On Dec 10, 2007 8:33 PM, J. David Mendoza <[EMAIL PROTECTED]> wrote:

> sorry Michael... you're right...
> I'm using AppFuse 2.0.1, and I was looking at how the UserManager's
> methods are secured... was trying to figure it out... so if anyone would
> explain that to me it would be great... I wanted to know if someone knows
> how to configure acegi's annotation driven security, I would like that even
> more if it isn't too hard to configure, cause what the UserManager has
> already would be enough.
>

There are two different interceptors securing the user manager. The first is
the standard ACEGI Method interceptor which limits access to the getUsers()
and removeUser() methods to users with the role Admin - look for the bean
called methodSecurityInterceptor in security.xml. More details on this here:
http://www.appfuse.org/display/APF/Apply+Security+to+Managers+and+DAOs

The second interceptor is a custom method interceptor which makes sure that
only Admin users can edit profiles that are not their own - the relevant code
is in the UserSecurityAdvice class. If you have not full sourced your project,
you can get the source code here: http://tinyurl.com/3cc9ho . The method
interceptor is applied to the user manager using the standard Spring AOP
config (in applicationContext-service.xml):

    <aop:config>
        ...
        <aop:advisor id="userManagerSecurity" advice-ref="userSecurityAdvice"
            pointcut="execution(* *..service.UserManager.saveUser(..))" order="1"/>
        ...
    </aop:config>

    <bean id="userSecurityAdvice" class="org.appfuse.service.UserSecurityAdvice"/>

> I also tried to configure the acegi's ACL but is too big of a deal and a
> lot of configuration, so I'm hardcoding stuff.
>

ACEGI ACL stuff is a bit mind bending at first (in fact ACEGI is a bit mind
bending full stop). On the off chance you have not seen it yet, there is a
tutorial for ACL in AppFuse here:
http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuseAcegiACL. It was written
for AppFuse 1.9.4, but should be reasonably easy to adapt for 2.0.1. On the
other hand if what you have already works, why change? :-)

Mike

>
> Thanks...
>
> David M.
>
> On Dec 10, 2007, at 12:50 PM, Michael Horwitz wrote:
>
> So you need to secure against a specific role or does your security need
> to be more complicated, e.g. check the parameters being passed in against the
> current user? It would also help to know which version of AppFuse you are
> using?
>
> Mike
>
> On 12/10/07, J. David Mendoza <[EMAIL PROTECTED]> wrote:
> >
> > I need to secure a manager's methods, what do I need to do?
> >
> > Thanks...
> >
> > David M.
> >
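
The owner-or-admin rule described in the reply above, as an added example that is not part of the original thread and is not AppFuse's UserSecurityAdvice code. It uses a plain JDK dynamic proxy instead of Spring AOP; the User, UserManager and Caller types, the CURRENT holder and the role name "ROLE_ADMIN" are all constructed stand-ins (Java 16+ for records).

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Set;

public class OwnerOrAdminDemo {
    // Hypothetical stand-ins for this sketch; not AppFuse's own classes.
    record User(String username) {}
    interface UserManager { void saveUser(User user); }
    record Caller(String username, Set<String> roles) {}

    // Stand-in for the security context that holds the authenticated caller.
    static final ThreadLocal<Caller> CURRENT = new ThreadLocal<>();

    // Wraps a manager so saveUser() is checked before the real method runs,
    // the same position a "before" advice on the saveUser pointcut occupies.
    static UserManager secure(UserManager target) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.getName().equals("saveUser")) {
                Caller caller = CURRENT.get();   // null means unauthenticated
                User edited = (User) args[0];
                boolean admin = caller != null && caller.roles().contains("ROLE_ADMIN");
                boolean self = caller != null && caller.username().equals(edited.username());
                if (!admin && !self) {           // fail closed
                    throw new SecurityException("only admins may edit other users");
                }
            }
            return method.invoke(target, args);
        };
        return (UserManager) Proxy.newProxyInstance(
                UserManager.class.getClassLoader(),
                new Class<?>[] {UserManager.class}, handler);
    }

    public static void main(String[] args) {
        UserManager mgr = secure(u -> System.out.println("saved " + u.username()));
        CURRENT.set(new Caller("alice", Set.of("ROLE_USER")));
        mgr.saveUser(new User("alice"));         // own profile: allowed
        try {
            mgr.saveUser(new User("bob"));       // someone else's profile: denied
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        CURRENT.set(new Caller("root", Set.of("ROLE_ADMIN")));
        mgr.saveUser(new User("bob"));           // admin: allowed
    }
}
```

The check only runs for callers that go through the wrapped reference; code holding the unwrapped target bypasses it, which is also true of a proxy-based Spring AOP advisor.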
