Hi,
We are in the process of integrating Acegi in our current project that uses Struts/Spring/Hibernate. So far we've managed to replace our authorization modules with Acegi's authentication package. However, we've been trying to figure out how FilterSecurityInterceptor works, specifically objectDefinitionSource. We are using Struts action mapping to forward/process requests across our application. The question is: how do we write these mappings to the objectDefinitionSource parameter?
For example:
In struts-config.xml
<action path="/path/action"
type="action.doSomething"
scope="request">
<forward name="doThis" path="/jsp/action.jsp" />
</action>
In our application context we try putting:
<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/path/.*\Z=ROLE_USER
\A/.*\Z=ROLE_USER,ROLE_ADMIN
</value>
</property>
</bean>
Now say I log in with a ROLE_ADMIN role, and click on the link with a URL that has /path/action, I am still able to see the page. Shouldn't the user be notified or not allowed to view this page? Or do I still need to place that explicitly on my JSP page?
Any suggestions/comments will be highly appreciated :-)
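
An added model of how the rule list in the post above is evaluated (not code from the original post and not Acegi's own source): patterns are tried in the order written, the first one that matches the request URL supplies the required roles, and a role-voter-style check grants access when the user holds any one of them. The class name UrlRuleModel and its methods are hypothetical, and java.util.regex stands in for whatever regex engine the framework uses.

```java
import java.util.*;
import java.util.regex.Pattern;

// Simplified model of ordered, first-match URL rule evaluation (illustrative, not Acegi source).
public class UrlRuleModel {
    private final boolean lowercase;
    private final Map<Pattern, Set<String>> rules = new LinkedHashMap<>(); // keeps rule order

    UrlRuleModel(String definition) {
        boolean lower = false;
        for (String raw : definition.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty()) continue;
            if (line.equals("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON")) { lower = true; continue; }
            int eq = line.lastIndexOf('='); // pattern on the left, comma-separated roles on the right
            rules.put(Pattern.compile(line.substring(0, eq)),
                      new LinkedHashSet<>(Arrays.asList(line.substring(eq + 1).split(","))));
        }
        lowercase = lower;
    }

    // Roles attached to the first pattern that matches; later patterns are never consulted.
    Set<String> requiredRoles(String url) {
        String u = lowercase ? url.toLowerCase() : url;
        for (Map.Entry<Pattern, Set<String>> e : rules.entrySet())
            if (e.getKey().matcher(u).matches()) return e.getValue();
        return Collections.emptySet(); // no rule matched: URL is not secured in this model
    }

    // Granted when the user holds at least one of the required roles.
    boolean allowed(String url, Set<String> held) {
        Set<String> need = requiredRoles(url);
        return need.isEmpty() || !Collections.disjoint(need, held);
    }

    public static void main(String[] args) {
        // Rule text copied from the post's objectDefinitionSource value.
        UrlRuleModel m = new UrlRuleModel(
            "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON\n"
          + "\\A/path/.*\\Z=ROLE_USER\n"
          + "\\A/.*\\Z=ROLE_USER,ROLE_ADMIN\n");
        Set<String> admin = Collections.singleton("ROLE_ADMIN"); // constructed sample user
        System.out.println("/path/action -> " + m.allowed("/path/action", admin)); // first rule decides
        System.out.println("/Path/Action -> " + m.allowed("/Path/Action", admin)); // lowercased first
        System.out.println("/other/page  -> " + m.allowed("/other/page", admin));  // catch-all rule
    }
}
```

Because the first matching line decides, the catch-all line that lists ROLE_ADMIN is never consulted for URLs under /path/.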


