
Thread: How to disable redirect on secure resources?

  1. #1
    Join Date
    Jan 2006
    Location
    Melbourne, Australia
    Posts
    4


    Hi all,

    I'm securing a bunch of URLs for session based access. I have 2 questions:

    1.
    Can I configure Acegi to not redirect on unauthenticated access to a resource? I.e. I would rather get a 403 Access Denied response for an unauthenticated request to a secure resource, rather than a redirect to the loginFormUrl (I want to manually control logins).

    2.
    If the above is possible, can I secure some URLs with a configured redirect, and other URLs with a straight 403 (for unauthenticated access)?


    Cheers,
    Simon

  2. #2
    Join Date
    Jan 2006
    Location
    Melbourne, Australia
    Posts
    4


    Looking at org.acegisecurity.intercept.web.SecurityEnforcementFilter, I'm concluding that I can't configure Acegi to report a 403 (rather than redirect) when an authentication exception occurs.

    Is anyone able to confirm this?

    This is a pain for AJAX-styled apps, where redirecting to login on an AJAX-accessed resource won't achieve anything. If I can't pick up an HTTP 403, I must check every AJAX response for an HTML login page, and interpret that as a 403. This adds another layer to the AJAX response handler, which normally deals with only XML or JavaScript Object Notation.

  3. #3
    Join Date
    Jan 2006
    Location
    Melbourne, Australia
    Posts
    4


    OK - this isn't such a big deal!

    Better solutions notwithstanding (and for those interested), what I've done is set the authenticationEntryPoint loginFormUrl to a custom XML 'Denied Access' file (I called it 403.xml). The redirected logins are never used to log in - they return the XML file, which with the correct exception format (be it a SOAP fault or your own fault format) will be picked up within your AJAX response handler. Make sure to give the file an .xml extension so it's served up with an XML MIME type (not important if the response is JSON).

    Then, the client app can dynamically post to j_acegi_security_check to login when it gets a 403.xml response.

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    You could also configure a SecurityEnforcementFilter.authenticationEntryPoint which handles authentication failures in a custom manner as well.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security
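Ben's suggestion of a custom authenticationEntryPoint, as an added example written for this thread rather than code from the forum or from Acegi itself: an entry point that answers unauthenticated AJAX requests with a plain 403 (detected by the X-Requested-With header or by a path prefix, which also covers question 2) and sends everything else to the normal login-form redirect. It assumes Acegi 1.0.x (org.acegisecurity.*); the class name, the "/ajax/" prefix and the header check are illustrative choices, not Acegi API.

```java
// Added example, not from the thread or the Acegi project. Assumes Acegi 1.0.x.
// AjaxAwareEntryPoint, the "/ajax/" prefix and the X-Requested-With check are
// illustrative choices, not part of Acegi.
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.ui.AuthenticationEntryPoint;
import org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint;

public class AjaxAwareEntryPoint implements AuthenticationEntryPoint {
    // Acegi's standard entry point handles the browser (redirect) case for us.
    private final AuthenticationProcessingFilterEntryPoint formEntryPoint =
        new AuthenticationProcessingFilterEntryPoint();
    private String ajaxPrefix = "/ajax/";   // hypothetical: URLs that must never be redirected

    public void setLoginFormUrl(String url) { formEntryPoint.setLoginFormUrl(url); }
    public void setAjaxPrefix(String prefix) { this.ajaxPrefix = prefix; }

    // Decision kept in its own method so it can be unit-tested without a container.
    boolean wantsPlain403(HttpServletRequest req) {
        String path = req.getServletPath()
            + (req.getPathInfo() == null ? "" : req.getPathInfo());
        boolean xhr = "XMLHttpRequest".equals(req.getHeader("X-Requested-With"));
        return xhr || path.startsWith(ajaxPrefix);
    }

    public void commence(ServletRequest request, ServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (wantsPlain403(req)) {
            // No redirect: the AJAX handler sees the status code and a small XML body.
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            resp.setContentType("application/xml");
            resp.getWriter().write("<error>authentication required</error>");
            return;
        }
        // Ordinary navigation: fall back to the standard login-form redirect.
        formEntryPoint.commence(request, response, authException);
    }
}
```

Wire it as the authenticationEntryPoint property of the SecurityEnforcementFilter bean in place of AuthenticationProcessingFilterEntryPoint, setting loginFormUrl on it exactly as before.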

  5. #5
    Join Date
    Jan 2006
    Location
    Melbourne, Australia
    Posts
    4


    OK - thanks Ben
