Thanks Jeromy,

Yep, we did get the standard JEE security working in WAS. (Fat-fingered typing in the web.xml was the culprit).

I'll have a look at the Spring option if we find the container stuff a bit lacking.

Thanks again for your feedback.

Mike

2008/7/29 Jeromy Evans <[EMAIL PROTECTED]>:
>
> If you don't have complex URL patterns, I'd continue down the JEE path. It
> should work. Although I haven't tried it with WebSphere it's a fundamental
> requirement of the container.
>
> I'd temporarily switch to HTTP BASIC instead of LDAP to try to isolate the
> problem.
>
> Yes, creating a custom Security Interceptor is another approach. It's
> pretty simple to throw your own interceptor into the stack that checks the
> Principal or Session and forces a redirect/error if appropriate. It's a low
> effort approach but you take on some more risk of introducing
> vulnerabilities.
>
> A better approach is to use a third party filter. Acegi/Spring Security is
> the most popular and probably the most flexible as it's closely bound to
> your (Spring) Object Factory. There are other open source filters available
> too that may suit you.
>
> Hope that helps,
> Jeromy Evans
>
> Mike Watson wrote:
>>
>> I should probably add that I'm just trying to authenticate via LDAP at
>> this stage. Authorization will be implemented later.
>>
>> 2008/7/28 Mike Watson <[EMAIL PROTECTED]>:
>>>
>>> Hi Folks,
>>>
>>> What's the most straightforward way to secure my REST URLs?
>>>
>>> I'd assumed that I'd be able to use the standard JEE approach and
>>> secure based on URL patterns but this doesn't seem to work (on
>>> WebSphere anyway) and I'm assuming it's to do with the fact everything
>>> I'm doing is happening in filters rather than working with 'real'
>>> resources. (I don't get any errors, I just get to see resources I
>>> shouldn't when I'm not authenticated).
>>>
>>> Is there some sort of Security Interceptor I should enable or should
>>> this work the way I initially assumed?
>>>
>>> Has anybody else (Jeromy?) done this?
>>>
>>> Cheers
>>>
>>> Mike
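
The container-managed approach discussed in this thread, as an added example that is not taken from any of the messages: a web.xml that protects a REST URL pattern and uses HTTP BASIC, the temporary setup suggested above for isolating the problem. The `/orders/*` pattern, the `user` role and the realm name are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. URL pattern, role and realm are hypothetical. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST resources</web-resource-name>
      <!-- Matched against the request path relative to the context root.
           A pattern that matches nothing produces no error; the resource
           is simply served without authentication. -->
      <url-pattern>/orders/*</url-pattern>
      <!-- No <http-method> elements here, so the constraint covers every
           HTTP method. Listing only GET and POST would leave PUT and DELETE
           on the same URLs unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Any authenticated caller mapped to this role may access the URLs. -->
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC sends credentials base64-encoded, not encrypted: require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example-realm</realm-name>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

After deployment, a request over HTTPS without credentials to a path under the protected pattern should come back as 401 with a `WWW-Authenticate: Basic` header; a 200 means the constraint is not matching the URL.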