ACEGI Authorization

Hi,in my previous blog i have talked about authentication.Here i am going to talk about authorization.Let me tell u first what it is.
Say for an application you want some users to use some feautres and you do not want that feautre to accessible by othere users.This blocking you can achieve through ACEGI
what you have to do is to create roles for each uses and giving priviles to each roles so that roles having certain privileges can access their feautres.Like in an web application we can have roles like Admin,Manager,Quest etc.So each roles can access feautres that others cannot.
You can use the code as i have given in authentication only you have to add some extra tags
which is shown below.
<br /><bean id="dbdrivenFilterInvocationDefinitionSource" class="mypackage.URLInterceptor"/><br />
Here URLInterceptor is a filter which gets invoked for each url and sees whether the current user with a given role has the privilege to acess the url if yes then he can go to the page defined by this url else he is redirected to acess denied page.

The filter code goes here
<br /><br /><br />import java.util.Iterator;<br />import java.util.List;<br />import java.util.Map;<br /><br />import org.acegisecurity.ConfigAttributeDefinition;<br />import org.acegisecurity.ConfigAttributeEditor;<br />import org.acegisecurity.intercept.web.AbstractFilterInvocationDefinitionSource;<br /><br />/**<br /> * *********************<br /> * Intercepts URL<br /> * @author Ajay<br /> * *********************<br /> *<br /> */<br />public classURLInterceptor extends AbstractFilterInvocationDefinitionSource{<br /> /**<br /> * default constructor<br /> *<br /> */<br /> public URLInterceptor(){<br /> <br /> }<br /> /**<br /> * Retrives the roles based on url.<br /> * @param url String<br /> * @return ConfigAttributeDefinition<br /> */<br /> public ConfigAttributeDefinition lookupAttributes(String url) {<br /> List secureObjectRoles = null;<br /> String absUrl = null;<br /> if( url.endsWith("Login.jsp") || url.endsWith("MyAlerts.jsp") || url.endsWith("error.jsp"))<br /> {<br /> return null;<br /> }<br /> final IROAppsAlertService alertSer = (IROAppsAlertService) ROAppsBeanLoader<br /> .getInstance("ROAppsAlertService");<br /> if(url.indexOf("?") > 0 )<br /> {<br /> absUrl=url.substring( url.lastIndexOf("/")+1,url.lastIndexOf("."));<br /> if(absUrl.equalsIgnoreCase("ROAppsAcegiLogin"))<br /> {<br /> return null;<br /> }<br /> secureObjectRoles = alertSer.getRoleBasedOnURL(absUrl);<br /> System.out.println("xxxxxxxxxxxxxxxxurlxxxxxxxxxxxxxxxx"+absUrl);<br /> System.out.println("xxxxxxxxxxxxxxxxxxxxurl rolesxxxxxxxxxxxxx"+secureObjectRoles);<br /> }<br /> if(url.endsWith("jsp") || url.endsWith("jspf"))<br /> {<br /> <br /> absUrl=url.substring( url.lastIndexOf("/")+1,url.lastIndexOf("."));<br /> secureObjectRoles = alertSer.getRoleBasedOnURL(absUrl);<br /> System.out.println("xxxxxxxxxxxxxxxxxxsecured oblectsx ends withxxxxxxxxxxxxxxxx"+secureObjectRoles);<br /> }<br /> if (secureObjectRoles == null)// if secure object not exist in database<br /> return null;<br /> if (secureObjectRoles != null && !secureObjectRoles.isEmpty()) {<br /> System.out.println("xxxxxxxxxxxxxxxxxxsecured oblects not nullxxxxxxxxxxxxxxxxx"+secureObjectRoles);<br /> final ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();<br /> final StringBuffer rolesStr = new StringBuffer();<br /> for (int i = 0; i < secureObjectRoles.size(); i++) {<br /> final Map objRole = (Map) secureObjectRoles.get(i);<br /> final String role=(String) objRole.get("txt_acegi_role");<br /> rolesStr.append(role).append(",");<br /> }<br /> System.out.println("xxxxxxxxxxxxxxxxxrole stringxxxxxxxxxxx"+rolesStr);<br /> configAttrEditor.setAsText(rolesStr.toString().substring(0,<br /> rolesStr.length() - 1));<br /> final ConfigAttributeDefinition configAttrDef = (ConfigAttributeDefinition) configAttrEditor<br /> .getValue();<br /> return configAttrDef;<br /> }<br /> return null;<br /> <br /> }<br /> /**<br /> * Implemented to store and can identify <br /> * the net.sf.acegisecurity.ConfigAttributeDefinition<br /> * that applies to a given secure object invocation.<br /> * @return Iterator<br /> */<br /> public Iterator getConfigAttributeDefinitions() {<br /> return null;<br /> }<br />}<br /><br />


Let me explain a bit of the code the method lookupAttributes gets called for each url
with parameter as the url of the current page.Here in this method we do some login inorder to find the all the roles for the current role from the database.
and bind that url to the ConfigAttributeEditor object and return to the caller that is the browser.If the user has role that is present in the this object than he can access the current page else not.