Thread: How do I exclude URLs?

  1. #1
    Join Date
    Aug 2004
    Location
    Denver
    Posts
    249

    Default How do I exclude URLs?

    I'm using good ol' container-managed authentication and migrating to Acegi. I'm protecting *.html in my web.xml and I allow some URLs to pass through using a <security-constraint> with no <auth-constraint>:

    Code:
        <!-- Allow anyone to access passwordHint and signup -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Unrestricted</web-resource-name>
                <description>All users can view</description>
                <url-pattern>/passwordHint.html</url-pattern>
                <url-pattern>/signup.html</url-pattern>
                <http-method>POST</http-method>
                <http-method>GET</http-method>
            </web-resource-collection>
        </security-constraint>
    With Acegi, I've been able to get all of this working, except for the unprotected pages. Is there a way to manipulate the following expression so that a couple of URLs aren't protected?

    Code:
     		<property name="objectDefinitionSource">
    			<value>
    			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			    PATTERN_TYPE_APACHE_ANT
    				/*.html=Administrators
    			</value>
    		</property>
    I'd rather not put these pages in a specific directory since I've (so far) been able to integrate Acegi w/o changing a single line of code. ;-)

    Thanks,

    Matt

  2. #2
    Join Date
    Aug 2004
    Location
    Denver
    Posts
    249

    Default Excluding URLs [solution]

    After reading many posts on this forum and seeing the "anonymous" user approach, I gave it a whirl. I got it to work, but I had to write quite a bit of code to do something that should be simple. So I scrapped it and hacked Acegi a bit to allow excluded URLs. Below is a patch that allows you to exclude URLs in your context file with the following syntax:

    Code:
     		<property name="objectDefinitionSource">
    			<value>
    			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			    PATTERN_TYPE_APACHE_ANT
    				!/signup.html=Foo
    				!/passwordhint.html*=Foo
    				/*.html*=Administrators
    			</value>
    		</property>
    I found that the "=Foo" is necessary, even though it's never used. Here's the patch/hack for the Ant pattern matching:

    Code:
    Index&#58; core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java
    ===================================================================
    RCS file&#58; 
    
    /cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationD
    
    efinitionMap.java,v
    retrieving revision 1.2
    diff -u -r1.2 PathBasedFilterInvocationDefinitionMap.java
    --- core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java	5 Dec 2004 
    
    05&#58;04&#58;52 -0000	1.2
    +++ core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java	16 Dec 2004 
    
    00&#58;46&#58;51 -0000
    @@ -113,6 +113,19 @@
     
             while &#40;iter.hasNext&#40;&#41;&#41; &#123;
                 EntryHolder entryHolder = &#40;EntryHolder&#41; iter.next&#40;&#41;;
    +            
    +            // If path starts with !, and it matches, return
    +            if &#40;entryHolder.getAntPath&#40;&#41;.startsWith&#40;"!"&#41;&#41; &#123;
    +                String pathToCompare = 
    +                    entryHolder.getAntPath&#40;&#41;.substring&#40;1, entryHolder.getAntPath&#40;&#41;.length&#40;&#41;&#41;;
    +                boolean matched = PathMatcher.match&#40;pathToCompare, url&#41;;
    +                if &#40;matched&#41; &#123;
    +                    if &#40;logger.isDebugEnabled&#40;&#41;&#41; &#123;
    +                        logger.debug&#40;"Matched excluded URL, returning null"&#41;;
    +                    &#125;
    +                    return null;
    +                &#125;
    +            &#125;
     
                 boolean matched = PathMatcher.match&#40;entryHolder.getAntPath&#40;&#41;, url&#41;;
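
    Review bot: in the new `!` branch, an entry that starts with `!` but does not match falls through to the existing `PathMatcher.match(entryHolder.getAntPath(), url)` call with the `!` still in the pattern; add a `continue` after the inner `if (matched)` block so exclusion entries are never evaluated as ordinary patterns. The check runs per entry inside the `while (iter.hasNext())` loop, so a `!` entry is only consulted in list order and should be documented as needing to come before the pattern it carves an exception out of. `return null` drops every configuration attribute for the URL, so the debug message should include the pattern and the URL to make unprotected requests auditable, and `substring(1, entryHolder.getAntPath().length())` can be shortened to `substring(1)`.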

  3. #3
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    Don't forget ObjectDefinitionSource is an interface, so you can keep your customisations and they will (unless we modify the interface contract) be compatible with future releases of Acegi Security.

    I still intend to code an anonymous user approach, as people might find it helpful for method security as well.
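
The ordering behaviour of the `!` syntax from post #2, modelled as an added example (not Acegi code and not part of the thread). The class name, the simplified Ant matcher and the sample URLs are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
// Simplified model of an ordered URL map with "!" exclusions; not Acegi code.
public class ExclusionOrderDemo {
    private final List<String[]> entries = new ArrayList<>(); // {pattern, attribute}

    void add(String pattern, String attribute) {
        entries.add(new String[] {pattern, attribute});
    }
    // Stand-in for Acegi's Ant matcher (assumption): handles **, * and ? only.
    static Pattern antToRegex(String ant) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (ant.startsWith("**", i)) { sb.append(".*"); i++; }
            else if (c == '*') sb.append("[^/]*");
            else if (c == '?') sb.append("[^/]");
            else sb.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(sb.toString());
    }

    // First matching entry wins; null means "no attributes", i.e. unprotected.
    String lookup(String url) {
        String u = url.toLowerCase(); // CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        for (String[] e : entries) {
            boolean excluded = e[0].startsWith("!");
            String pattern = excluded ? e[0].substring(1) : e[0];
            if (antToRegex(pattern).matcher(u).matches()) {
                return excluded ? null : e[1];
            }
        }
        return null;
    }

    public static void main(String[] args) {
        ExclusionOrderDemo good = new ExclusionOrderDemo();
        good.add("!/signup.html", "Foo");
        good.add("!/passwordhint.html*", "Foo");
        good.add("/*.html*", "Administrators");
        ExclusionOrderDemo bad = new ExclusionOrderDemo(); // exclusion listed too late
        bad.add("/*.html*", "Administrators");
        bad.add("!/signup.html", "Foo");
        // Constructed sample URLs.
        String[] urls = {"/signup.html", "/passwordHint.html?username=x", "/users.html", "/passwordhint.html.bak"};
        for (String url : urls) System.out.println(url + " -> good=" + good.lookup(url) + ", bad=" + bad.lookup(url));
    }
}
```

With the second ordering `/signup.html` still resolves to `Administrators`, because the protecting pattern matches before the exclusion is reached. The trailing `*` on the exclusion also leaves `/passwordhint.html.bak` unprotected, so exclusion patterns are worth keeping as narrow as the application allows.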
