How to deny url based on role - spring-security

I have a list of users which have multiple roles. I am looking for basically the opposite of hasAuthority('systemAccessRole'): for example, if a user has systemAccessRole I want to block him on some URL.
<sec:intercept-url pattern="/url/global/*" access="hasAuthority('systemAccessRole')"/>
<!-- the user will not be allowed to access the domestic URL if he/she has the role systemAccessRole -->
<sec:intercept-url pattern="/url/domestic/*" access="hasAuthority('systemAccessRole')"/>
What would be an expression I can use in that case?

Use the ! (not) operator:
<sec:intercept-url pattern="/url/domestic/*" access="!hasAuthority('systemAccessRole')"/>
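As an added example (not code from the question or the answer above), the same two rules written in Spring Security's Java configuration, assuming Spring Security 3.2 or later and the URL patterns from the question; the class name RoleDenyConfig is invented here. It also shows the caveat a negated expression carries: an anonymous visitor holds only ROLE_ANONYMOUS, so !hasAuthority(...) on its own is true for them as well, and the rule needs isAuthenticated() alongside it to keep the domestic URLs behind a login.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical configuration class for the two URL families in the question.
@Configuration
@EnableWebSecurity
public class RoleDenyConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // /url/global/** is reserved for holders of systemAccessRole.
            .antMatchers("/url/global/**").hasAuthority("systemAccessRole")

            // Weak form: "!hasAuthority(...)" alone is also true for an anonymous
            // visitor, who holds only ROLE_ANONYMOUS, so it would open /url/domestic/**
            // to anyone who is not logged in at all.
            // .antMatchers("/url/domestic/**").access("!hasAuthority('systemAccessRole')")

            // Corrected form: require a logged-in user AND exclude systemAccessRole holders.
            .antMatchers("/url/domestic/**")
                .access("isAuthenticated() and !hasAuthority('systemAccessRole')")

            // Deny by default: every other URL still needs an authenticated user.
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

The XML equivalent of the corrected rule is access="isAuthenticated() and !hasAuthority('systemAccessRole')" on the intercept-url element; the negation alone is the same gap in either style.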


Output cache (Local vs Custom)

I was searching for a local cache solution to store the output cache in the user's browser so that each user has his own cache, and I arrived at using the following profile:
<add name="Cache30MinClient" duration="1800" varyByParam="none" location="Client" noStore="true" />
However, I found the following post which states that a per-user cache is done with the varyByCustom attribute.
My question is: is my solution enough for caching data in the user's browser, or should I follow that post?
Thanks.
It depends :) GetVaryByCustomString essentially lets you select a piece of the HTTP request that can be used as the cache key. In your solution (I'm kind of missing the controller piece) your cache key is empty, so every single user will get the same result. This may be fine if the users are anonymous, or if whether the user is authenticated or not doesn't play a role in the output HTML.

How can I create a TFS rule on the AssignedTo field that displays a list of valid users and allows freetext entry?

What I am trying to do:
Set up a TFS work item to allow assigning tasks to people who don't have TFS accounts. Those users wouldn't access TFS. We just want to keep track of who we assigned tasks to when those people are outside of our team.
What I have tried:
Basically I want to update the AssignedTo field on a task work item to allow entering values that aren't in the list, but still show a dropdown of valid AD users to pick from.
Replacing the ValidUsers rule with a SuggestedValues rule solves the problem of letting us add values that aren't in the list but we lose the dropdown of TFS users unless we manually type each person into a global list (which I'd prefer not to have to maintain).
Using both a ValidUsers rule and a SuggestedValues rule lets you use the dropdown AND type in a new value, but if the typed value isn't in the list it won't validate.
The Question
Is there a way to set up a SuggestedValues rule that pulls the suggested values from an AD or TFS group? Or perhaps there is another way of skinning this cat?
Yes, you can populate the SuggestedValues with an AD security group or a TFS group with:
<SUGGESTEDVALUES expanditems="true">
<!-- expanditems="true" expands each group into its member accounts in the dropdown -->
<LISTITEM value="[Project]\Contributors" />
<LISTITEM value="[Project]\Project Administrators" />
<LISTITEM value="Domain\GroupName" />
</SUGGESTEDVALUES>

In IBM WCS, what happens when a user logs in after adding an item to cart as a guest. How is the orderId handled in this scenario?

I need to know more about the back-end flow when a user adds an item to the cart as a guest and then logs in using his valid credentials. The orderId created for the guest gets migrated to the registered user's id. Could someone please explain how this is handled? Details of the commands and DB tables would be helpful.
I did read about a MigrateUserEntries command but I am not sure if that is the correct one.
Thanks in advance.
When a guest user logs in, his cart gets merged with the cart of the registered user account.
This impacts the tables related to orders and order items.
You can look at the documentation of OrderCopy for more details.
But the trick here is:
public class MigrateUserEntriesCmdImpl extends TaskCommandImpl implements MigrateUserEntriesCmd
This task command is used to migrate resources owned by one user to another. The mandatory resources that are migrated are Addresses, Current Orders, Interest Items, Order Items, Orders, and Order templates.
By default, this command will not merge the shopping carts of the 2 users, but it can be configured to do so by:
a) Setting the mergeCart flag in the request property in the command context to true.
OR:
b) Setting MemberSubSystem/MergeCartsAtAuthentication/enabled in wc-server.xml to true.
The mergeCart flag in the request property takes higher priority.
Before executing this task command the following setters should be called:
setOldUser() / getOldUser()
This method retrieves the old user whose resources are to be migrated to the new user.
setNewUser() / getNewUser()
This method retrieves the new user who is the recipient of the migrated resources from the old user.
Both the OldUser and the NewUser can be retrieved from the UserAccessBean of the JSP concerned.
migrateOrderItem(OrderItemAccessBean abOrderItem, UserAccessBean abNewUser, CommandContext newUserCmdCtx)
This method migrates an order item to a new user.
First, some review of the user lifecycle in WCS:
1- the user visits the site as a generic user with USER ID = -1002
2- when the user adds any item to his shopping cart, WCS creates an OrderId and assigns it to a newly created USER ID; the user is called a "guest" in this case
(both #1 and #2 have userType=G)
3- when the user logs in using the login form, it is by default attached to LogonCmd in the Struts configuration, and if you decompile that controller command you will see that it calls the MigrateUserEntriesCmd task command, which is responsible for migrating Addresses, Current Orders, Interest Items, Order Items, Orders, and Order templates.
The new orderID that is used is the registered user's OrderId.
I suggest you install a decompiler in your RAD so you can decompile the IBM classes for a better understanding of the logic, and then customize your code following IBM best practice (extending commands, etc.).
I use the JAD Eclipse plugin for decompilation.
You can read further (references):
http://pic.dhe.ibm.com/infocenter/wchelp/v7r0m0/index.jsp?topic=%2Fcom.ibm.commerce.admin.doc%2Fconcepts%2Fcmsmembers.htm&resultof%3D%2522%2555%2553%2545%2552%2553%2522%2520%2522%2575%2573%2565%2572%2522%2520
http://pic.dhe.ibm.com/infocenter/wchelp/v7r0m0/index.jsp?topic=%2Fcom.ibm.commerce.api.doc%2Fcom%2Fibm%2Fcommerce%2Fsecurity%2Fcommands%2FMigrateUserEntriesCmdImpl.html
Thanks
Abed
In the login page add this code when the user is a Guest; OrderItemMove is an out-of-the-box command:
<c:if test="${userType == 'G'}">
<wcf:url var="orderMove" value="OrderItemMove" type="Ajax">
<wcf:param name="toOrderId" value="."/>
<wcf:param name="deleteIfEmpty" value="*"/>
<wcf:param name="fromOrderId" value="*"/>
<wcf:param name="continue" value="1"/>
<wcf:param name="createIfEmpty" value="1"/>
<wcf:param name="calculationUsageId" value="-1" />
<wcf:param name="calculationUsageId" value="-2" />
<wcf:param name="calculationUsageId" value="-7" />
<wcf:param name="updatePrices" value="0"/>
</wcf:url>
</c:if>
The JavaScript code for the button the user clicks on:
LogonSubmit(document.Logon,'<c:out value='${orderMove}'/>','<c:out value='${afterOrderCalculateURL}'/>');void(0);">
After validation, form the URL:
function LogonSubmit(form, orderMoveURL, afterOrderCalculateURL) {
    // chain OrderCalculate (and the final redirect) after OrderItemMove
    var completeOrderMoveURL = orderMoveURL;
    completeOrderMoveURL = completeOrderMoveURL + "&URL=OrderCalculate?URL=" + afterOrderCalculateURL + "&calculationUsageId=-1&calculationUsageId=-2&calculationUsageId=-7";
    // store the redirect chain in the form's hidden URL field
    document.getElementById('URL').value = completeOrderMoveURL;
    // then submit the form
    form.submit();
}
I hope this helps with merging the items after login.

Error configuring the requestmap in spring security core for grails

In my system, I have numerous roles assigned to the users (let's assume 3 for now: ROLE_ADMIN, ROLE_USER, ROLE_SERVICES). In one of my controllers (let's assume SearchController, which has three actions serviceIndex{}, userIndex{} and adminIndex{}), I want users of any role to be able to access two of the actions (the first two). For the final action, I want to restrict the action against users of a single role type (let's say ROLE_USER) but allow access to users of the other roles (i.e. ROLE_ADMIN, ROLE_SERVICE). I have something like the following in my requestmap table.
config_attribute                    url
ROLE_ADMIN,ROLE_SERVICE,ROLE_USER   /search/serviceIndex
ROLE_ADMIN,ROLE_SERVICE,ROLE_USER   /search/userIndex
ROLE_ADMIN,ROLE_SERVICE             /search/adminIndex
Since the third rule states that the URL '/search/adminIndex' is not accessible to ROLE_USER, the user with that role should have been denied authorization to access the URL. But the user can still access the URL. What is the correct configuration? I did try something like /search/adminIndex/**, but that doesn't work either. On a side note, none of the URLs will have suffixes, but I would still like to prevent access if users manipulate the URL by adding suffixes like /search/userIndex/56a, just in case.
Regards,
dipess
Since the plugin iterates through the rules and applies the first one that matches the current URL, I would set the adminIndex first and then have a catchall for anything else.
ROLE_ADMIN,ROLE_SERVICE /search/adminIndex
ROLE_ADMIN,ROLE_SERVICE,ROLE_USER /search/**
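As an added illustration of the ordering the answer relies on (hypothetical code, not the Grails plugin's own implementation and not from the poster), a small first-match request map in plain Java: rules are consulted in insertion order, the first pattern that matches the URL decides, and a catch-all placed before a specific rule shadows it. The ant-to-regex translation is a minimal one written for this example; it covers only the "*" and "**" wildcards that appear on the page. The class and method names are invented here.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Toy first-match request map (hypothetical; models the ordering described in the answer). */
public class FirstMatchRequestMap {

    /** One requestmap row: an ant-style URL pattern and the roles that may reach it. */
    private static final class Rule {
        final Pattern urlPattern;
        final Set<String> allowedRoles;

        Rule(String antPattern, Set<String> allowedRoles) {
            this.urlPattern = Pattern.compile(antToRegex(antPattern));
            this.allowedRoles = allowedRoles;
        }
    }

    private final List<Rule> rules = new ArrayList<>();

    /** Rules are consulted in insertion order, so register the most specific ones first. */
    public FirstMatchRequestMap add(String antPattern, String... roles) {
        rules.add(new Rule(antPattern, Set.of(roles)));
        return this;
    }

    /** The first rule whose pattern matches decides; later rules are never consulted for that URL. */
    public boolean isAllowed(String url, Set<String> userRoles) {
        for (Rule rule : rules) {
            if (rule.urlPattern.matcher(url).matches()) {
                return rule.allowedRoles.stream().anyMatch(userRoles::contains);
            }
        }
        return false; // no rule matched: deny by default
    }

    /** Translate the two ant wildcards used on the page: "**" spans path segments, "*" stays within one. */
    static String antToRegex(String ant) {
        StringBuilder sb = new StringBuilder();
        int i = 0;
        while (i < ant.length()) {
            if (ant.startsWith("/**", i)) {
                sb.append("(/.*)?"); // "/x/**" also matches the bare "/x", like Spring's AntPathMatcher
                i += 3;
            } else if (ant.startsWith("**", i)) {
                sb.append(".*");
                i += 2;
            } else if (ant.charAt(i) == '*') {
                sb.append("[^/]*");
                i += 1;
            } else {
                sb.append(Pattern.quote(String.valueOf(ant.charAt(i))));
                i += 1;
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // The order recommended in the answer: the admin action first, then a catch-all.
        // "/search/adminIndex/**" also covers the suffixed variants the asker worried about.
        FirstMatchRequestMap map = new FirstMatchRequestMap()
            .add("/search/adminIndex/**", "ROLE_ADMIN", "ROLE_SERVICE")
            .add("/search/**", "ROLE_ADMIN", "ROLE_SERVICE", "ROLE_USER");

        Set<String> user = Set.of("ROLE_USER");
        Set<String> admin = Set.of("ROLE_ADMIN");

        System.out.println("user -> /search/adminIndex:      " + map.isAllowed("/search/adminIndex", user));
        System.out.println("admin -> /search/adminIndex:     " + map.isAllowed("/search/adminIndex", admin));
        System.out.println("user -> /search/adminIndex/56a:  " + map.isAllowed("/search/adminIndex/56a", user));
        System.out.println("user -> /search/userIndex/56a:   " + map.isAllowed("/search/userIndex/56a", user));

        // Reversed order: the catch-all is consulted first and shadows the admin rule,
        // so the admin rule is never reached for ROLE_USER.
        FirstMatchRequestMap shadowed = new FirstMatchRequestMap()
            .add("/search/**", "ROLE_ADMIN", "ROLE_SERVICE", "ROLE_USER")
            .add("/search/adminIndex/**", "ROLE_ADMIN", "ROLE_SERVICE");
        System.out.println("shadowed, user -> /search/adminIndex: " + shadowed.isAllowed("/search/adminIndex", user));
    }
}
```

The point to check in any first-match scheme is the one the second map shows: a broad rule placed above a narrow one silently wins, so keep the most restrictive patterns at the top and the catch-all last.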

Spring Security - Different Filter Entry Points based on Role

I'm developing a webapp which allows for two types of users - User and Admin.
There are two parts of the site - the User side and the Admin side. I'm using Spring Security to secure both sites and it's working pretty well, except I've come across a bit of a problem.
Basically, if the user is not logged in and tries to access a page on either part of the site, they should be directed to a different login page. For example:
the user is not logged in and tries to access a page which only Users can see -> the user is intercepted and directed to LoginPageOne.jsp
The other case would then be:
the user is not logged in and tries to access a page which only Admins can see -> the user is intercepted and directed to LoginPageTwo.jsp
I've tried to do this a number of ways without any success. First of all I tried to create two separate sets of intercept-urls in my applicationContext-security.xml which would use different entry-point-refs, which would in turn point to different login URLs. This failed - the webapp wouldn't even start.
Now I'm trying to extend AuthenticationProcessingFilterEntryPoint, but I don't know how to forward the user based on the resource they're trying to access. I was hoping I could find out what roles the user needs in order to access the resource and, based off that, forward them to the correct page, but I'm not sure this is possible.
I've done a fair bit of searching across the interwebs and haven't managed to find a solution for my problem, so any help with this would be greatly appreciated :-)
Thanks,
Ger.
Since version 3, Spring Security provides org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint.
It serves as a proxy which allows you to inject many entry points into it and decide at runtime which one should be chosen for a particular request.
It is quite simple to use, but if you have any problems with it, just let me know in a comment.
One approach would be to extend AuthenticationProcessingFilter to override
protected String determineFailureUrl(HttpServletRequest request, AuthenticationException failed);
Then, based on the request URL and the authentication exception, decide the entry point URL.
Sample config:
<http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint" >
<intercept-url pattern="/user" access="ROLE_USER"/>
<intercept-url pattern="/admin" access="ROLE_ADMIN"/>
<form-login login-page="/adminlogin" authentication-failure-url= "/adminlogin?error=true" default-target-url="/admin" />
</http>
<beans:bean id="authenticationProcessingFilterEntryPoint"
class="your.package.CustomAuthenticationProcessingFilterEntryPoint">
<beans:property name="loginFormUrl" value="/adminlogin"/>
<beans:property name="userLoginFormUrl" value="/userlogin"/>
<beans:property name="forceHttps" value="false"/>
</beans:bean>
and the class:
public class CustomAuthenticationProcessingFilterEntryPoint extends AuthenticationProcessingFilterEntryPoint {
    private String userLoginFormUrl; // set from the userLoginFormUrl bean property above
    public void setUserLoginFormUrl(String url) { this.userLoginFormUrl = url; }
    @Override
    protected String determineUrlToUseForThisRequest(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) {
        // check request.getRequestURI() and return where you need to redirect the user
        boolean adminArea = request.getRequestURI().startsWith(request.getContextPath() + "/admin");
        return adminArea ? getLoginFormUrl() : userLoginFormUrl;
    }
}
Another option:
http://oajamfibia.wordpress.com/2011/07/07/role-based-login-redirect/#comment-12
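As an added example that is not part of either answer above, the DelegatingAuthenticationEntryPoint approach from the first answer written out in Spring Security's Java configuration. It assumes Spring Security 3.2 or later, the /admin and /user URL prefixes and the /adminlogin and /userlogin pages from the second answer's XML, and the role names ADMIN and USER; the class name SplitLoginConfig and the shared /login processing URL are assumptions made for this example.

```java
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical configuration class: one filter chain, two login pages chosen per request.
@Configuration
@EnableWebSecurity
public class SplitLoginConfig extends WebSecurityConfigurerAdapter {

    /** Choose the login page from the URL the unauthenticated user tried to reach. */
    @Bean
    public AuthenticationEntryPoint entryPoint() {
        // A LinkedHashMap keeps insertion order: the first matcher that accepts the request wins.
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> points = new LinkedHashMap<>();
        points.put(new AntPathRequestMatcher("/admin/**"), new LoginUrlAuthenticationEntryPoint("/adminlogin"));
        points.put(new AntPathRequestMatcher("/user/**"), new LoginUrlAuthenticationEntryPoint("/userlogin"));

        DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(points);
        // Requests matched by no entry above fall back to the user login page.
        delegating.setDefaultEntryPoint(new LoginUrlAuthenticationEntryPoint("/userlogin"));
        return delegating;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Both login pages must be reachable without a session, or the redirect loops.
                .antMatchers("/adminlogin", "/userlogin").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**").hasRole("USER")
                .anyRequest().authenticated()
            .and()
            .exceptionHandling()
                // The delegating entry point replaces the single login-page redirect.
                .authenticationEntryPoint(entryPoint())
            .and()
            .formLogin()
                // One processing URL serves both pages; each page's form POSTs here (assumption).
                .loginProcessingUrl("/login")
                .permitAll();
    }
}
```

The entry point only decides where an unauthenticated user is sent; the intercept rules still decide who may reach each area once logged in, so a User who authenticates through /adminlogin is still denied /admin/** by the hasRole("ADMIN") rule.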
