roller-user mailing list archives

From Konrad Hosemann <kon...@hosemann.name>
Subject Re: Securing Postings
Date Wed, 02 Dec 2009 11:31:53 GMT
Hi,

On 02.12.2009 at 02:59, Dave wrote:
> Protected blogs is not an out-of-the-box feature and probably not an
> easy customization.
> 
> It might be possible via some LDAP and Spring Security magic that you
> could create some blogs that are visible only to certain people.

Requiring authentication to access roller can be realized by some changes to the Spring Security
configuration, see the attached security.xml. The changes are basically:

-- exclude some URL patterns from filtering, like styles and favicon. Done in property filterInvocationDefinitionSource
of bean filterChainProxy

-- require at least editor role for all other URLs. Done in property objectDefinitionSource
of bean filterInvocationInterceptor. This implies that you grant the editor role to all users.
Because I use the roller admin API to manage users, that is not a problem for me. If you manage
users using the roller webapp you might add some hack somewhere to grant that role automatically.

If you want to exclude some blog from requiring a successful login, you could add a rule to
the filterInvocationInterceptor, e.g. 
/demo/**=ROLE_ANONYMOUS,admin,editor
would allow everybody to access the blog with the handle 'demo'

Of course this is a static definition and only works on blogs as a whole, not single postings.
But it could be a starting point. 

This works for 4.0.1, I have not yet tried 5.0

best regards,
konrad
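
An added example, not part of the original message or of Roller: a simplified Python model of an ordered `pattern=roles` rule list like the one above, evaluated so that the first matching pattern decides, which lets a rule list be checked against sample URLs before it is deployed. The matcher, the function names and every rule except the `/demo/**` line are assumptions made for illustration; this is not Spring Security's own matcher.

```python
import re

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into a regex (simplified model)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out += "(/.*)?"      # trailing /** : zero or more path segments
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"          # ** elsewhere: any characters, including '/'
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"       # * stays inside one path segment
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"        # ? is exactly one non-slash character
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")

def parse_rules(text):
    """Parse 'pattern=role1,role2' lines, preserving their order."""
    rules = []
    for line in text.strip().splitlines():
        pattern, _, roles = line.strip().partition("=")
        rules.append((pattern, ant_to_regex(pattern), {r.strip() for r in roles.split(",")}))
    return rules

def decide(rules, path, authorities):
    """Return (matching pattern, allowed?) from the first rule that matches."""
    for pattern, regex, roles in rules:
        if regex.match(path):
            return pattern, bool(roles & set(authorities))
    return None, True  # assumption: a URL matched by no rule is unprotected

# Constructed rule sets; only the /demo/** line comes from the message.
GOOD = parse_rules("""
/demo/**=ROLE_ANONYMOUS,admin,editor
/**=admin,editor
""")
SHADOWED = parse_rules("""
/**=admin,editor
/demo/**=ROLE_ANONYMOUS,admin,editor
""")

def audit(rules, paths):
    """Map each path to (deciding rule, anonymous access allowed?)."""
    return {p: decide(rules, p, ["ROLE_ANONYMOUS"]) for p in paths}
```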
