This document is a brief description of the processing that occurs to authenticate and authorize an HTTP request using Acegi and the SAIS Framework, highlighting features that are useful for application developers to know about.
The processing has two parts. One part is performed by Acegi, and the other part is performed by SAIS framework code.
...
Acegi itself and the SAIS framework components are all configured using the Spring context. Configurations for Acegi and framework components related to it are found in the applicationContext-common-security.xml of an application or in SAIS Common. Some configuration entries in web.xml and applicationContext-web.xml are also important. These files contain many more entries than are described in this document; however, it is unusual to have to change entries not discussed here.
The configuration bean for the filter chain is called the filterChainProxy. Here is a sample configuration:
...
There are a couple of things that are required to use this filter. First, there must be a role, usually in the MIT Roles database, associated with users allowed to do the impersonation. Second, the login url should be protected at the page level with this role (see below). Third, the login url, and a logout url, should be implemented and configured on the filter. Fourth, the filter should be added to the filterChainProxy bean configuration, after the filterSecurityInterceptor, since we have to get the "can impersonate" role first. (Example TBD)
Page level security
One may also configure a mapping of roles to page urls. In the example above, where we were testing if a user had the instructor role before showing them a page to select sections to view, instead of writing code we could simply have declared our protection like this:
...
and the Acegi framework would have invoked the access denied handler when a user who did not have this role tried to access the page. We could then write the access denied handler to show a page with a friendly message or perhaps redirect the user somewhere they are supposed to be instead.
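As an added illustration (not configuration taken from SAIS Common or from this document), here is how the page-level declaration and the access denied handler just described, together with the impersonation filter ordered after filterSecurityInterceptor as the earlier section requires, could look as Acegi 1.0 bean definitions in applicationContext-common-security.xml. The role names ROLE_INSTRUCTOR and ROLE_CAN_IMPERSONATE, the page urls, and the bean ids other than filterChainProxy and filterSecurityInterceptor are assumptions.

```xml
<!-- Added example (not from the original document); role names, urls and most bean ids are assumed. -->
<!-- Page-level security: url patterns mapped to the roles allowed to reach them; first match wins. -->
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /selectsections.do=ROLE_INSTRUCTOR
      /j_acegi_switch_user=ROLE_CAN_IMPERSONATE
      /**=IS_AUTHENTICATED_FULLY
    </value>
  </property>
</bean>

<!-- An AccessDeniedException from the interceptor is routed to the access denied handler, which shows a friendly page. -->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
  <property name="accessDeniedHandler">
    <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
      <property name="errorPage" value="/accessdenied.jsp"/>
    </bean>
  </property>
</bean>

<!-- Impersonation: the switch url is protected above, so only ROLE_CAN_IMPERSONATE users reach this filter. -->
<bean id="switchUserProcessingFilter" class="org.acegisecurity.ui.switchuser.SwitchUserProcessingFilter">
  <property name="userDetailsService" ref="userDetailsService"/>
  <property name="switchUserUrl" value="/j_acegi_switch_user"/>
  <property name="exitUserUrl" value="/j_acegi_exit_user"/>
  <property name="targetUrl" value="/"/>
</bean>

<!-- Chain order: switchUserProcessingFilter comes after filterSecurityInterceptor so the role check runs first. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor,switchUserProcessingFilter
    </value>
  </property>
</bean>
```

The catch-all IS_AUTHENTICATED_FULLY entry only works if the accessDecisionManager includes an AuthenticatedVoter; without some catch-all, urls not listed are left unprotected by this interceptor.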