Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

If you're using the login page to get the users to login, as opposed to using Windows integrated authentication, you can force the user to have to login before they can do anything.
By default an anonymous user (one that hasn't logged in yet) can see a list of clients that are available, and from there they can login with the login button, but by using the changes listed below the user is forced to login before they can perform any operations at all.

To make the change you need to change the objectDefinitionSource in the following section in security.xml

	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="accessDecisionManager">
			<bean class="org.acegisecurity.vote.AffirmativeBased">
				<property name="allowIfAllAbstainDecisions" value="false"/>
				<property name="decisionVoters">
					<list>
						<bean class="org.acegisecurity.vote.RoleVoter"/>
						<bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
					</list>
				</property>
			</bean>
		</property>
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/**=IS_AUTHENTICATED_ANONYMOUSLY
			</value>
		</property>
	</bean>

To force authentication the objectDefinitionSource should be changed to:

		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/login.*=IS_AUTHENTICATED_ANONYMOUSLY
				/login/**=IS_AUTHENTICATED_ANONYMOUSLY
				/**=IS_AUTHENTICATED_FULLY
			</value>
		</property>

This allows the resources that the user needs to login to be available to anyone, but requires the user to be full authenticated before they can access anything else.

  • No labels