Mar 11th, 2008, 06:33 PM
Authorizing access to domain objects in an AbstractMarshallingPayloadEndpoint context
I have a use case where a user should only have access to certain domain objects.
The user has already been authenticated via Acegi from their Spring MVC login and an ACEGI_SECURITY_CONTEXT exists before they use the Spring webservices to access their domain objects.
So I'd like to access their ACEGI_SECURITY_LAST_USERNAME and/or ACEGI_SECURITY_CONTEXT to get the current username. I can then check to see that they are trying to access their own domain objects and deny access if they don't "own" them.
Unfortunately, AbstractMarshallingPayloadEndpoint passes an unmarshalled requestObject to the invokeInternal() method. The method only receives the unmarshalled requestObject, so it looks like I don't have any access to the Acegi data in that context.
Is there any way to get access to the Acegi data in the AbstractMarshallingPayloadEndpoint context? I'd include the username in the message body but that would be an obvious security exposure.
Mar 18th, 2008, 07:10 PM
SecurityContextHolder.getContext().getAuthentication().getName() would give you the user name.
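One way to apply that inside the endpoint, as an added example rather than code from either poster: it assumes Acegi 1.x (org.acegisecurity.*), Spring-WS 1.x, and hypothetical GetAccountRequest/GetAccountResponse payload types plus an AccountRepository that exposes each account's owner username.

```java
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationCredentialsNotFoundException;
import org.acegisecurity.context.SecurityContextHolder;
import org.springframework.ws.server.endpoint.AbstractMarshallingPayloadEndpoint;

/** Marshalling endpoint that refuses to return domain objects the caller does not own. */
public class AccountEndpoint extends AbstractMarshallingPayloadEndpoint {

    private final AccountRepository accountRepository; // hypothetical DAO

    public AccountEndpoint(AccountRepository accountRepository) {
        this.accountRepository = accountRepository;
    }

    protected Object invokeInternal(Object requestObject) throws Exception {
        GetAccountRequest request = (GetAccountRequest) requestObject; // hypothetical unmarshalled type

        // The Acegi context is thread-local: it is only populated here if
        // HttpSessionContextIntegrationFilter (or an equivalent) runs in the
        // filter chain in front of the MessageDispatcherServlet, so the check
        // below fails closed when it is missing.
        String caller = currentUsername();

        Account account = accountRepository.findById(request.getAccountId()); // hypothetical
        if (account == null || !caller.equals(account.getOwnerUsername())) {
            // Same outcome for "missing" and "not yours" so callers cannot probe ids.
            throw new AccessDeniedException("Account not accessible to " + caller);
        }
        return new GetAccountResponse(account);
    }

    /** Reads the username from the Acegi context, never from the message body. */
    static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AuthenticationCredentialsNotFoundException("No authenticated caller on this thread");
        }
        return auth.getName();
    }
}
```

Throwing rather than returning an empty payload lets the dispatcher's exception resolver turn the refusal into a SOAP fault, and the rejected caller and account id can be logged server-side for audit.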