Mike Horwitz wrote:
>
> On Nov 21, 2007 11:33 AM, Campa <[EMAIL PROTECTED]> wrote:
>
>>
>> Hi,
>>
>> I'm using appfuse 2.0 with struts 2.
>> I cannot understand why, requesting a URL like
>> http://...8080/patient/list.html while logged in as a user with only
>> "ROLE_USER", the security layer gives me an ExceptionPage
>> (org.acegisecurity.AccessDeniedException: Access is denied). It does not
>> block users with ADMIN_ROLE.
>
>
> Taking a flyer here, but I am assuming that /patient/list.html calls
> UserManager.getUsers() somewhere in the background? If so you will need to
> allow all users access to that method (changes need to be applied to
> methodSecurityInterceptor towards the bottom of security.xml). One note:
> allowing access to the list of users in the application could be a
> security risk.
>
> Mike.
>
Thanks, Mike...
But I have changed the code to see if the security check that blocks users,
not admins, is related to the backend.
In the action I now have:
....
public String list() {
    // patients = patientManager.getAll();
    return SUCCESS;
}
....

But the security exception remains.
The Patient model has a many-to-many relation with users (handled by the
standard AppFuse userManager); could the problem be here?

Thanks
Stefano
>
>>
>> My security.xml file has the following Ant paths:
>> <bean id="filterInvocationInterceptor"
>>       class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
>>     <property name="authenticationManager"
>>               ref="authenticationManager"/>
>>     <property name="accessDecisionManager"
>>               ref="accessDecisionManager"/>
>>     <property name="objectDefinitionSource">
>>         <value>
>>             PATTERN_TYPE_APACHE_ANT
>>             /admin/*=ROLE_ADMIN
>>             /passwordHint.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER
>>             /signup.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER
>>             /a4j.res/*.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER <!-- APF-737, OK to remove if not using JSF -->
>>             /**/*.html*=ROLE_ADMIN,ROLE_USER
>>             /patient/list.html*=ROLE_ADMIN,ROLE_USER
>>         </value>
>>     </property>
>> </bean>
>>
>> Can someone help me?
>> Thanks
>> Stefano
>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Security-configuration-tf4849572s2369.html#a13875515
>> Sent from the AppFuse - User mailing list archive at Nabble.com.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>
>
--
View this message in context:
http://www.nabble.com/Security-configuration-tf4849572s2369.html#a13877441
Sent from the AppFuse - User mailing list archive at Nabble.com.
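Added example, not code from this thread nor from the AppFuse or Acegi sources: a small Python model of how Acegi's FilterSecurityInterceptor decides access for a request URL under the objectDefinitionSource posted above. It models three behaviours of the real interceptor that matter for the question: rules are tried top to bottom and the first matching Ant pattern wins; the RoleVoter grants if the user holds any role listed on that rule; pattern and URL are compared lower-cased with the query string still attached (Acegi's default, and the reason the AppFuse patterns end in ".html*"). The rule text is the one from the posted security.xml; the request URLs and role lists are constructed for illustration, and shadowed_rules is a heuristic of my own, not an Acegi feature.

```python
"""Model of Acegi's URL access decision for the posted security.xml rules.
Illustrative re-implementation written for this page, not Acegi/AppFuse code."""
import re

# objectDefinitionSource text from the posted security.xml (the XML comment
# is not part of the element value in real XML, so it is stripped on parse).
POSTED_RULES = """
PATTERN_TYPE_APACHE_ANT
/admin/*=ROLE_ADMIN
/passwordHint.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER
/signup.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER
/a4j.res/*.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER <!-- APF-737, OK to remove if not using JSF -->
/**/*.html*=ROLE_ADMIN,ROLE_USER
/patient/list.html*=ROLE_ADMIN,ROLE_USER
"""


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex.

    '**' spans directories, '*' and '?' stay inside one path segment, and a
    '/**/' in the middle may match zero directories, so '/**/*.html' also
    matches '/list.html' at the root.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            out += "(?:/.*)?/"
            i += 4
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def parse_rules(text):
    """Return [(pattern, compiled_regex, {roles})] in the order written."""
    rules = []
    for line in text.splitlines():
        line = line.split("<!--", 1)[0].strip()
        if not line or line == "PATTERN_TYPE_APACHE_ANT":
            continue
        path, roles = line.split("=", 1)
        path = path.strip()
        # Lower-case the pattern, mirroring Acegi's default
        # convertUrlToLowercaseBeforeComparison behaviour.
        rules.append((path, ant_to_regex(path.lower()),
                      {r.strip() for r in roles.split(",")}))
    return rules


def decide(rules, url, user_roles):
    """Return (outcome, matched_pattern) for one request.

    outcome is 'granted', 'denied', or 'not secured' (no pattern matched, so
    the interceptor has no attributes to enforce and lets the request pass).
    Only the FIRST matching rule is consulted, as in Acegi.
    """
    url = url.lower()  # query string stays attached, as Acegi compares it
    for pattern, regex, required in rules:
        if regex.match(url):
            granted = bool(required & set(user_roles))  # RoleVoter: any role
            return ("granted" if granted else "denied", pattern)
    return ("not secured", None)


def shadowed_rules(rules):
    """Heuristic (my own, not Acegi's): report rules that can never be reached
    because an earlier pattern already matches their literal form.  Only
    probes patterns that are literal apart from a trailing '*'."""
    found = []
    for j, (pattern, _, _) in enumerate(rules):
        probe = pattern.lower().rstrip("*")
        if "*" in probe or "?" in probe:
            continue
        for earlier_pattern, earlier_regex, _ in rules[:j]:
            if earlier_regex.match(probe):
                found.append((pattern, earlier_pattern))
                break
    return found


if __name__ == "__main__":
    rules = parse_rules(POSTED_RULES)
    for url, roles in [("/patient/list.html", ["ROLE_USER"]),
                       ("/patient/list.html?page=2", ["ROLE_USER"]),
                       ("/admin/users.html", ["ROLE_USER"]),
                       ("/admin/reports/summary.html", ["ROLE_USER"])]:
        print(url, roles, "->", decide(rules, url, roles))
    print("shadowed:", shadowed_rules(rules))
```

Run over the posted rules, /patient/list.html for a user holding only ROLE_USER is matched by /**/*.html* and granted, so these URL patterns are not what raises the AccessDeniedException; that is consistent with Mike's pointer to the method-level rules in methodSecurityInterceptor, which are evaluated separately from this filter. Two side effects of the posted ordering are worth knowing: the explicit /patient/list.html* line is unreachable because /**/*.html* precedes it (harmless here, since both list the same roles, but a later line with different roles would be silently ignored), and /admin/* covers only one path segment, so an admin page nested one directory deeper would fall through to /**/*.html* and be open to ROLE_USER; /admin/** is the Ant form that covers the whole subtree.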