Rob Hills wrote:
> 
> Hi Stefano,
> 
> Campa wrote:
>> Hi,
>>
>> I'm using appfuse 2.0 with struts 2.
>> I cannot understand why, when requesting a URL like
>> http://...8080/patient/list.html while logged in as a user with only
>> "ROLE_USER",
>> the security layer gives me an ExceptionPage (
>> org.acegisecurity.AccessDeniedException: Access is denied ). It does not block
>> a user with ADMIN_ROLE.
>>
>> My security.xml file has the following ANT_PATHs:
>> <bean id="filterInvocationInterceptor"
>> class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
>>         <property name="authenticationManager"
>> ref="authenticationManager"/>
>>         <property name="accessDecisionManager"
>> ref="accessDecisionManager"/>
>>         <property name="objectDefinitionSource">
>>             <value>
>>                 PATTERN_TYPE_APACHE_ANT
>>                 /admin/*=ROLE_ADMIN
>>                 /passwordHint.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER
>>                 /signup.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER
>>                 /a4j.res/*.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER <!--
>> APF-737, OK to remove if not using JSF -->
>>                 /**/*.html*=ROLE_ADMIN,ROLE_USER
>>                 /patient/list.html*=ROLE_ADMIN,ROLE_USER
>>   
> Firstly, I'm no expert, but I believe that the "/**/*.html *=..." would 
> overrule your "/patient/list.html ..." because it comes before it.  But 
> that wouldn't cause your problem.
> 
> Have you checked your struts.xml file to see if there's an interceptor 
> that covers your URL?  I have some in my struts.xml file - like 
> "<interceptor-ref name="adminCheck" />"
> HTH,
> 

Hi Rob,
In my struts.xml I have:
<interceptor-stack name="adminCheck">
    <interceptor-ref name="defaultStack"/>
    <interceptor-ref name="adminOnly"/>
</interceptor-stack>

In your opinion, do I need to change something here?
The strange effect is that actions that end with "edit.html" also work for
non-admin logged-in users, while "list.html" does not work.

Thx
Stefano
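
An added illustration, not part of either post and not Acegi's own code: Acegi walks the objectDefinitionSource patterns in the order listed and the first match decides, so this sketch replays the quoted rule block and reports later rules that an earlier pattern already covers. The Ant matcher is a simplified model, and the probe URL built from each pattern is a heuristic assumed here.

```python
import re

# Rule block as quoted from security.xml in the thread.
RULES_TEXT = """
PATTERN_TYPE_APACHE_ANT
/admin/*=ROLE_ADMIN
/passwordHint.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER
/signup.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER
/a4j.res/*.html*=ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER <!-- APF-737, OK to remove if not using JSF -->
/**/*.html*=ROLE_ADMIN,ROLE_USER
/patient/list.html*=ROLE_ADMIN,ROLE_USER
"""

# Simplified Ant semantics (assumption): '**' spans directories,
# '*' and '?' never cross a '/'.
TOKENS = {"/**/": "/(?:.*/)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}

def ant_to_regex(pattern):
    parts = re.split(r"(/\*\*/|\*\*|\*|\?)", pattern)
    return re.compile("".join(TOKENS.get(p, re.escape(p)) for p in parts))

def parse_rules(text):
    """Return [(pattern, roles)] in file order, ignoring XML comments."""
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)
    rules = []
    for line in text.splitlines():
        if "=" in line:
            pattern, roles = line.strip().split("=", 1)
            rules.append((pattern, frozenset(r.strip() for r in roles.split(","))))
    return rules

def first_match(rules, url):
    """First matching pattern wins; later matching rules are never consulted."""
    for pattern, roles in rules:
        if ant_to_regex(pattern).fullmatch(url):
            return pattern, roles
    return None

def shadowed(rules):
    """List (rule, earlier_rule, roles_differ) for rules an earlier pattern covers."""
    findings = []
    for idx, (pattern, roles) in enumerate(rules):
        # Heuristic probe URL: substitute a literal for every wildcard.
        probe = pattern.replace("**", "x").replace("*", "x").replace("?", "x")
        hit = first_match(rules[:idx], probe)
        if hit:
            findings.append((pattern, hit[0], hit[1] != roles))
    return findings

if __name__ == "__main__":
    for rule, earlier, differs in shadowed(parse_rules(RULES_TEXT)):
        print(f"{rule} is shadowed by {earlier}; roles differ: {differs}")
```

For the quoted configuration the only finding is `/patient/list.html*` behind `/**/*.html*`, and both rules carry the same roles, so that shadowing does not change the access decision.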