Hours wasted with Acegi’s FilterSecurityInterceptor & CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON

Sometimes the answer to a problem is staring you right in the face. Across several evenings I spent a number of hours trying to work out why the URL-based security using Acegi for the Grails application I am working on would not work. I thought I was misunderstanding how to specify the wildcards using Ant syntax, and so kept trying many different variations of patterns to try and match the URLs I was trying to protect.

It finally dawned on me that the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON instruction defined with the FilterSecurityInterceptor was causing all my problems. Some of my URLs contain mixed case, and I had blindly copied them into my configuration file and forgotten all about this setting to convert all URLs to lower case before comparing. Wow, that seems so obvious now, but I think it took me at least 6 hours of head scratching and reading many posts online before I worked out what was going wrong.

For an example of my configuration file and more details, see my other post here.

Understanding Acegi’s FilterSecurityInterceptor and URL matching

The ‘CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON’ parameter to FilterSecurityInterceptor means exactly that – URLs are converted to lower case for comparison with the patterns that you define.

If you use CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON, then make sure all the URL patterns you specify are also in lower case, otherwise you will never get a match. This seems obvious, but it took me several hours of trial and error before I spotted what was not working in my configuration.

For example, take this snippet of configuration:

<code>
    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <property name="accessDecisionManager">
            <ref bean="accessDecisionManager"/>
        </property>
        <property name="objectDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /acegilogin.jsp*=ROLE_ANONYMOUS, ROLE_ADMIN
                /=ROLE_ANONYMOUS, ROLE_ADMIN
                /index.jsp=ROLE_ANONYMOUS, ROLE_ADMIN

                /item/show/**=ROLE_ANONYMOUS, ROLE_ADMIN
                /item/list/**=ROLE_ANONYMOUS, ROLE_ADMIN
                /item/doSomeOtherThing=ROLE_ANONYMOUS, ROLE_ADMIN
                ...
            </value>
        </property>
    </bean>
</code>

The URL ‘/item/doSomeOtherThing’ is never going to be matched, since the incoming URLs for comparison are converted to lowercase by the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON instruction.
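A check for this mistake, as an added example (not code from the original post or from Acegi): it parses the rule block shown above, flags patterns that can never match once the URL is lowercased, and resolves a request URL to its roles. The function names are hypothetical and the Ant matcher is a simplified stand-in for Acegi's own.

```python
import re

LOWER = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON"

# Constructed sample: the directives and rules from the configuration snippet above.
SAMPLE = """
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /acegilogin.jsp*=ROLE_ANONYMOUS, ROLE_ADMIN
    /=ROLE_ANONYMOUS, ROLE_ADMIN
    /index.jsp=ROLE_ANONYMOUS, ROLE_ADMIN
    /item/show/**=ROLE_ANONYMOUS, ROLE_ADMIN
    /item/list/**=ROLE_ANONYMOUS, ROLE_ADMIN
    /item/doSomeOtherThing=ROLE_ANONYMOUS, ROLE_ADMIN
"""

def parse(definition):
    """Return (lowercase_flag, [(pattern, [roles])]) from the definition text."""
    lower, rules = False, []
    for line in (l.strip() for l in definition.splitlines()):
        if line == LOWER:
            lower = True
        elif "=" in line:  # directive lines carry no '=' and are skipped
            pattern, roles = line.split("=", 1)
            rules.append((pattern.strip(), [r.strip() for r in roles.split(",")]))
    return lower, rules

def ant_to_regex(pattern):
    """Simplified Ant translation: '**' any path, '*' within a segment, '?' one char."""
    out = ""
    for tok in re.split(r"(\*\*|\*|\?)", pattern):
        out += {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok))
    return re.compile(out + r"\Z")

def roles_for(definition, url):
    """First matching rule wins; the URL is lowercased first when the flag is set."""
    lower, rules = parse(definition)
    url = url.lower() if lower else url
    for pattern, roles in rules:
        if ant_to_regex(pattern).match(url):
            return roles
    return None  # no rule matched this URL

def unmatchable_patterns(definition):
    """Patterns containing upper-case letters can never match a lowercased URL."""
    lower, rules = parse(definition)
    return [p for p, _ in rules if lower and p != p.lower()]
```

Running `unmatchable_patterns` over a configuration before deploying it catches the mixed-case rule without any trial and error against the live filter.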

Firefox 2 beats IE7 on Security and new features

CNET have a review of the latest Firefox 2 browser, and in a comparison with IE7 say that Firefox 2’s Security and other features are better than what is being offered in the latest IE7 from Microsoft.

Some of the new features include the ability to arrange tabs when browsing multiple sites, restore the state of tabs if the OS crashes, and reopen a tab if you accidentally close it. Live Titles is another new interesting feature which allows websites to send updates to your bookmarks (RSS for bookmarks?), so for example if you have a news website bookmarked, when you view your bookmark for this site it will display a summary of the latest headline from the site.