Nicolas,
which T5 version are you using? AFAIK, w/ T5.1 and later your T5 services
should indeed be accessible as Spring beans. I think before 5.1, they
aren't.
Regarding T-S-S : it's set up to handle Tapestry component security (that
is, securing whole components or methods within the components). It does
nothing to handle @Secured annotations on any random classes within your
application. Overall, it seems to me that what you're trying to achieve
should be achievable using plain S-S. If you do need to secure access to T5
pages, you might be able to achieve that w/o T-S-S (there's an article on
the wiki on using S-S w/o T-S-S).
Regards,
Alex Kotchnev
On Tue, May 11, 2010 at 3:26 AM, Nicolas Gillet - MARKET-IP <
nicolas.gil...@market-ip.com> wrote:
> Hello,
>
> Thank you for your answer Jonathan.
>
> I have never tried the instance-based security so I don't know which
> solution would suit the best.
> BTW my investigation lead me to wonder if the way I enabled the security on
> method was right.
>
> I tried to use a new voter of mine to secure a page and this worked fine
> ...
>
> Then I remembered that I had to enable myself security on method. With a
> standard configuration of TSS I could not put an @Secure annotation
> anywhere
> else than on a method of a page or component.
> If I tried to put one on a method it did nothing at all. No error but no
> security either.
> So after loads of searches and trials I could have it working adding those
> 3
> line in the applicationContext.xml
>
> <security:authentication-manager alias="providerManager" />
> <security:authentication-provider user-service-ref="userDao" />
> <security:global-method-security secured-annotations="enabled" />
>
> So far I could add an @Secure("ROLE_...") annotation on any method of my
> application.
>
> Then came the problem of DWR that was specifically excluded from Tapestry
> context. Here again, I had to solve it adding one more filter in the
> web.xml
> with a reference to a bean in the applicationContext.xml :
>
> <bean id="dwrFilterChainProxy"
> class="org.springframework.security.util.FilterChainProxy">
> <property name="filterInvocationDefinitionSource">
> <value>
> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
> PATTERN_TYPE_APACHE_ANT
> /**=httpSessionContextIntegrationFilter
> </value>
> </property>
> </bean>
>
> <bean id="httpSessionContextIntegrationFilter"
>
> class="org.springframework.security.context.HttpSessionContextIntegrationFil
> ter" />
>
> So now I can secure everything with @Secure("ROLE_...") in my application
> but I am not sure it his handled the right way ; especially because of the
> two instance do the AcessDecisionManager I saw and realized that the
> instance that was handling the security in the non-tapestry methods of my
> application looks like to be the one "dedicated to authentication" (the one
> containing a AuthenticatedVoter and a RoleVoter)
>
> I thought I found a solution using the "access-decision-manager-ref"
> property of the tag "security:global-method-security" used before but the
> reference to the AccessDecisionManager declared by TSS look unreachable.
> It is declared in the SecurityModule class like
>
> @Marker(SpringSecurityServices.class)
> public final AccessDecisionManager buildAccessDecisionManager {...}
>
> But when I write
>
> <security:global-method-security secured-annotations="enabled"
> access-decision-manager-ref="accessDecisionMnager" />
>
> I get a
> "NoSuchBeanDefinitionException :No bean named
> 'accessDecisionManager' is defined"
>
> This really starts annoy me :-( ...
>
> So has anyone ever secured a method out of a page/component (like in a
> class
> of a Service/Dao layer) with TSS and how ?
> Is there a way to configure the thing I had to put in XML in an appModule
> like the rest of TSS configuration ?
>
> Thanks for any input.
>
> Nicolas
>
> ----- original message -----
> > From : Jonathan Barker
> > To : Tapestry users
> > Objet : Re: TSS add custom voter
>
> > Nicolas,
>
> > Are you sure you want another AccessDecisionVoter?
>
> > This sounds more like you want instance-based security, available through
> > the spring-security-acl package. I can't help you much on code, because
> > what I have is using 2.0, with deprecated interfaces and classes, from my
> > evolution from Acegi. Specifically, my work involved custom
> implementations
> > of AclProvider. I do have an AclAuthorize component that I use in my
> > personal copy of tapestry-spring-security that could easily be adapted if
> > you wanted that.
>
> > Regards,
>
> > Jonathan
>
> Jonathan Barker
> ITStrategic
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>
>
