View Full Version : SecureCommandConfigurer
Nov 22nd, 2004, 09:32 PM
SecureCommandConfigurer receives the login and logout events but does not update the commands as yet (a big TODO in the code).
Could you please let me know how rcp intends to handle this and I could look at implementing it for you.
Nov 23rd, 2004, 12:04 AM
The SecureCommandConfigurer should most likely be obsoleted. In general, I think the commands themselves should react to LoginEvents and disable themselves accordingly. We need to look at providing an AbstractSecureActionCommand or similiar action to make this easy.
Nov 23rd, 2004, 10:13 AM
Along these same lines, we have the requirement that some secured commands should simply not be visible (as opposed to not enabled)... would it make sense to add visibility to Guarded?
Nov 23rd, 2004, 01:10 PM
I think this would particularly useful for subclasses of CommandGroup - e.g a SecureCommandGroup subclass, which knowledge about the current user and the roles required for this group to be enabled and visible.
Nov 23rd, 2004, 01:40 PM
Just curious..... What remoting protocol are most Spring Rich clients using? I've added to Acegi Security core CVS two "better" integrations with remoting protocols than RemotingSecurityConfigurer. Now HttpInvoker and RMI invocations will automatically populate themselves with the ContextHolder-derived username and password (or the entire ContextHolder in RMI's case) at each invocation time. But are people using these protocols primarily, or others?
Nov 23rd, 2004, 03:55 PM
For now I'm using HttpInvoker (actually, I'm using a modified form of HttpInvoker, see this thread: http://forum.springframework.org/showthread.php?t=10753= ). What I've done is created an interface "AuthorizationAware" that any bean (including bean factories, such as my BasicAuthHttpInvokerProxyFactoryBean) can implement. If a bean in the application context implements this interface then it will be automatically injected with authorization information whenever the user logs in or out. This separates my invoker from any kind of security implementation (such as Acegi), and is slightly easier to use than application events.
Nov 29th, 2004, 05:28 PM
Hi Andy, an interesting approach. I just added a comment to that thread showing Acegi Security's approach to HttpInvoker extension. I think I'll soon add an interceptor which takes a list of classnames, expecting each class to provide a setUsername and setPassword method. At invocation time it will scan the IoC container for any instances, setting calling the respective setters based on the contents of the ContextHolder. This should eliminate the need for the SecureCommandConfigurer entirely.
Powered by vBulletin® Version 4.2.1 Copyright © 2013 vBulletin Solutions, Inc. All rights reserved.