
  • Role based Authorization

    Hi

    I am using the following FilterSecurityInterceptor in applicationContext.xml

    <!-- Snippet from post #1: a single rule granting both roles on everything under /secure/.
         With this definition /secure/tabs.jsp would carry ConfigAttributes
         [ROLE_SUPERVISOR, ROLE_USER]; the debug log later in the thread (#6) reports only
         [ROLE_SUPERVISOR] for that URL, which matches the two-line definition posted in #3
         instead. NOTE(review): confirm which file the server actually loads.
         The space inside "FilterSecur ityInterceptor" looks like a forum line-wrapping
         artefact; the real class name has no space. -->
    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecur ityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
    <property name="objectDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT
    /secure/**=ROLE_SUPERVISOR,ROLE_USER

    </value>
    </property>
    </bean>


    But when I log in with ROLE_USER credentials it says "Access is Denied"; it lets me in with ROLE_SUPERVISOR credentials.

    Thanks in Advance.

    Ramesh

  • #2
    please post the rest of your acegi configuration file.

    Thanks

    Rakesh



    • #3
      RoleBasedAuthorization

      Hi Rakesh

      This is the Acegi conf file I am using.

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

      <!-- Acegi security configuration as posted in #3. Several class names below contain a
           stray space (e.g. "FilterSecur ityInterceptor", "ProviderManager "); these look like
           forum line-wrapping artefacts rather than the contents of the real file, so verify
           against the deployed copy before reading anything into them. -->

      <beans>

      <!-- ======================== FILTER CHAIN ======================= -->

      <!-- if you wish to use channel security, add "channelProcessingFilter," in front
      of "httpSessionContextIntegrationFilter" in the list below -->
      <!-- Every request (/**) passes through the four filters named here, in the listed order.
           No channelProcessingFilter is present and the HTTP CHANNEL REQUIREMENTS section
           further down is empty, so nothing in this file forces HTTPS. -->
      <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
      <property name="filterInvocationDefinitionSource">
      <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=httpSessionContextIntegrationFilter,authenticat ionProcessingFilter,exceptionTranslationFilter,fil terInvocationInterceptor
      </value>
      </property>
      </bean>

      <!-- ======================== AUTHENTICATION ======================= -->

      <!-- Single provider: the DAO provider below, which is wired to the JDBC user store. -->
      <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager ">
      <property name="providers">
      <list>
      <ref local="daoAuthenticationProvider"/>
      </list>
      </property>
      </bean>

      <!-- The in-memory user map is commented out in favour of the JDBC DAO, so the
           marissa/dianne/scott entries further down are not what this file authenticates
           against. NOTE(review): the debug log in #6 still shows "Username: marissa" with
           ROLE_USER, which matches the in-memory map; confirm which store the running
           deployment actually uses. -->
      <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenti cationProvider">
      <!--<property name="userDetailsService"><ref local="inMemoryDaoImpl"/></property>-->
      <property name="userDetailsService"><ref local="jdbcAuthenticationDao"/></property>
      </bean>

      <!-- Simplest mapping between user, password and roles -->
      <!-- Not referenced by any active bean (the only reference to it above is commented out).
           Passwords are plaintext here; acceptable for a sample map, not for a deployed store. -->
      <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemo ryDaoImpl">
      <property name="userMap">
      <value>
      marissa=koala,ROLE_USER
      dianne=emu,ROLE_SUPERVISOR
      scott=wombat,ROLE_USER,ROLE_SUPERVISOR
      </value>
      </property>
      </bean>


      <!-- Database connection for the JDBC user store. NOTE(review): host, username and
           password are in plaintext in this file and have now been posted publicly; move
           them to an externalized property source (e.g. a property placeholder) and rotate
           the credential. -->
      <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverM anagerDataSource">
      <property name="driverClassName">
      <value>oracle.jdbc.driver.OracleDriver</value>
      </property>
      <property name="url">
      <value>jdbc:oracle:thin:@172.16.0.73:1521:appspm a</value>
      </property>
      <property name="username">
      <value>cst_test</value>
      </property>
      <property name="password">
      <value>env^test</value>
      </property>
      </bean>

      <!-- Loads users and their granted authorities from the dataSource above. No query
           customisation is set, so the class defaults apply (the schema is not shown here). -->
      <bean id="jdbcAuthenticationDao" class="org.acegisecurity.userdetails.jdbc.JdbcDaoI mpl">
      <property name="dataSource">
      <ref bean="dataSource"></ref>
      </property>

      </bean>

      <!-- Keeps the SecurityContext across requests via the HTTP session. (The comment that
           previously sat here described the exception translation filter; see that bean
           below.) -->
      <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContex tIntegrationFilter"/>


      <!-- ===================== ACCESS DECISION ==================== -->

      <!-- AffirmativeBased: access is granted as soon as any voter grants. With only the
           RoleVoter registered and allowIfAllAbstainDecisions=false, the user must hold at
           least one of the ROLE_* attributes attached to the URL, otherwise
           AccessDeniedException is thrown (AffirmativeBased.decide in the #6 stack trace). -->
      <bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
      <property name="allowIfAllAbstainDecisions"><value>false</value></property>
      <property name="decisionVoters">
      <list>
      <ref bean="roleVoter"/>
      </list>
      </property>
      </bean>

