I had to rewrite these classes in order to meet two requirements, and I want to know if these are of general interest:

  • Add a property 'rolePrefix' to SecurityContextHolderAwareRequestFilter. This is passed on to the SecurityContextHolderAwareRequestWrapper. The prefix, if set, is prepended to the role name before comparison in the isUserInRole method. For example, if set to 'ROLE_', It allows you to write
    Code:
    request.isUserInRole("Admin")
    insted of
    Code:
    request.isUserInRole("ROLE_Admin")
  • We use the <error-page> mechanism to display errors in the web application. At least in Tomcat, and when Acegi is configured to use a <url-pattern> for the filter mapping, the Acegi filters bypassed when the error page is rendered. If you use the HttpSessionContextIntegrationFilter in your filter chain, the SecurityContext is gone when you render the error page.

    I solved this problem by putting the SecurityContext as an attribute of the HttpServletRequest. This is done in the SecurityContextHolderAwareRequestFilter when it wraps the request (although this could perhaps be refactored out into a separate filter). When the wrapper tries to find the Authetication object, and none is found in the SecurityContextHolder, it tries the request attribute to see if it is there before giving up and returning null.


Comments?