Posted to dev@roller.apache.org by Matt Raible <mr...@gmail.com> on 2005/12/04 06:25:21 UTC

Re: regarding the removal of web-security.xml from metadata/xdoclet

On 12/3/05, Anil Gangolli <an...@busybuddha.org> wrote:
>
> As Björn Ingimundarson recently noticed, we somehow lost the resource
> refs portion of the web.xml.
>
> It's because they happened to have been hiding in the web-security.xml
> fragment in metadata/xdoclet, and that was removed with the recent Acegi
> changes.  I believe we need the resource refs in general, even though
> things might work for Tomcat.  There's an odd comment that was there
> calling it a "Tomcat resource ref", but there's nothing specific about
> it; it's part of the Servlet 2.3 and 2.4 specs, and I think Tomcat may
> be one of the more lenient containers with respect to missing these.
> Not sure about that, but I'd like to put them back.  Objections?

Sorry about that - I forgot to check in
metadata/web-resource-env-refs.xml, should be fixed now.

>
> On a related but different note, I'm a bit concerned that the
> security-constraint clauses that were there might also be required for
> some containers to know to set up for HttpServletRequest.isUserInRole()
> properly (which appears to still be used in the codebase).   Does the
> way Acegi is injected entirely obviate the need for them for all
> containers? Matt maybe you can comment on this question.

Yes, the SecurityContextHolderAwareRequestFilter makes it possible for
request.isUserInRole("rolename") to work.  I've successfully
integrated it into AppFuse, and a couple of production sites - and
haven't had any issues.  I haven't seen any issues on my site so far -
but it is a single-user site for the most part.

Matt

>
> --a.
>
>