      <!-- An access decision voter that reads ROLE_* configuration settings -->
      <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>


      <!-- Note the order that entries are placed against the objectDefinitionSource is critical.
      The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
      Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->
      <!-- NOTE(review): this is the cause of the denial discussed in the thread. By the
           first-match rule described just above, "/secure/**" already matches
           /secure/tabs.jsp, so the more specific "/secure/tabs.jsp=ROLE_USER" line is never
           consulted and that URL only ever carries ROLE_SUPERVISOR (the #6 log shows
           ConfigAttributes: [ROLE_SUPERVISOR]). To admit both roles, either list
           "/secure/tabs.jsp=ROLE_USER,ROLE_SUPERVISOR" before the "/secure/**" entry, or
           grant both roles on the "/secure/**" line as the snippet in post #1 does. -->
      <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecur ityInterceptor">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
      <property name="objectDefinitionSource">
      <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT
      /secure/**=ROLE_SUPERVISOR
      /secure/tabs.jsp=ROLE_USER
      </value>
      </property>
      </bean>


      <!-- ===================== HTTP CHANNEL REQUIREMENTS ==================== -->
      <!-- (none configured; see the filter chain note above) -->


      <!-- ===================== HTTP REQUEST SECURITY ==================== -->

      <!-- Handles any AccessDeniedException and AuthenticationException thrown within the
           filter chain: an unauthenticated caller is sent to the entry point referenced
           below, an authenticated one gets a forbidden response (the "Access is denied
           (user is not anonymous); sending back forbidden response" line in the #6 log). -->
      <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFi lter">
      <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
      </bean>

      <!-- Form login: credentials are posted to /j_acegi_security_check; a failure returns to
           /acegilogin.jsp?login_error=1 and a success lands on defaultTargetUrl (/). -->
      <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationP rocessingFilter">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
      <property name="defaultTargetUrl"><value>/</value></property>
      <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
      </bean>

      <!-- Sends unauthenticated requests to the login form. forceHttps=false and no channel
           security is configured, so the login form and the posted credentials can travel
           over plain HTTP unless the container itself enforces TLS. -->
      <bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationP rocessingFilterEntryPoint">
      <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
      <property name="forceHttps"><value>false</value></property>
      </bean>

      <!-- Allow the use of getRemoteUser(), getUserPrincipal(), etc on request for Acegi -->
      <!-- Disabled: the wrapper filter below is commented out and is not in the filter chain. -->
      <!-- bean id="contextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHo lderAwareRequestFilter"/ -->

      </beans>

      Thanks
      Mahendran



      • #4
        in this example you have

        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT
        /secure/**=ROLE_SUPERVISOR
        /secure/tabs.jsp=ROLE_USER

        which is different from your earlier post. Which one are you using? This latest configuration won't let ROLE_USER in.

        What URL are you using? Also, how have you configured your Spring DispatcherServlet mapping? I have found that they can conflict.

        Cheers

        Rakesh



        • #5
          Hi Rakesh

          I have configured the DispatcherServlet mapping in web.xml like this:

          <!-- DispatcherServlet is mapped to *.htm only, so /secure/tabs.jsp is not served by
               this servlet. The Acegi filter chain (entered via FilterToBeanProxy, per the
               stack trace in #6) runs before any servlet, so this mapping on its own does
               not explain the denial on tabs.jsp. The space in "DispatcherSe rvlet" looks
               like a forum line-wrapping artefact. -->
          <servlet>
          <servlet-name>ati-acegi-web1</servlet-name>
          <servlet-class>org.springframework.web.servlet.DispatcherSe rvlet</servlet-class>
          <load-on-startup>1</load-on-startup>
          </servlet>
          <servlet-mapping>
          <servlet-name>ati-acegi-web1</servlet-name>
          <url-pattern>*.htm</url-pattern>
          </servlet-mapping>

          And in my application context file:


          <!-- As posted in #5: both roles granted on everything under /secure/. If this were
               the loaded definition, /secure/tabs.jsp would carry ConfigAttributes
               [ROLE_SUPERVISOR, ROLE_USER]; the #6 log reports only [ROLE_SUPERVISOR], which
               matches the two-line definition in #3 (where "/secure/**=ROLE_SUPERVISOR"
               precedes the tabs.jsp entry and so wins by first match). NOTE(review): confirm
               which application context file the server actually loads. -->
          <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecur ityInterceptor">
          <property name="authenticationManager"><ref bean="authenticationManager"/></property>
          <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
          <property name="objectDefinitionSource">
          <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT
          /secure/**=ROLE_SUPERVISOR,ROLE_USER

          </value>
          </property>
          </bean>

          Here it is not letting the ROLE_USER authority in.

          Thanks
          Ramesh.



