Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-30 22:28:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Clarify AccessDecisionManager configuration if no configuration attributes being used.

Browse Source
This commit is contained in:
Ben Alex 2005-03-23 11:12:03 +00:00
parent 747825cda1
commit 81e84067ae
1 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
doc/docbook/acegi.xml
View File

@ -2113,6 +2113,28 @@ public boolean supports(Class clazz);</programlisting></para>
previous provider is passed to the next in the list. Let's now previous provider is passed to the next in the list. Let's now
consider our ACL-aware implementations of consider our ACL-aware implementations of
<literal>AfterInvocationProvider</literal>.</para> <literal>AfterInvocationProvider</literal>.</para>
<para>Please be aware that if you're using
<literal>AfterInvocationManager</literal>, you will still need
configuration attributes that allow the
<literal>MethodSecurityInterceptor</literal>'s
<literal>AccessDecisionManager</literal> to allow an operation. If
you're using the typical Acegi Security included
<literal>AccessDecisionManager</literal> implementations, having no
configuration attributes defined for a particular secure method
invocation will cause each <literal>AccessDecisionVoter</literal> to
abstain from voting. In turn, if the
<literal>AccessDecisionManager</literal> property
"<literal>allowIfAllAbstainDecisions</literal>" is
<literal>false</literal>, an <literal>AccessDeniedException</literal>
will be thrown. You may avoid this potential issue by either (i)
setting "<literal>allowIfAllAbstainDecisions</literal>" to
<literal>true</literal> (although this is generally not recommended)
or (ii) simply ensure that there is at least one configuration
attribute that an <literal>AccessDecisionVoter</literal> will vote to
grant access for. This latter (recommended) approach is usually
achieved through a <literal>ROLE_USER</literal> or
<literal>ROLE_AUTHENTICATED</literal> configuration attribute. </para>
</sect2> </sect2>
<sect2 id="afterinvocation-acl-aware"> <sect2 id="afterinvocation-acl-aware">
@ -3898,7 +3920,7 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
your own regular expression to match a different part of the your own regular expression to match a different part of the
subject's distinguished name. An subject's distinguished name. An
<classname>AuthenticationDao</classname> is used to load the <classname>AuthenticationDao</classname> is used to load the
user information. <!-- TODO: Give email matching as an example --></para> user information.<!-- TODO: Give email matching as an example --></para>
</listitem> </listitem>