
How do I exclude URLs?



mraible
Dec 14th, 2004, 04:17 PM
I'm using good ol' container-managed authentication and migrating to Acegi. I'm protecting *.html in my web.xml and I allow some URLs to pass through using a <security-constraint> with no <auth-constraint>:


<!-- Allow anyone to access passwordHint and signup -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unrestricted</web-resource-name>
    <description>All users can view</description>
    <url-pattern>/passwordHint.html</url-pattern>
    <url-pattern>/signup.html</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
</security-constraint>

With Acegi, I've been able to get all of this working, except for the unprotected pages. Is there a way to manipulate the following expression so that a couple of URLs aren't protected?



<property name="objectDefinitionSource">
  <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /*.html=Administrators
  </value>
</property>


I'd rather not put these pages in a specific directory since I've (so far) been able to integrate Acegi w/o changing a single line of code. ;-)

Thanks,

Matt

mraible
Dec 15th, 2004, 11:49 PM
After reading many posts on this forum and seeing the "anonymous" user approach, I gave it a whirl. I got it to work, but I had to write quite a bit of code to do something that should be simple. So I scrapped it and hacked Acegi a bit to allow excluded URLs. Below is a patch that allows you to exclude URLs in your context file with the following syntax:



<property name="objectDefinitionSource">
  <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    !/signup.html=Foo
    !/passwordhint.html*=Foo
    /*.html*=Administrators
  </value>
</property>


I found that the "=Foo" is necessary, even though it's never used. Here's the patch/hack for the Ant pattern matching:



Index: core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java
===================================================================
RCS file: /cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java,v
retrieving revision 1.2
diff -u -r1.2 PathBasedFilterInvocationDefinitionMap.java
--- core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java	5 Dec 2004 05:04:52 -0000	1.2
+++ core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java	16 Dec 2004 00:46:51 -0000
@@ -113,6 +113,19 @@

while &#40;iter.hasNext&#40;&#41;&#41; &#123;
EntryHolder entryHolder = &#40;EntryHolder&#41; iter.next&#40;&#41;;
+
+ // If path starts with !, and it matches, return
+ if &#40;entryHolder.getAntPath&#40;&#41;.startsWith&#40;"!"&#41;&#41; &#123;
+ String pathToCompare =
+ entryHolder.getAntPath&#40;&#41;.substring&#40;1, entryHolder.getAntPath&#40;&#41;.length&#40;&#41;&#41;;
+ boolean matched = PathMatcher.match&#40;pathToCompare, url&#41;;
+ if &#40;matched&#41; &#123;
+ if &#40;logger.isDebugEnabled&#40;&#41;&#41; &#123;
+ logger.debug&#40;"Matched excluded URL, returning null"&#41;;
+ &#125;
+ return null;
+ &#125;
+ &#125;

boolean matched = PathMatcher.match&#40;entryHolder.getAntPath&#40;&#41;, url&#41;;
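Review bot: the exclusion only takes effect when the `!` entries precede every ordinary pattern that also matches the URL, because the loop still returns on the first ordinary hit at `boolean matched = PathMatcher.match(entryHolder.getAntPath(), url);`; with `/*.html*=Administrators` listed before `!/signup.html=Foo` the exclusion is never reached, so either document the ordering requirement or evaluate all `!` entries before the others. Two smaller points: add a `continue` after the `if (entryHolder.getAntPath().startsWith("!")) {` block, since a non-matching exclusion entry currently falls through to the ordinary matcher with the `!` still in the pattern; and include `url` and `pathToCompare` in `logger.debug("Matched excluded URL, returning null");`, because `return null` silently unprotects the request and an over-broad exclusion pattern is otherwise invisible in the log.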

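The following is an added example, not code from either post or from Acegi. It is a standalone model of the lookup that the patch above performs: an ordered list of Ant-style patterns, optional lower-casing of the URL, and a `!`-prefixed entry that returns "no attributes" (unprotected). The Ant matcher is a simplified re-implementation (assumption: `*` and `?` stay within one path segment, `**` spans segments), and the two definition strings are constructed from the configuration in the second post, once as posted and once with the catch-all listed first, to show why entry order decides whether an exclusion does anything.

```python
"""Model of the patched PathBasedFilterInvocationDefinitionMap lookup.

Added example, not Acegi's code. Assumptions: a simplified Ant matcher
('*' and '?' never cross '/', '**' does) and constructed definition text.
"""
import re
from typing import List, Optional, Tuple

LOWERCASE_DIRECTIVE = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON"
ANT_DIRECTIVE = "PATTERN_TYPE_APACHE_ANT"


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into a regex anchored at both ends."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # '**' may cross '/' boundaries
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            parts.append("[^/]*")       # '*' stays inside one path segment
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts) + r"\Z")


class PathBasedDefinitionMap:
    """Parses the objectDefinitionSource text format: directive lines, then
    'pattern=ROLE1,ROLE2' entries evaluated in order; the first match wins."""

    def __init__(self, definition: str, support_exclusions: bool = True) -> None:
        self.lowercase = False
        # (is_exclusion, compiled pattern, required roles)
        self.entries: List[Tuple[bool, "re.Pattern[str]", frozenset]] = []
        for raw in definition.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line == LOWERCASE_DIRECTIVE:
                self.lowercase = True
                continue
            if line == ANT_DIRECTIVE:
                continue
            path, sep, attrs = line.partition("=")
            if not sep:
                # Every entry needs '=', which is why the exclusion lines in
                # the post carry an unused '=Foo'.
                raise ValueError(f"entry without '=': {line!r}")
            excluded = support_exclusions and path.startswith("!")
            if excluded:
                path = path[1:]
            roles = frozenset(a.strip() for a in attrs.split(",") if a.strip())
            self.entries.append((excluded, ant_to_regex(path), roles))

    def lookup(self, url: str) -> Optional[frozenset]:
        """Roles required for url, or None for 'no attributes'. None is
        returned both for an excluded URL and for a URL no entry matches,
        so the caller cannot tell an exclusion from a forgotten rule."""
        if self.lowercase:
            url = url.lower()
        for excluded, regex, roles in self.entries:
            if regex.match(url):
                return None if excluded else roles
        return None


# Constructed from the second post: exclusions listed before the catch-all.
POSTED_DEFINITION = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
!/signup.html=Foo
!/passwordhint.html*=Foo
/*.html*=Administrators
"""

# Same entries with the catch-all first: the exclusions are never reached.
MISORDERED_DEFINITION = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/*.html*=Administrators
!/signup.html=Foo
!/passwordhint.html*=Foo
"""


def roles_for(definition: str, url: str,
              support_exclusions: bool = True) -> Optional[frozenset]:
    """Convenience wrapper: parse the definition and look up one URL."""
    return PathBasedDefinitionMap(definition, support_exclusions).lookup(url)


if __name__ == "__main__":
    for url in ("/signup.html", "/passwordHint.html?username=matt",
                "/mainMenu.html", "/admin/users.html"):
        print(f"{url:36} patched={roles_for(POSTED_DEFINITION, url)} "
              f"stock={roles_for(POSTED_DEFINITION, url, False)} "
              f"misordered={roles_for(MISORDERED_DEFINITION, url)}")
```

Three things the run makes visible. With the stock parser (`support_exclusions=False`) the `!` lines are ordinary entries whose pattern starts with `!`, so they never match and `/signup.html` is still handed to `Administrators`. With the patched behaviour the exclusions work only because they sit above `/*.html*`; the misordered definition silently protects `/signup.html` again. And `/*.html*` does not descend into subdirectories the way the container's `*.html` pattern did, so `/admin/users.html` returns no attributes at all; `/**/*.html*` is the Ant spelling of the original web.xml rule. All of this logic can live in your own implementation rather than a patched Acegi class, which is the point of the reply that follows.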
Ben Alex
Dec 16th, 2004, 02:37 PM
Don't forget ObjectDefinitionSource is an interface, so you can keep your customisations and they will (unless we modify the interface contract) be compatible with future releases of Acegi Security.

I still intend to code an anonymous user approach, as people might find it helpful for method security as well.