Hello,

Thank you for your answer Jonathan.

I have never tried instance-based security so I don't know which
solution would suit best.
BTW my investigation led me to wonder whether the way I enabled security on
methods was right.

I tried to use a new voter of mine to secure a page and this worked fine ...

Then I remembered that I had to enable security on methods myself. With a
standard configuration of TSS I could not put an @Secure annotation anywhere
other than on a method of a page or component.
If I tried to put one on a method it did nothing at all. No error but no
security either.
So after loads of searches and trials I got it working by adding these 3
lines to the applicationContext.xml

        <security:authentication-manager alias="providerManager" />
        <security:authentication-provider user-service-ref="userDao" /> 
        <security:global-method-security secured-annotations="enabled" />

So far I could add an @Secure("ROLE_...") annotation on any method of my
application.

Then came the problem of DWR, which was specifically excluded from the Tapestry
context. Here again, I had to solve it by adding one more filter in the web.xml
with a reference to a bean in the applicationContext.xml:

        <bean id="dwrFilterChainProxy"
                class="org.springframework.security.util.FilterChainProxy">
                <property name="filterInvocationDefinitionSource">
                        <value>
                                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                                PATTERN_TYPE_APACHE_ANT
                                /**=httpSessionContextIntegrationFilter
                        </value>
                </property>
        </bean>

        <bean id="httpSessionContextIntegrationFilter"
                class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />

So now I can secure everything with @Secure("ROLE_...") in my application
but I am not sure it is handled the right way; especially because of the
two instances of the AccessDecisionManager I saw. I realized that the
instance that was handling the security in the non-Tapestry methods of my
application looks to be the one "dedicated to authentication" (the one
containing an AuthenticatedVoter and a RoleVoter).

I thought I had found a solution using the "access-decision-manager-ref"
property of the tag "security:global-method-security" used before, but the
reference to the AccessDecisionManager declared by TSS looks unreachable.
It is declared in the SecurityModule class like

        @Marker(SpringSecurityServices.class)
        public final AccessDecisionManager buildAccessDecisionManager {...}

But when I write

        <security:global-method-security secured-annotations="enabled"
                access-decision-manager-ref="accessDecisionManager" />

I get a 
        "NoSuchBeanDefinitionException  :No bean named
'accessDecisionManager' is defined" 

This is really starting to annoy me :-( ...

So has anyone ever secured a method outside of a page/component (like in a class
of a Service/Dao layer) with TSS, and how?
Is there a way to configure the things I had to put in XML in an AppModule
like the rest of the TSS configuration?

Thanks for any input.

Nicolas

----- original message -----
> From: Jonathan Barker
> To: Tapestry users
> Subject: Re: TSS add custom voter

> Nicolas,

> Are you sure you want another AccessDecisionVoter?

> This sounds more like you want instance-based security, available through
> the spring-security-acl package.  I can't help you much on code, because
> what I have is using 2.0, with deprecated interfaces and classes, from my
> evolution from Acegi.  Specifically, my work involved custom implementations
> of AclProvider.  I do have an AclAuthorize component that I use in my
> personal copy of tapestry-spring-security that could easily be adapted if
> you wanted that.

> Regards,

> Jonathan

Jonathan Barker
ITStrategic
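
Added example (not from the original message and not tapestry-spring-security code): access-decision-manager-ref is resolved as a bean name in the Spring application context, so one option is to declare the AccessDecisionManager there, using the Spring Security 2.0 package names that appear in the configuration above. The bean ids and the class com.example.security.CustomVoter are assumptions.

```xml
<!-- Fragment for the existing <beans> element of applicationContext.xml. -->

<!-- Hypothetical custom voter; replace with your own AccessDecisionVoter. -->
<bean id="customVoter" class="com.example.security.CustomVoter" />

<!-- AccessDecisionManager declared as a Spring bean so that
     access-decision-manager-ref can find it by name. -->
<bean id="methodAccessDecisionManager"
      class="org.springframework.security.vote.AffirmativeBased">
    <!-- Fail closed: deny when every voter abstains. -->
    <property name="allowIfAllAbstainDecisions" value="false" />
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.vote.RoleVoter" />
            <bean class="org.springframework.security.vote.AuthenticatedVoter" />
            <ref bean="customVoter" />
        </list>
    </property>
</bean>

<!-- Method security for Service/Dao classes now uses the manager above. -->
<security:global-method-security secured-annotations="enabled"
        access-decision-manager-ref="methodAccessDecisionManager" />
```

AffirmativeBased grants access as soon as one voter votes to grant, so the custom voter here adds a way to allow a call rather than a way to veto one.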

