Thread: Authorizing access to domain objects in an AbstractMarshallingPayloadEndpoint context

  1. #1
    Join Date
    Oct 2006
    Location
    San Francisco Bay Area
    Posts
    11

    Authorizing access to domain objects in an AbstractMarshallingPayloadEndpoint context

    I have a use case where a user should only have access to certain domain objects.

    The user has already been authenticated via Acegi from their Spring MVC login and an ACEGI_SECURITY_CONTEXT exists before they use the Spring webservices to access their domain objects.

    So I'd like to access their ACEGI_SECURITY_LAST_USERNAME and/or ACEGI_SECURITY_CONTEXT to get the current username. I can then check to see that they are trying to access their own domain objects and deny access if they don't "own" them.

    Unfortunately, AbstractMarshallingPayloadEndpoint passes an unmarshalled requestObject to the invokeInternal() method. The method only receives the unmarshalled requestObject, so it looks like I don't have any access to the Acegi data in that context.

    Is there any way to get access to the Acegi data in the AbstractMarshallingPayloadEndpoint context? I'd include the username in the message body but that would be an obvious security exposure.

  2. #2
    Join Date
    Nov 2007
    Posts
    122

    SecurityContextHolder.getContext().getAuthentication().getName() would give you the user Name.
