<!-- ======================== FILTER CHAIN ======================= -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**/*.html*=channelProcessingFilter,httpSessionContextIntegrationFilter,casProcessingFilter,remoteUserFilter,basicProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    </value>
  </property>
</bean>
<bean id="remoteUserFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
The SecurityContextHolderAwareRequestFilter filter allows container-based security to be derived to the Acegi context.
On 6/20/06, David Friedman <[EMAIL PROTECTED]> wrote:
Tony,
Your JSP output makes perfect sense. The ACEGI filter wraps the
HttpServletRequest with the HttpServletRequestWrapper derived class
SavedRequestAwareWrapper. According to the javadoc (which you gave) that is
the default class the wrapper should use, unless you tweak it to use another
class. That "default" class itself extends the
SecurityContextHolderAwareRequestWrapper, which is the one that overrides
the isUserInRole method (to have it search all ACEGI authority groups).
So, if your JSP can output the class as the correct one, as your output
shows, then the problem must be with your back-end ACEGI configuration.
Have you turned on your debugger and set a breakpoint to investigate what
ACEGI roles were assigned? Or perhaps have your Bean perform a
getPrincipal(), check the class, cast it to an
org.acegisecurity.Authentication (which already extends Principal) object
and check the getAuthorities(), getDetails(), and getPrincipal() to see what
ACEGI loaded for that user. For more details, see the source code of various
classes such as:
org.acegisecurity.Authentication
http://svn.sourceforge.net/viewcvs.cgi/acegisecurity/trunk/acegisecurity/core/src/main/java/org/acegisecurity/Authentication.java?view=markup&rev=1519
org.acegisecurity.wrapper.SecurityContextHolderAwareRequestWrapper
http://svn.sourceforge.net/viewcvs.cgi/acegisecurity/trunk/acegisecurity/core/src/main/java/org/acegisecurity/wrapper/SecurityContextHolderAwareRequestWrapper.java?view=markup&rev=1519
org.acegisecurity.wrapper.SavedRequestWrapper (extends above class)
http://svn.sourceforge.net/viewcvs.cgi/acegisecurity/trunk/acegisecurity/core/src/main/java/org/acegisecurity/wrapper/SavedRequestAwareWrapper.java?view=log
Regards,
David
-----Original Message-----
From: tony k [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 19, 2006 10:06 PM
To: [email protected]
Subject: Acegi filter wrapped request not seen by visibleOnUserRole...!?
The Acegi Security System for Spring has a filter based mechanism for
wrapping an HttpServletRequest such that it will return Acegi information
for the isUserInRole() method of the request.
if interested see:
http://acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/wrapper/SecurityContextHolderAwareRequestFilter.html
i've applied this filter with the intention of visibleOnUserRole working
against the Acegi authorization information.
but it didn't work and after some research i've found that the typical jsp
and faces internals obtain a handle to the request object in different ways
such that faces doesn't see the request as wrapped by the filter.
the following jsp:
--------------begin jsp----------------
<%@ page import="javax.faces.context.FacesContext"%>
<%
    out.println("jsp request class = [" + request.getClass().getName() + "]<br>");
    out.println("faces request class = ["
        + FacesContext.getCurrentInstance().getExternalContext().getRequest().getClass().getName()
        + "]");
%>
--------------end jsp----------------
returns the following output (when running against tomcat):
--------------begin out----------------
jsp request class = [org.acegisecurity.wrapper.SavedRequestAwareWrapper]
faces request class = [org.apache.catalina.connector.RequestFacade]
--------------end out----------------
so my general questions are...
(a) anyone have any insight as to why this might be the case?
(b) anyone have any workaround suggestions?
(c) is this behavior in accordance with the spec?
thanks,
tony
--
View this message in context:
http://www.nabble.com/Acegi-filter-wrapped-request-not-seen-by-visibleOnUserRole...%21--t1815172.html#a4947993
Sent from the MyFaces - Users forum at Nabble.com.
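
The inspection David suggests, as an added example that is not part of the original thread or of Acegi: a hypothetical helper, `AcegiRoleDiagnostics`, that compares each authority in the Acegi `Authentication` with what `isUserInRole()` returns on a given request object. It assumes Acegi 1.0.x and the Servlet API are on the classpath, and that it runs on a thread where the Acegi filter chain has populated `SecurityContextHolder`.

```java
import javax.servlet.http.HttpServletRequest;

import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.wrapper.SecurityContextHolderAwareRequestWrapper;

/** Hypothetical diagnostic helper (added example, not an Acegi class). */
public final class AcegiRoleDiagnostics {

    private AcegiRoleDiagnostics() {}

    /** Reports how the given request resolves roles compared with the Acegi context. */
    public static String describe(HttpServletRequest request) {
        StringBuffer sb = new StringBuffer();
        sb.append("request class = ").append(request.getClass().getName()).append('\n');
        sb.append("wrapped by Acegi = ")
          .append(request instanceof SecurityContextHolderAwareRequestWrapper).append('\n');

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return sb.append("no Authentication in SecurityContextHolder\n").toString();
        }
        // Log class names and the user name only: the details object can carry
        // the session id, which should not end up in a page or a log file.
        sb.append("authentication class = ").append(auth.getClass().getName()).append('\n');
        sb.append("user name = ").append(auth.getName()).append('\n');
        Object details = auth.getDetails();
        sb.append("details class = ")
          .append(details == null ? "null" : details.getClass().getName()).append('\n');

        GrantedAuthority[] authorities = auth.getAuthorities();
        if (authorities == null || authorities.length == 0) {
            return sb.append("no authorities granted\n").toString();
        }
        for (int i = 0; i < authorities.length; i++) {
            String role = authorities[i].getAuthority();
            if (role == null) {
                continue; // authority has no plain String form; cannot be tested by name
            }
            boolean seen = request.isUserInRole(role);
            sb.append(role).append(": isUserInRole = ").append(seen);
            if (!seen) {
                sb.append("  <-- granted by Acegi but not visible through this request");
            }
            sb.append('\n');
        }
        return sb.toString();
    }
}
```

Calling `describe()` once with the JSP's implicit `request` and once with the object returned by `FacesContext.getCurrentInstance().getExternalContext().getRequest()` (cast to `HttpServletRequest`) shows whether the two code paths see the same roles.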

