
Thread: Adding a New Role

  1. #1
    Join Date
    Feb 2007
    Posts
    143

    Adding a New Role

    Hi,

    I am trying to add a new role, ROLE_DEMO, to the existing contacts example.

    Here is my security.xml:

    Code:
    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
          <property name="authenticationManager"><ref bean="authenticationManager"/></property>
          <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
          <property name="objectDefinitionSource">
             <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /index.jsp=ROLE_ANONYMOUS,ROLE_USER,ROLE_DEMO
                /hello.htm=ROLE_ANONYMOUS,ROLE_USER,ROLE_DEMO
                /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER,ROLE_DEMO
                /switchuser.jsp=ROLE_SUPERVISOR
                /j_acegi_switch_user=ROLE_SUPERVISOR
                /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER,ROLE_DEMO
                /**=ROLE_USER,ROLE_DEMO
             </value>
          </property>
       </bean>

    This does not seem to be working.
    Do I need to override any other classes for this?
    Is it mandatory to have ROLE_ prefixed for all the roles?

    Thanks

  2. #2
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    When you say it's not working, what does that actually mean? You do need to ensure when the users are loaded the appropriate ones have the ROLE assigned otherwise you aren't going to be able to access the URL.

  3. #3
    Join Date
    Feb 2007
    Posts
    143

    If I assign the role ROLE_USER to the user, I am successfully logged into the application.
    But if I have the role as ROLE_DEMO or ADMINDS, for the same user, it gives me

    Code:
    Sorry, access is denied
    org.acegisecurity.AccessDeniedException: Access is denied 
    
    Authentication object as a String: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@4185c930: Username: org.acegisecurity.userdetails.User@fa7c0980: Username: CADAMS; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_DEMO; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 40BA25A77EB83451AF6D4AD682A1A995; Granted Authorities: ROLE_DEMO

  4. #4
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    I'm guessing this will be down to how you have secured your URLs. This is seen in the code you originally posted.

  5. #5
    Join Date
    Feb 2007
    Posts
    143

    I have the ROLE_USER working but not ROLE_DEMO (which gives access denied).
    Is there any other place where I need to include ROLE_DEMO other than filterInvocationInterceptor?

    Thanks

  6. #6
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    You need to make sure the user that is trying to access the URL is actually assigned the ROLE. If you are using InMemoryDaoImpl or something similar just add the ROLE to the User.

  7. #7
    Join Date
    Feb 2007
    Posts
    143

    Quote Originally Posted by karldmoore
    You need to make sure the user that is trying to access the URL is actually assigned the ROLE. If you are using InMemoryDaoImpl or something similar just add the ROLE to the User.

    By this do you mean adding in the database (I am using jdbcDaoImp)? I already have that added.

    What is the role of

    Code:
     <bean id="contactManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
          <property name="authenticationManager"><ref bean="authenticationManager"/></property>
          <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
          <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
          <property name="objectDefinitionSource">
             <value>
                sample.contact.ContactManager.create=ROLE_USER,CVADMIN
                sample.contact.ContactManager.getAllRecipients=ROLE_USER,CVADMIN
                sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ,CVADMIN
                sample.contact.ContactManager.getByUserId=ROLE_USER,SUPERVISOR,CVADMIN
                sample.contact.ContactManager.delete=ACL_CONTACT_DELETE
                sample.contact.ContactManager.deletePermission=ACL_CONTACT_ADMIN
                sample.contact.ContactManager.addPermission=ACL_CONTACT_ADMIN
             </value>
          </property>
       </bean>

    Thanks
    Vinaya

  8. #8
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    I don't remember using the word "database". All I was trying to say is there are two things to do. You need to secure the URL or object with the ROLE_, you then need to ensure the user actually has the ROLE_ assigned.

    So in the example you would add.
    Code:
    marissa=koala,ROLE_SUPERVISOR,ROLE_DEMO
    dianne=emu,ROLE_USER
    scott=wombat,ROLE_USER
    peter=opal,disabled,ROLE_USER
    Code:
    /secure/extreme/**=ROLE_SUPERVISOR,ROLE_DEMO
    /secure/**=IS_AUTHENTICATED_REMEMBERED
    /**=IS_AUTHENTICATED_ANONYMOUSLY
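
Added example (not part of the thread and not Acegi's own code): a simplified Java model of the two checks described in post #8, using that post's URL rules and users. It assumes RoleVoter's default `ROLE_` prefix and first-match rule ordering; the class name, the minimal pattern matcher and the `demoNoPrefix` user are constructed for illustration.

```java
import java.util.*;

// Simplified model of URL authorization by role (illustrative, not Acegi source).
public class RoleCheckDemo {
    static final String ROLE_PREFIX = "ROLE_"; // RoleVoter's default rolePrefix

    // Ordered rules from post #8: the first matching pattern decides.
    static final String[][] RULES = {
        {"/secure/extreme/**", "ROLE_SUPERVISOR,ROLE_DEMO"},
        {"/secure/**", "IS_AUTHENTICATED_REMEMBERED"},
        {"/**", "IS_AUTHENTICATED_ANONYMOUSLY"},
    };

    // Minimal matcher (assumption): only exact paths and a trailing "/**".
    static boolean matches(String pattern, String url) {
        if (pattern.endsWith("/**")) {
            String base = pattern.substring(0, pattern.length() - 3);
            return url.equals(base) || url.startsWith(base + "/");
        }
        return pattern.equals(url);
    }

    static List<String> attributesFor(String url) {
        for (String[] rule : RULES)
            if (matches(rule[0], url)) return Arrays.asList(rule[1].split(","));
        return Collections.emptyList();
    }

    // RoleVoter-style vote: 1 = granted, -1 = denied, 0 = abstain.
    static int roleVote(Collection<String> granted, List<String> attrs) {
        int result = 0;
        for (String attr : attrs) {
            if (!attr.startsWith(ROLE_PREFIX)) continue; // left to other voters
            result = -1;                                 // a role was required
            if (granted.contains(attr)) return 1;        // exact string match
        }
        return result;
    }

    public static void main(String[] args) {
        Map<String, List<String>> users = new LinkedHashMap<>();
        users.put("marissa", Arrays.asList("ROLE_SUPERVISOR", "ROLE_DEMO"));
        users.put("dianne", Arrays.asList("ROLE_USER"));
        users.put("demoNoPrefix", Arrays.asList("DEMO")); // constructed user
        List<String> attrs = attributesFor("/secure/extreme/index.htm");
        for (Map.Entry<String, List<String>> u : users.entrySet())
            System.out.println(u.getKey() + " -> " + roleVote(u.getValue(), attrs));
    }
}
```

A vote of 0 means the role voter abstained, so a configuration attribute without the prefix never produces a grant from it, and an authority that does not exactly match a required `ROLE_` attribute is denied.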

  9. #9
    Join Date
    Feb 2007
    Posts
    143

    Hi,

    Thanks,
    I got them working.

  10. #10
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    Nice, what did the problem end up being?
