prevent reaching inner folders without login


mavisakal
Sep 24th, 2004, 09:11 AM
How can I prevent users from accessing files by writing file names in the address bar of the browser? I want to allow users to access only login.jsp without logging in.
For instance how can I check the login for /jsp/** pattern in the following code? Or is there a better implementation?
(I can write all of the roles for it but administrator may add new ROLES in run time.)
bye.

<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
    <property name="objectDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /secure/**=ROLE_SUPERVISOR
            /jsp/**= ????????
        </value>
    </property>
</bean>

Ben Alex
Sep 24th, 2004, 06:31 PM
If roles can be created at runtime, you clearly cannot declaratively configure them in XML! For that you'll need a database-based ObjectDefinitionSource (actually a FilterInvocationDefinitionSource as it's for a FilterSecurityInterceptor) as per our other forum thread: http://forum.springframework.org/showthread.php?t=10185

shaan
May 4th, 2006, 02:31 PM
The hyperlink in the previous post does not work - I have had this occur to me many times. Are threads purged after some time? I am curious ...

RayKrueger
May 5th, 2006, 10:55 PM
I think Ben has a list of URLs that point to previous answers he's given about common problems :P
Unfortunately, the Spring powers that be switched from phpbb to vbulletin a while back, which means the old urls are no good anymore.

shan
May 6th, 2006, 11:03 AM
well, the essence is to implement your own AbstractFilterInvocationDefinitionSource

all you have to do is worry about one method to write:
public ConfigAttributeDefinition lookupAttributes(String url)

you receive the URL, and then return the appropriate ConfigAttributeDefinition

for example,


public ConfigAttributeDefinition lookupAttributes(String url) {

    ConfigAttributeDefinition confAttrDefn = null;

    // Decide which role(s) the given URL requires (e.g. look them up in a database)
    String roleName = ???;

    // Parse the comma-separated role string into a ConfigAttributeDefinition
    ConfigAttributeEditor configAttribEd = new ConfigAttributeEditor();
    configAttribEd.setAsText(roleName);
    confAttrDefn = (ConfigAttributeDefinition) configAttribEd.getValue();

    return confAttrDefn;

}
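A fuller version of the approach shan describes, as an added example that is not code from this thread or from Acegi itself: a FilterInvocationDefinitionSource whose pattern-to-role table can be changed at runtime, which denies every unlisted URL by default so that inner folders cannot be reached by typing their path. It assumes the Acegi 0.x package names used in the thread (net.sf.acegisecurity.*), Spring's org.springframework.util.AntPathMatcher, and a hypothetical admin service that calls setRoles().

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.SecurityConfig;
import net.sf.acegisecurity.intercept.web.AbstractFilterInvocationDefinitionSource;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;

public class RuntimeRoleDefinitionSource extends AbstractFilterInvocationDefinitionSource {

    private final PathMatcher matcher = new AntPathMatcher();
    // Insertion-ordered: the first matching pattern wins, so register the public
    // login page before broad patterns such as /jsp/**.
    private final Map patternsToRoles = Collections.synchronizedMap(new LinkedHashMap());
    // Roles required for any URL that matches no registered pattern (deny by default).
    private final String[] defaultRoles;

    public RuntimeRoleDefinitionSource(String[] defaultRoles) {
        this.defaultRoles = defaultRoles;
    }

    /** Called by the (hypothetical) admin service; an empty array makes the URL public. */
    public void setRoles(String antPattern, String[] roles) {
        patternsToRoles.put(antPattern.toLowerCase(), roles);
    }

    public ConfigAttributeDefinition lookupAttributes(String url) {
        String[] roles = defaultRoles;
        String path = url.toLowerCase(); // mirrors CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        synchronized (patternsToRoles) {
            for (Iterator it = patternsToRoles.entrySet().iterator(); it.hasNext();) {
                Map.Entry e = (Map.Entry) it.next();
                if (matcher.match((String) e.getKey(), path)) { roles = (String[]) e.getValue(); break; }
            }
        }
        // Returning null tells FilterSecurityInterceptor the URL is public; only do so
        // for an explicitly registered empty role list, never for unknown URLs.
        if (roles.length == 0) return null;
        ConfigAttributeDefinition def = new ConfigAttributeDefinition();
        for (int i = 0; i < roles.length; i++) def.addConfigAttribute(new SecurityConfig(roles[i]));
        return def;
    }

    /** Lets the interceptor validate every role name against the voters at startup. */
    public Iterator getConfigAttributeDefinitions() {
        List defs = new ArrayList();
        synchronized (patternsToRoles) {
            for (Iterator it = patternsToRoles.keySet().iterator(); it.hasNext();)
                defs.add(lookupAttributes((String) it.next()));
        }
        defs.add(lookupAttributes("/never-registered-url"));
        return defs.iterator();
    }
}
```

Wire it in place of the objectDefinitionSource string, register "/login.jsp" with an empty role array and give the constructor a role every logged-in user holds; any new role the administrator creates is then just another setRoles() call.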