Actually, with spring-security you could also use Ant-like regular expressions to block access to resources like this:

    // Restrict the /ltd.pdf resource to users holding ROLE_ADMIN.
    public static void contributeFilterSecurityInterceptor(
            Configuration<RequestInvocationDefinition> configuration )
    {
        configuration.add( new RequestInvocationDefinition( "/ltd.pdf", "ROLE_ADMIN" ) );
    }

You don't need to use the annotation at all.

On Thu, Apr 9, 2009 at 8:38 PM, daniel joyce <daniel.a.jo...@gmail.com> wrote:

> I looked at spring security, and it required yet-another annotation,
> and annotating a class to protect it didn't protect the methods as
> well. This struck me as too hit-or-miss
>
> With Tomcat, I can simply protect whole paths or pages, no need to
> worry about annotating a class, and then annotating each method. Bit
> too fine-grained for my needs.
>
> On Thu, Apr 9, 2009 at 11:00 AM, manuel aldana <ald...@gmx.de> wrote:
> > Maybe you should look at the tapestry-spring-security plugin
> > (http://www.localhost.nu/java/tapestry-spring-security/index.html). It works
> > great and integrating is also not that difficult.
> >
> > Good thing is that you can both secure by single page or by page folders.
> >
> > Beware that it is not compatible with 5.1.x yet (works only for 5.0.18).
> >
> > daniel joyce wrote:
> >>
> >> So I want to use pages with context so that it is easily bookmarkable.
> >>
> >> My website uses a DataSourceRealm to determine which pages can be
> >> accessed by a user.
> >>
> >> So normal flow is user logs in, first page he gets directed to sets up
> >> the User object as an ASO, other pages use this user.
> >>
> >> But if he bookmarks a url with context, say "configureProject/124332",
> >> and he clicks on the bookmark, logs in to tomcat, and gets redirected
> >> to it, the User object may not have been initialized yet. Now
> >> configure project is fine, since it is mostly working with projects.
> >> But I want the user object to exist so that I confirm the user
> >> actually owns it.
> >>
> >> Now I could have a basepage, whose onActivate() grabs the auth'd user
> >> string from the HttpSession, runs a query, and either sets up the User
> >> object, or bounces out the login page. And every other page could
> >> inherit from this one, and call super.OnActivate in their onActivate
> >> method.
> >>
> >> But I was wondering, is there a service I can write that can examine
> >> the HttpSession, and populate the User object. Is HttpSession
> >> available to services already? I.e., can I inject it in the usual method
> >> via my builder?
> >>
> >> -Daniel
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> >> For additional commands, e-mail: users-h...@tapestry.apache.org
> >>
> >
> > --
> > manuel aldana
> > ald...@gmx.de
> > software-engineering blog: http://www.aldana-online.de
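
Added example, not code from anyone in this thread: a path rule such as "/ltd.pdf" requiring ROLE_ADMIN decides who may reach a URL, while the "configureProject/124332" case also needs a per-object ownership check that works even when the session has no User yet. All names here are hypothetical; the `session` map stands in for HttpSession attributes, `remoteUser` for the container-authenticated login (the value `HttpServletRequest.getRemoteUser()` returns), and the two maps are constructed sample data. Assumes Java 16+ for records.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class OwnershipCheckExample {
    record User(long id, String login) {}
    record Project(long id, long ownerId) {}

    // Constructed stand-ins for the user and project tables.
    static final Map<String, User> USERS =
            Map.of("daniel", new User(1, "daniel"), "manuel", new User(2, "manuel"));
    static final Map<Long, Project> PROJECTS = Map.of(124332L, new Project(124332L, 1));

    /** Returns the session's User, loading it on first use from the authenticated login. */
    static Optional<User> currentUser(Map<String, Object> session, String remoteUser) {
        if (remoteUser == null) {
            return Optional.empty();              // not authenticated: caller sends user to login
        }
        User cached = (User) session.get("user");
        // Reload if absent, or if the cached object belongs to a different login.
        if (cached == null || !cached.login().equals(remoteUser)) {
            cached = USERS.get(remoteUser);       // the "runs a query" step
            if (cached == null) {
                return Optional.empty();
            }
            session.put("user", cached);
        }
        return Optional.of(cached);
    }

    /** Object-level check for a page activated with a project id in its URL context. */
    static boolean mayConfigure(Map<String, Object> session, String remoteUser, long projectId) {
        Project project = PROJECTS.get(projectId);
        return project != null
                && currentUser(session, remoteUser)
                        .map(u -> u.id() == project.ownerId())
                        .orElse(false);           // deny by default
    }

    public static void main(String[] args) {
        Map<String, Object> fresh = new HashMap<>();  // bookmark hit right after login
        System.out.println("owner, empty session: " + mayConfigure(fresh, "daniel", 124332L));
        System.out.println("User now in session:  " + fresh.containsKey("user"));
        System.out.println("other user:           " + mayConfigure(new HashMap<>(), "manuel", 124332L));
        System.out.println("unauthenticated:      " + mayConfigure(new HashMap<>(), null, 124332L));
        System.out.println("unknown project id:   " + mayConfigure(fresh, "daniel", 999L));
    }
}
```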