
Thread: authorization based on HTTP method

  1. #1

    Hi,
    I am building an application based heavily on REST principles: we use http methods for CRUD operations.

    This means that, given the URL http://somesite.com/contacts:
    • To create a contact, send a POST request with the user info to the above URL.
    • To delete a contact, send a DELETE request to http://somesite.com/contacts/3456, where 3456 is the ID of the contact.
    • To get a contact, send a GET request to the URL from the delete example.

    While reading up on Acegi I remember coming across a snippet saying that Acegi URL filters can accommodate HTTP methods for authorization. So I would be able to say that only ROLE_ADMIN can submit an HTTP DELETE request for a contact.

    The Servlet spec supports filtering by http-method through <security-constraint>; see page 96 of the 2.4 Servlet API specification available from Sun. Since the Servlet API appears to be separate from the Acegi security filtering, I assume there is some other mechanism for connecting the method to authorization in some Acegi configuration.

  2. #2

    Acegi Security does not presently offer this capability.

    However, it shouldn't be too difficult to add. You'd basically be looking at a custom FilterInvocationDefinitionSource (see http://acegisecurity.sourceforge.net...ionSource.html), or modifying one of the existing implementations. As noted in the JavaDocs, FilterInvocationDefinitionSource operates with the FilterInvocation secure object, which in turn provides the HttpServletRequest and therefore can take into account the HTTP method as well as the URI pattern.

    Your main decision is how to represent the new FilterInvocationDefinitionSource syntax at a property editor level. A suggestion is below:

    Code:
    /foo/bar.html:POST,DELETE=ROLE_FOO     (for POST or DELETE HTTP methods)
    /secure/*:GET=ROLE_BAR                 (only for GET HTTP method)
    /account/something=ROLE_BAR            (implies all HTTP methods)

    If you'd like to implement this with the existing classes, I would be pleased to add it to CVS. I expect the AbstractFilterInvocationDefinitionSource.lookupAttributes() abstract method would need to change to allow the HTTP method to be passed to the subclass.

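As an added, standalone illustration of the syntax proposed in the reply above (this is not Acegi's code, and the class name MethodAwareDefinitionSource, its methods and the sample rules are assumptions for the example), the following parses `path[:METHOD,METHOD]=ROLE,ROLE` lines and answers which roles may send a given HTTP method to a given URI. It mirrors two Acegi conventions the reply relies on: Ant-style path patterns and first-match-wins lookup, with URLs compared case-insensitively. Wiring it into Acegi would mean returning these roles as a ConfigAttributeDefinition from a FilterInvocationDefinitionSource, which is left out here.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Parses "path[:METHOD,METHOD]=ROLE,ROLE" lines and looks up the roles required for a
 *  (HTTP method, URI) pair. Standalone example; names are assumptions, not Acegi's API. */
public class MethodAwareDefinitionSource {

    /** One rule; an empty method set means the rule applies to every HTTP method. */
    static final class Rule {
        final Pattern path; final Set<String> methods; final List<String> roles;
        Rule(Pattern path, Set<String> methods, List<String> roles) {
            this.path = path; this.methods = methods; this.roles = roles;
        }
    }

    private final List<Rule> rules = new ArrayList<Rule>();

    /** One rule per line; blank lines and '#' comments are skipped. */
    public static MethodAwareDefinitionSource parse(String text) {
        MethodAwareDefinitionSource source = new MethodAwareDefinitionSource();
        for (String raw : text.split("\\r?\\n")) {
            String line = raw.trim();
            if (line.length() == 0 || line.startsWith("#")) continue;
            int eq = line.indexOf('=');
            if (eq < 0) throw new IllegalArgumentException("missing '=' in rule: " + line);
            String left = line.substring(0, eq).trim();
            int colon = left.indexOf(':');
            String pattern = colon < 0 ? left : left.substring(0, colon).trim();
            Set<String> methods = new HashSet<String>();
            if (colon >= 0) {
                for (String m : left.substring(colon + 1).split(",")) {
                    String method = m.trim().toUpperCase(Locale.ENGLISH);
                    if (method.length() == 0) throw new IllegalArgumentException("empty method in: " + line);
                    methods.add(method);
                }
            }
            List<String> roles = new ArrayList<String>();
            for (String r : line.substring(eq + 1).split(",")) if (r.trim().length() > 0) roles.add(r.trim());
            if (pattern.length() == 0 || roles.isEmpty())
                throw new IllegalArgumentException("rule needs a path and a role: " + line);
            // Patterns are lower-cased to mirror Acegi's default case-insensitive URL comparison.
            source.rules.add(new Rule(antToRegex(pattern.toLowerCase(Locale.ENGLISH)), methods, roles));
        }
        return source;
    }

    /** Ant-style: '*' stays inside one path segment, '**' spans segments; everything else is literal. */
    static Pattern antToRegex(String ant) {
        StringBuilder regex = new StringBuilder("^");
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c != '*') {
                regex.append(Pattern.quote(String.valueOf(c)));
            } else if (i + 1 < ant.length() && ant.charAt(i + 1) == '*') {
                regex.append(".*"); i++;
            } else {
                regex.append("[^/]*");
            }
        }
        return Pattern.compile(regex.append('$').toString());
    }

    /** First matching rule wins (as in Acegi's path-based map); null when no rule matches. */
    public List<String> requiredRoles(String httpMethod, String requestUri) {
        String method = httpMethod.trim().toUpperCase(Locale.ENGLISH);
        int q = requestUri.indexOf('?');
        String path = (q < 0 ? requestUri : requestUri.substring(0, q)).toLowerCase(Locale.ENGLISH);
        for (Rule rule : rules) {
            if (!rule.methods.isEmpty() && !rule.methods.contains(method)) continue;
            if (rule.path.matcher(path).matches()) return rule.roles;
        }
        return null;
    }

    /** Fails closed: a request no rule covers is denied here, unlike Acegi's default of treating it as public. */
    public boolean isAllowed(String httpMethod, String requestUri, List<String> granted) {
        List<String> required = requiredRoles(httpMethod, requestUri);
        if (required == null) return false;
        for (String role : required) if (granted.contains(role)) return true;
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample rules for the /contacts resource from the question; most specific first.
        String config =
              "/contacts/*:DELETE=ROLE_ADMIN\n"
            + "/contacts/*:GET=ROLE_USER,ROLE_ADMIN\n"
            + "/contacts:POST=ROLE_USER,ROLE_ADMIN\n"
            + "# catch-all so that methods not listed above (e.g. PUT) are not left open\n"
            + "/**=ROLE_ADMIN\n";
        MethodAwareDefinitionSource source = parse(config);
        List<String> user = Arrays.asList("ROLE_USER");
        List<String> admin = Arrays.asList("ROLE_USER", "ROLE_ADMIN");
        System.out.println("DELETE /contacts/3456 as user:  " + source.isAllowed("DELETE", "/contacts/3456", user));
        System.out.println("DELETE /contacts/3456 as admin: " + source.isAllowed("DELETE", "/contacts/3456", admin));
        System.out.println("GET /Contacts/3456?v=1 as user: " + source.isAllowed("GET", "/Contacts/3456?v=1", user));
        System.out.println("PUT /contacts/3456 as user:     " + source.isAllowed("PUT", "/contacts/3456", user));
    }
}
```

Two points worth checking before using a syntax like this in production. First, because the first matching rule wins, a method-qualified rule such as `/contacts/*:DELETE=ROLE_ADMIN` says nothing about PUT or HEAD on the same path; without a trailing catch-all rule those methods fall through to whatever the interceptor does for unmatched URLs, which in Acegi is to treat them as public unless the interceptor is configured to reject public invocations. Second, the filter only sees the request method the container reports; if the application itself honours a method-override parameter or header (turning a POST into a DELETE after the filter has run), the per-method rule can be sidestepped, so any such override must be applied before the authorization decision or not at all.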