Announcement Announcement Module
Collapse
No announcement yet.
Why is the role_admin not working Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Why is the role_admin not working

    Hi
    here is my simple code for basic authentication.
    I gave roles to specific URL's
    But all the user logins work for all the URL's. why is that the Acess decision manager not controlling the Access.Do i need to code anything.
    Here is my acegi-security.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC
    "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">

    <beans>

    <!-- Configurer that replaces ${...} placeholders with values from properties files -->
    <!-- (in this case, JDBC related properties) -->

    <bean id="mySecurityDao" class="com.starwood.svo.ice.persistence.ibatis.sql mapdao.UserDaoImpl">
    <property name="dataSource"><ref local="tblMaintDataSource"/></property>
    <property name="sqlMapClient"><ref local="mySqlMapClient"/></property>
    </bean>
    <bean id="mySqlMapClient" class="org.springframework.orm.ibatis.SqlMapClient FactoryBean">
    <property name="configLocation"><value>WEB-INF/conf/ibatis/ibatis.xml</value></property>
    <property name="dataSource"><ref local="tblMaintDataSource"/></property>
    </bean>

    <bean id="tblMaintDataSource" class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName" ><value>net.sourceforge.jtds.jdbc.Driver</value></property>
    <property name="url" ><value>jdbc:jtds:sqlserver://localhost/ICE</value></property>
    <property name="username"><value>ICEwebUser</value></property>
    <property name="password"><value>test</value></property>
    </bean>

    <!-- Datasource with connection pooling. Combines commons-dbcp and commons-pool packages -->
    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /j_acegi_security_check*=httpSessionIntegrationFilt er,authenticationProcessingFilter, securityEnforcementFilter

    </value>
    </property>
    </bean>


    <bean id="httpSessionIntegrationFilter" class="org.acegisecurity.context.HttpSessionContex tIntegrationFilter">
    <property name="context">
    <value>org.acegisecurity.context.SecurityContextIm pl</value>
    </property>
    </bean>
    <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationP rocessingFilter">
    <property name="authenticationManager">
    <ref bean="authenticationManager"/>
    </property>
    <property name="authenticationFailureUrl">
    <value>/Login.jsp?error=1</value>
    </property>
    <property name="defaultTargetUrl">
    <value>/welcome1.jsp</value>
    </property>
    <property name="alwaysUseDefaultTargetUrl"><value>false</value></property>
    <property name="filterProcessesUrl">
    <value>/j_acegi_security_check</value>
    </property>
    </bean>
    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager ">
    <property name="providers">
    <list>
    <ref bean="daoAuthenticationProvider"/>
    </list>
    </property>
    </bean>

    <bean id ="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenti cationProvider">
    <property name = "userDetailsService">
    <ref local = "mySecurityDao"/>
    </property>
    </bean>


    <bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnf orcementFilter">
    <property name="filterSecurityInterceptor">
    <ref bean="filterInvocationInterceptor"/>
    </property>
    <property name="authenticationEntryPoint">
    <ref bean="authenticationEntryPoint"/>
    </property>
    </bean>
    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecur ityInterceptor">
    <property name="authenticationManager">
    <ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager">
    <ref bean="accessDecisionManager"/></property>
    <property name="objectDefinitionSource">

    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /*.jsp= ROLE_ADMIN
    /secure/* = ROLE_ADMIN, ROLE_SUPERVISOR

    </value>
    </property>
    </bean>
    <bean id="loggerListener"
    class="org.acegisecurity.event.authentication.Logg erListener" />


    <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

    <bean id="accessDecisionManager" class="org.acegisecurity.vote.UnanimousBased">
    <property name="allowIfAllAbstainDecisions">
    <value>false</value>
    </property>
    <property name="decisionVoters">
    <list>
    <ref local="roleVoter"/>
    </list>
    </property>
    </bean>
    <bean id="authenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationP rocessingFilterEntryPoint">
    <property name="loginFormUrl">
    <value>/Login.jsp</value></property>
    <property name="forceHttps"><value>false</value></property>
    </bean>




    <!-- ========================= OTHER ================================================== -->

    <bean id="messageSource" class="org.springframework.context.support.Resourc eBundleMessageSource">
    <property name="basename"><value>messages</value></property>
    </bean>

    </beans>


    According to me only admin users should access the defaulttarget url but normal users can also access it.
    Can anybody help me with this
    And also if my welcome1.jsp redirects the page to /secure/welcome.do
    which should be accessible by role_supervisor or role_admin, is accessible by all users.
    Can anybody help me with this please

  • #2
    1. Can you get it to work by using exact pages, and no pattern matching (i.e., no *)?

    2. I don't know, but I'm wondering if having your defaultTargetUrl match the *.jsp in the objectDefinitionSource could be a problem.

    Comment


    • #3
      FilterChainProxy is incorrectly configured. See the Contacts Sample for a guide. Without it being used on every request, SecurityContextHolder is empty. Also, for debugging try using out-of-the-box UserDetailsService implementations such as InMemoryDaoImpl.

      Comment

      Working...
      X