Thread: Paranoid web-security? How-to?

  1. #1
    Join Date
    Nov 2004
    Location
    Bulgaria
    Posts
    35

    Paranoid web-security? How-to?

    Hello all.
    Recently I started implementing a web-based application.
    I like Acegi, and decided to give it a try.
    One of my colleagues had written something prior to my tests, and I decided to use that.

    However, I was very disappointed that I have to set up URL security by hand.

    In a couple of words: I have a user-only application that requires that the user authenticates prior to accessing any part of the application. However, when I did this:
    Code:
      <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="objectDefinitionSource">
          <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**=ROLE_USER
            /admin/**=ROLE_ADMIN
          </value>
        </property>
      </bean>
    I got held up by an infinite web-redirecting when the user tries to access the login page at /login.html, or /security_check or /index.jsp (which just redirects to the login page).
    I tried to find a way to disable security checks for the index and the login resources, but to no avail.

    So. Is it possible to exclude any resources from the security checks?
    I tried:
    Code:
    ...
            PATTERN_TYPE_APACHE_ANT
            /=
            /login.html=
            /index.jsp=
            /security_check=
            /**=ROLE_USER
    ...
    But this dies with a NPE when initializing the bean.

    The only (I don't like it, but...) way I found is to secure EVERYTHING except the login resources, but this approach is a complete PITA when it comes to a modularized application, where modules would be added, and the security module will not know anything about them.

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    See the Contacts Sample which demonstrates anonymous authentication. It addresses what you want to do. It's discussed at http://acegisecurity.sourceforge.net...y-ui-anonymous.
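
The anonymous-authentication approach the reply points to, sketched as an added example (not code from the thread or from the Contacts Sample): unauthenticated requests receive an anonymous token holding ROLE_ANONYMOUS, the login resources list that role, and the catch-all `/**=ROLE_USER` stays last so new modules are protected by default. Assumptions: the bean ids, the referenced `authenticationManager` and `accessDecisionManager` beans (with a role-based voter), and the key value are placeholders; class names are those of Acegi releases that ship the `net.sf.acegisecurity.providers.anonymous` package. Rules are evaluated in order and the first match wins, so `/admin/**` is placed before `/**`.

```xml
<!-- Added example. Bean ids and the key value are placeholders. -->

<!-- Gives every request that arrives without credentials an anonymous
     Authentication holding ROLE_ANONYMOUS. Place it in the filter chain after
     the real authentication filters and before the security interceptor. -->
<bean id="anonymousProcessingFilter"
      class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
  <property name="key"><value>CHANGE_ME_SHARED_KEY</value></property>
  <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
</bean>

<!-- Accepts the anonymous token. Add this bean to the ProviderManager's
     providers list; its key must equal the filter's key. -->
<bean id="anonymousAuthenticationProvider"
      class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
  <property name="key"><value>CHANGE_ME_SHARED_KEY</value></property>
</bean>

<bean id="filterInvocationInterceptor"
      class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <!-- Assumed to be defined elsewhere in the application context. -->
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
  <!-- Only the login resources are opened to ROLE_ANONYMOUS; /admin/** comes
       before /** so it is not shadowed; /** stays last as the default. -->
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /=ROLE_ANONYMOUS,ROLE_USER
      /login.html=ROLE_ANONYMOUS,ROLE_USER
      /index.jsp=ROLE_ANONYMOUS,ROLE_USER
      /security_check=ROLE_ANONYMOUS,ROLE_USER
      /admin/**=ROLE_ADMIN
      /**=ROLE_USER
    </value>
  </property>
</bean>
```

Keep the list of ROLE_ANONYMOUS entries as short as the login flow needs, and use a key of your own rather than the placeholder.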

  3. #3
    Join Date
    Nov 2004
    Location
    Bulgaria
    Posts
    35

    Yep! That's exactly what I was looking for. Many thanks.
