Jan 21st, 2006, 08:26 PM
How to disable redirect on secure resources?
I'm securing a bunch of URLs for session based access. I have 2 questions:
Can I configure Acegi to not redirect on unauthenticated access to a resource? I.e., I would rather get a 403 access denied response for an unauthenticated request to a secure resource, rather than a redirect to the loginFormUrl (I want to manually control logins).
If the above is possible, can I secure some URLs with a configured redirect, and other URLs with a straight 403 (for unauthenticated access)?
Jan 24th, 2006, 01:17 AM
Looking at org.acegisecurity.intercept.web.SecurityEnforcementFilter, I'm concluding that I can't configure Acegi to report a 403 (rather than redirect) when an authentication exception occurs.
Is anyone able to confirm this?
Jan 24th, 2006, 02:09 AM
ok - this isn't such a big deal!
Better solutions notwithstanding (and for those interested), what I've done is set the authenticationEntryPoint loginFormUrl to a custom XML 'Denied Access' file (I called it 403.xml). The redirected logins are never used to log in - they return the XML file, which with the correct exception format (be it a SOAP fault or your own fault format) will be picked up within your AJAX response handler. Make sure to give the file an .xml extension so it's served up with an XML MIME type (not important if the response is JSON).
Then, the client app can dynamically post to j_acegi_security_check to login when it gets a 403.xml response.
Jan 25th, 2006, 09:35 PM
You could also configure a SecurityEnforcementFilter.authenticationEntryPoint which handles authentication failures in a custom manner as well.
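An added example of the custom-entry-point approach suggested above (it is not code from the thread or from the Acegi project). It implements the Acegi `org.acegisecurity.ui.AuthenticationEntryPoint` interface so that unauthenticated requests under configured path prefixes get a plain 403 for the AJAX client to handle, while every other secured URL still redirects to the login form, which covers both of the original questions. The class name `SelectiveAuthenticationEntryPoint`, the package, and the `loginFormUrl` / `denyPathPrefixes` property names are assumptions chosen for this example.

```java
package example.web; // assumed package for this example

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.acegisecurity.AuthenticationException;
import org.acegisecurity.ui.AuthenticationEntryPoint;

/**
 * Entry point (example, not part of Acegi) that answers unauthenticated
 * requests under some URL prefixes with a bare 403, and redirects all other
 * unauthenticated requests to the normal login form.
 */
public class SelectiveAuthenticationEntryPoint implements AuthenticationEntryPoint {

    /** Context-relative login form URL, e.g. "/login.jsp". */
    private String loginFormUrl;

    /** Context-relative path prefixes that get a 403 instead of a redirect, e.g. "/ajax/". */
    private String[] denyPathPrefixes = new String[0];

    public void commence(ServletRequest request, ServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        if (loginFormUrl == null) {
            throw new ServletException("loginFormUrl must be configured");
        }

        // Servlet path plus path info gives the context-relative request path.
        String path = httpRequest.getServletPath();
        if (httpRequest.getPathInfo() != null) {
            path += httpRequest.getPathInfo();
        }

        if (isDenyPath(path)) {
            // No redirect: the AJAX response handler sees the status code and
            // decides for itself whether to post credentials to
            // j_acegi_security_check. A fixed message avoids echoing exception
            // details to the client.
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Authentication required");
            return;
        }

        // Ordinary browser navigation: send the user to the login form.
        String target = httpRequest.getContextPath() + loginFormUrl;
        httpResponse.sendRedirect(httpResponse.encodeRedirectURL(target));
    }

    /** True when the request path starts with one of the configured prefixes. */
    boolean isDenyPath(String path) {
        for (int i = 0; i < denyPathPrefixes.length; i++) {
            if (path.startsWith(denyPathPrefixes[i])) {
                return true;
            }
        }
        return false;
    }

    public void setLoginFormUrl(String loginFormUrl) {
        this.loginFormUrl = loginFormUrl;
    }

    public void setDenyPathPrefixes(String[] denyPathPrefixes) {
        this.denyPathPrefixes = denyPathPrefixes;
    }
}
```

Wire it in place of the default entry point by defining it as a bean (with `loginFormUrl` and `denyPathPrefixes` set) and referencing that bean from the `authenticationEntryPoint` property of the `SecurityEnforcementFilter` bean; the entry point only fires for `AuthenticationException`, so requests from users who are logged in but not authorized still go through the filter's access-denied handling, not this class. Note that 403 is what the thread asks for, but 401 is the HTTP status that conventionally means "not authenticated"; either works as long as the AJAX handler checks for it.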
Jan 25th, 2006, 09:46 PM