Hi, a different approach could be using Spring patterns to restrict
access to your resources with something like this in your
applicationContext-security.xml:

<sec:http auto-config="true"
          session-fixation-protection="newSession"
          access-denied-page="/permission_denied.jsp">
    <sec:intercept-url pattern="/someResource/**"
                       access="ROLE_ADMIN, ROLE_USER"/>
    <sec:intercept-url pattern="/anotherResorce/**"
                       access="ROLE_ADMIN"/>
</sec:http>
<sec:authentication-provider user-service-ref="userDetailsService"/>

The roles can be managed with an authentication provider. Here you can
see an example of a class that implements 'UserDetailsService' ->
http://bit.ly/7cpjiF
Hth.
You can create a class that implements 'UserDetailsService' to provide
the role to the Spring environment.

FSauer_at_dsthealthsolutions.com wrote:
>
> I wrote a Spring-aware version of the RolesAllowedResourceFilter with
> this filter method:
>
> public ContainerRequest filter(ContainerRequest request) {
>     // if filter was created, authentication is required,
>     if (sc.getUserPrincipal() == null) {
>         // not authenticated, so make Spring redirect to authentication
>         throw new AuthenticationCredentialsNotFoundException(
>                 "resource requires Authentication");
>     }
>     if (!denyAll) {
>         for (String role : rolesAllowed) {
>             if (sc.isUserInRole(role))
>                 return request;
>         }
>     }
>     // required role not present in principal, deny access
>     throw new AccessDeniedException(
>             "Insufficient privileges: " + sc.getUserPrincipal().getName());
> }
>
> which causes the Spring security config to kick in and properly do
> redirects to access denied pages when needed and stuff like that,
> unfortunately, the jersey container logs these exceptions:
>
> Dec 22, 2009 2:20:02 PM com.sun.jersey.server.impl.application.WebApplicationImpl _handleRequest
> SEVERE: The RuntimeException could not be mapped to a response, re-throwing to the HTTP container
> org.springframework.security.AccessDeniedException: Insufficient privileges: jack
>
> is there a way to configure the jersey container servlet to NOT log
> these exceptions?
>
> I tried NOT to do this and keep Spring out of this and instead try to
> somehow handle the 403 response in the spring layer but the Response
> coming out of jersey is already committed so the forward to the access
> denied page fails with a response already committed
> IllegalStateException......
>
> any ideas?
> Thanks,
>
> Frank
>
>
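
A sketch of the 'UserDetailsService' class the reply describes, added here as an example and not taken from either message or from the linked page. It assumes Spring Security 2.x (the org.springframework.security.* packages that appear in the quoted log); the class name, package, accounts and credential placeholder are constructed for illustration.

```java
// Added example (not from the thread). Assumes Spring Security 2.x, the
// org.springframework.security.* package layout seen in the quoted log.
// Register it under the id the config refers to, e.g.:
//   <bean id="userDetailsService" class="example.StaticRoleUserDetailsService"/>
package example; // hypothetical package name

import java.util.HashMap;
import java.util.Map;

import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

public class StaticRoleUserDetailsService implements UserDetailsService {

    // Constructed placeholder; a real service reads the stored credential
    // for each account from its user store.
    private static final String STORED_CREDENTIAL = "<stored-password-hash>";

    // Constructed sample accounts mapped to the roles used in the config.
    private final Map<String, String[]> rolesByUser = new HashMap<String, String[]>();

    public StaticRoleUserDetailsService() {
        rolesByUser.put("jack", new String[] {"ROLE_USER"});
        rolesByUser.put("alice", new String[] {"ROLE_ADMIN", "ROLE_USER"});
    }

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        String[] roles = rolesByUser.get(username);
        if (roles == null || roles.length == 0) {
            // Fail closed: an unknown or role-less account is never given
            // a default authority.
            throw new UsernameNotFoundException("Unknown user: " + username);
        }
        GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
        for (int i = 0; i < roles.length; i++) {
            authorities[i] = new GrantedAuthorityImpl(roles[i]);
        }
        // enabled, accountNonExpired, credentialsNonExpired, accountNonLocked
        return new User(username, STORED_CREDENTIAL, true, true, true, true,
                authorities);
    }
}
```

With these constructed accounts, "jack" holds only ROLE_USER, so the intercept-url rules above admit him to /someResource/** and refuse him on the ROLE_ADMIN-only pattern.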