          • #6
            Hi Rakesh

            I am getting the stack trace below when I try to log in with ROLE_USER:

            [DEBUG,AbstractSecurityInterceptor,ExecuteThread: '12' for queue: 'weblogic.kernel.Default'] Secure object: FilterInvocation: URL: /secure/tabs.jsp; ConfigAttributes: [ROLE_SUPERVISOR]
            [DEBUG,AbstractSecurityInterceptor,ExecuteThread: '12' for queue: 'weblogic.kernel.Default'] Secure object: FilterInvocation: URL: /secure/tabs.jsp; ConfigAttributes: [ROLE_SUPERVISOR]
            [DEBUG,AbstractSecurityInterceptor,ExecuteThread: '12' for queue: 'weblogic.kernel.Default'] Previously Authenticated: org.acegisecurity.providers.UsernamePasswordAuthen ticationToken@0: Username: org.acegisecurity.userdetails.User@fb966e00: Username: marissa; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@2eb7 6: RemoteIpAddress: 127.0.0.1; SessionId: G6GTClBhrvmhBdWGnLxPGtvJTv3XJMQ2Wh8nRH1yWvNT6QYpsv Zy!-1492286906!1144685646984; Granted Authorities: ROLE_USER
            [DEBUG,AbstractSecurityInterceptor,ExecuteThread: '12' for queue: 'weblogic.kernel.Default'] Previously Authenticated: org.acegisecurity.providers.UsernamePasswordAuthen ticationToken@0: Username: org.acegisecurity.userdetails.User@fb966e00: Username: marissa; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@2eb7 6: RemoteIpAddress: 127.0.0.1; SessionId: G6GTClBhrvmhBdWGnLxPGtvJTv3XJMQ2Wh8nRH1yWvNT6QYpsv Zy!-1492286906!1144685646984; Granted Authorities: ROLE_USER
            [DEBUG,ExceptionTranslationFilter,ExecuteThread: '12' for queue: 'weblogic.kernel.Default'] Access is denied (user is not anonymous); sending back forbidden response
            org.acegisecurity.AccessDeniedException: Access is denied
            at org.acegisecurity.vote.AffirmativeBased.decide(Aff irmativeBased.java:83)
            at org.acegisecurity.intercept.AbstractSecurityInterc eptor.beforeInvocation(AbstractSecurityInterceptor .java:347)
            at org.acegisecurity.intercept.web.FilterSecurityInte rceptor.invoke(FilterSecurityInterceptor.java:113)
            at org.acegisecurity.intercept.web.FilterSecurityInte rceptor.doFilter(FilterSecurityInterceptor.java:79 )
            at org.acegisecurity.util.FilterChainProxy$VirtualFil terChain.doFilter(FilterChainProxy.java:303)
            at org.acegisecurity.ui.ExceptionTranslationFilter.do Filter(ExceptionTranslationFilter.java:143)
            at org.acegisecurity.util.FilterChainProxy$VirtualFil terChain.doFilter(FilterChainProxy.java:303)
            at org.acegisecurity.ui.AbstractProcessingFilter.doFi lter(AbstractProcessingFilter.java:246)
            at org.acegisecurity.util.FilterChainProxy$VirtualFil terChain.doFilter(FilterChainProxy.java:303)
            at org.acegisecurity.context.HttpSessionContextIntegr ationFilter.doFilter(HttpSessionContextIntegration Filter.java:220)
            at org.acegisecurity.util.FilterChainProxy$VirtualFil terChain.doFilter(FilterChainProxy.java:303)
            at org.acegisecurity.util.FilterChainProxy.doFilter(F ilterChainProxy.java:173)
            at org.acegisecurity.util.FilterToBeanProxy.doFilter( FilterToBeanProxy.java:120)
            at weblogic.servlet.internal.FilterChainImpl.doFilter (FilterChainImpl.java:27)
            at weblogic.servlet.internal.WebAppServletContext$Ser vletInvocationAction.run(WebAppServletContext.java :6987)
            at weblogic.security.acl.internal.AuthenticatedSubjec t.doAs(AuthenticatedSubject.java:321)
            at weblogic.security.service.SecurityManager.runAs(Se curityManager.java:121)

            Thanks
            Mahndran



            • #7
              A few things:

              1. Where is the /secure directory? Is it under WEB-INF? If so, you cannot access it directly and you have to go via the dispatcher servlet, which has been configured to only process requests ending in .htm.

              2. How many Spring/Acegi xml files do you have? The error message talks about not having an anonymous role but you don't seem to have configured that role.

              Cheers

              Rakesh



              • #8
                Hi Rakesh

                The secure dir is not under WEB-INF and I am using only one Acegi conf file,
                which I have posted already.
                My actual requirement is to enable or disable resources based on authorities, so
                in secure/tabs.jsp I am retrieving the corresponding authority of the logged-in user and displaying only authorized data, but when I log in with the ROLE_USER authority it throws the AccessDeniedException. So both ROLE_USER and ROLE_SUPERVISOR should have access to secure/tabs.jsp.

                Thanks in Advance
                Mahendran.
