  • images over SSL w/ IE

    I have been working happily w/ Acegi until it came time to test some parts of my web app w/ IE. I have since learned that IE has a *feature* where it does not download linked content from a secure connection w/ certain combinations of header values. I'm guessing my problem is similar to what these different groups have come across.

    The header content from a page secured w/ Acegi on my machine is:
    Server: Apache-Coyote/1.1
    Pragma: No-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache, no-store
    Content-Type: text/html;charset=UTF-8
    Content-Language: en-US
    Transfer-Encoding: chunked
    Date: Sat, 01 Apr 2006 10:37:57 GMT

    200 OK
    Reading the above links and others on the web indicates that these two lines are causing my problems:
    Pragma: No-cache
    Cache-Control: no-cache, no-store
    When Tomcat sees a secure connection, it will automatically apply those headers to the response, causing some obvious difficulties.

    Having not come across this before though, I went back to a Struts app still on the same box, visited a secure page in it, and it worked fine for IE - its response header for the secure page is:
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Transfer-Encoding: chunked
    Date: Sat, 01 Apr 2006 10:43:48 GMT

    200 OK
    I'm just about out of ideas, and would appreciate any thoughts on getting past this.

    Thanks,

    Paul

  • #2
    Hi,

    It's not clear whether you're just looking for general suggestions on the problem or whether you have some reason to believe that Acegi is influencing the headers that are being produced (other than the difference with the Struts app). If so, you'll need to give more specific information on what Acegi features you're using.

    Do you still see the same headers with Acegi's filters disabled completely?

    What transport constraints (if any) are being applied in web.xml in both apps? One of the comments in the bugzilla link you posted mentions that

    "Tomcat adds the respective caching headers to the HTTP header automatically if and only if a resource of a webapp is being accessed for which a user data constraint of CONFIDENTIAL has been set."



    • #3
      Thanks for responding. At this point, I'll take any suggestions - specific or otherwise. I looked over the web.xml files for both applications as well as the default for the server, and cannot find anything referencing a security-constraint, confidential or otherwise.

      Just in case, I added a security-constraint with a transport-guarantee value of NONE to my webapp w/ no effect.

      I did temporarily remove Acegi from the app, and had the exact same headers for pages loaded with both http:// and https://, so Acegi would appear not to be the issue. Interestingly enough though, before the original post I'd written a small filter to set the offending headers to IE-friendly values, and it had no effect - the values would not stick, so I commented that out of the application's web.xml file. While I had Acegi temporarily removed this time around, I re-added that filter, and the headers were finally what they should be - it worked.

      I'd tend to think this is a Tomcat issue, but I have a webapp (Struts though) that works on this box w/o problem.

      Here are my Acegi entries in web.xml:
      Code:
        <filter>
          <filter-name>Acegi-Channel</filter-name>
          <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
          <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.acegisecurity.securechannel.ChannelProcessingFilter</param-value>
          </init-param>
        </filter>

        <filter>
          <filter-name>Acegi Security System for Spring HTTP Session Integration Filter</filter-name>
          <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
          <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.acegisecurity.context.HttpSessionContextIntegrationFilter</param-value>
          </init-param>
        </filter>

        <filter>
          <filter-name>Acegi Authentication Processing Filter</filter-name>
          <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
          <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
          </init-param>
        </filter>

        <filter>
          <filter-name>Acegi HTTP Request Security Filter</filter-name>
          <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
          <init-param>
            <param-name>targetBean</param-name>
            <param-value>securityEnforcementFilter</param-value>
          </init-param>
        </filter>

        <filter>
          <filter-name>Acegi HTTP Request Security Interceptor</filter-name>
          <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
          <init-param>
            <param-name>targetBean</param-name>
            <param-value>filterInvocationInterceptor</param-value>
          </init-param>
        </filter>

        <filter-mapping>
          <filter-name>Acegi-Channel</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>

        <filter-mapping>
          <filter-name>Acegi Security System for Spring HTTP Session Integration Filter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>

        <filter-mapping>
          <filter-name>Acegi Authentication Processing Filter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>

        <filter-mapping>
          <filter-name>Acegi HTTP Request Security Filter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>

        <filter-mapping>
          <filter-name>Acegi HTTP Request Security Interceptor</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
      My -security.xml file that configures Acegi:
      Code:
        <!-- Security Enforcement Filter - decide what is supposed to be secured -->
        <bean id="securityEnforcementFilter"
              class="org.acegisecurity.ui.ExceptionTranslationFilter">
          <property name="authenticationEntryPoint">
            <ref bean="authenticationEntryPoint"/>
          </property>
        </bean>

        <bean id="authenticationProcessingFilter"
              class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
          <property name="filterProcessesUrl">
            <value>/j_acegi_security_check</value>
          </property>
          <property name="authenticationFailureUrl">
            <value>/adminlogin.jsp?failed=true</value>
          </property>
          <property name="defaultTargetUrl">
            <value>/</value>
          </property>
          <property name="authenticationManager">
            <ref bean="authenticationManager"/>
          </property>
        </bean>

        <!-- Populates the SecurityContextHolder with information obtained from the HttpSession -->
        <bean id="HttpSessionContextIntegrationFilter"
              class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
          <property name="context"><value>org.acegisecurity.context.SecurityContextImpl</value></property>
        </bean>

        <bean id="authenticationEntryPoint"
              class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
          <property name="loginFormUrl">
            <value>/adminlogin.jsp</value>
          </property>
          <property name="forceHttps"><value>true</value></property>
        </bean>

        <!-- = = = = = = = = SECURITY INTERCEPTOR = = = = = = = = -->
        <bean id="filterInvocationInterceptor"
              class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
          <property name="authenticationManager">
            <ref bean="authenticationManager"/>
          </property>
          <property name="accessDecisionManager">
            <ref bean="accessDecisionManager"/>
          </property>
          <property name="objectDefinitionSource">
            <value>
              CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
              PATTERN_TYPE_APACHE_ANT
              /admin/**=ROLE_ADMINISTRATOR
            </value>
          </property>
        </bean>

        <!-- Called from web.xml filter, ensures secure/insecure url -->
        <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
          <property name="filterInvocationDefinitionSource">
            <value>
              CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
              \A/admin/.*\Z=REQUIRES_SECURE_CHANNEL
              \A/adminlogin.jsp\Z=REQUIRES_SECURE_CHANNEL
              \A/adminlogin.*\Z=REQUIRES_SECURE_CHANNEL
              \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
              \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
              \A/.*\Z=REQUIRES_INSECURE_CHANNEL
            </value>
          </property>
          <property name="channelDecisionManager">
            <ref bean="channelDecisionManager"/>
          </property>
        </bean>

        <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
          <property name="channelProcessors">
            <list>
              <ref bean="secureChannelProcessor" />
              <ref bean="insecureChannelProcessor" />
            </list>
          </property>
        </bean>

        <bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor" />
        <bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor" />

        <!-- =================== AUTHENTICATION ================================ -->
        <bean id="authenticationManager"
              class="org.acegisecurity.providers.ProviderManager">
          <property name="providers">
            <ref bean="daoAuthenticationProvider" />
          </property>
        </bean>

        <bean id="daoAuthenticationProvider"
              class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
          <property name="userDetailsService">
            <ref bean="userDetailsService" />
          </property>
        </bean>

        <!-- Declare authenticationDao, which does actual authentication. Uses JdbcDaoImpl -->
        <bean id="userDetailsService"
              class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
          <property name="dataSource">
            <ref bean="dataSource" />
          </property>
          <property name="usersByUsernameQuery">
            <value><snipped></value>
          </property>
          <property name="authoritiesByUsernameQuery">
            <value><snipped></value>
          </property>
        </bean>

        <!-- =================== AUTHORIZATION ================================ -->
        <!-- Configure an Access Decision Manager -->
        <bean id="accessDecisionManager"
              class="org.acegisecurity.vote.UnanimousBased">
          <property name="allowIfAllAbstainDecisions">
            <value>false</value>
          </property>
          <property name="decisionVoters">
            <list><ref bean="roleVoter"/></list>
          </property>
        </bean>

        <!-- Configure the Role Voter -->
        <bean id="roleVoter"
              class="org.acegisecurity.vote.RoleVoter" />

      </beans>
      Just to clarify my OP, the 'linked content' is an <img> tag displaying the company logo on a variety of secure pages. Tomcat 5.5.9, JDK 1.5.0_04, Acegi 1.0RC2.

      If it might help I can post the server.xml for my dev box, though it's pretty basic. Thanks again,

      Paul
      Last edited by paulnw; Apr 2nd, 2006, 11:45 PM.



      • #4
        I found the problem and can now apply a fix. It finally dawned on me that the secure pages I was having problems with - I had thought it was all of them - were form controller backed pages. I did not know, but AbstractFormController (and SimpleFormController) in its constructor calls setCacheSeconds(0), a method inherited from WebContentGenerator. This in turn sets the offending headers. Calling this same method w/ a value of -1 in my own constructor removes the headers - though I still have to disable caching w/o cratering IE.

        Thanks again, Paul
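The header-rewriting filter Paul describes in #3, and the reason his first attempt "would not stick" (#4: the controller sets the headers after the filter has already run), can be combined in one response wrapper. This is an added example, not code from the thread or from Acegi/Spring; it assumes a Servlet 2.4 javax.servlet container such as the Tomcat 5.5 mentioned above, and the replacement Cache-Control value is an assumption to validate against the browsers in use.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Wraps HTTPS responses so that any later setHeader/addHeader call for
 * Pragma or Cache-Control (for example the ones made when a form controller
 * runs with setCacheSeconds(0)) is rewritten before it reaches the client.
 * A filter that merely sets the headers before chain.doFilter() loses them
 * as soon as the controller sets its own, which is why they "do not stick".
 */
public class SecureCacheHeaderFilter implements Filter {

    // Assumed replacement value: still tells shared caches not to store the
    // page, but avoids the "no-store" + "Pragma: No-cache" pair seen above.
    static final String CACHE_CONTROL = "private, max-age=0, must-revalidate";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTPS responses are affected; plain HTTP is passed through untouched.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            res = new CacheHeaderWrapper((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    static class CacheHeaderWrapper extends HttpServletResponseWrapper {
        CacheHeaderWrapper(HttpServletResponse res) { super(res); }

        public void setHeader(String name, String value) {
            if ("Pragma".equalsIgnoreCase(name)) return;            // drop Pragma: No-cache
            if ("Cache-Control".equalsIgnoreCase(name)) value = CACHE_CONTROL;
            super.setHeader(name, value);
        }

        public void addHeader(String name, String value) {
            if ("Pragma".equalsIgnoreCase(name)) return;
            if ("Cache-Control".equalsIgnoreCase(name)) { setHeader(name, value); return; }
            super.addHeader(name, value);                           // other headers unchanged
        }
    }
}
```

Map it in web.xml to /* ahead of the Acegi filter-mappings so that it wraps the response before anything downstream writes headers; the Expires header from the captured response is left as it is.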
