenticationManager" ref="authenticationManager"/>
       <property name="accessDecisionManager" ref="accessDecisionManager"/>
       <property name="objectDefinitionSource">
           <value>
               PATTERN_TYPE_APACHE_ANT
               /activeUsers.*=admin
               /clickstreams.jsp*=admin
               /flushCache.*=admin
               /passwordHint.html*=ROLE_ANONYMOUS,admin,user
               /reload.*=admin
               /signup.html*=ROLE_ANONYMOUS,admin,user
               /users.html*=admin
               /**/*.html*=admin,user
           </value>
       </property>
   </bean>

Matt

On 2/24/07, j2ee dodo <[EMAIL PROTECTED]> wrote:



Hi guys,

For appfuse 1.9.4, I removed the line

 <prop key="/users.html">userController</prop>

from "adminUrlMapping" bean in action-servlet.xml and everything
works normal as before, the same security check seems to
be done in security.xml already

E.g.

  <bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource">
            <value>
                PATTERN_TYPE_APACHE_ANT
      .....
                /signup.html*=ROLE_ANONYMOUS,admin,user
                /users.html*=admin
      ...
            </value>
        </property>
    </bean>

So I was wandering if we even need adminUrlMapping bean at all
in action-servlet.xml if we simply do all security check in security.xml??

on the other hand, it looks like we replace acegi security on the
filterInvocationInterceptor bean part
 with spring spring security like adminUrlMapping bean in
action-servlet.xml....


Thanks,

Sam



--
http://raibledesigns.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to