Announcement Announcement Module
Collapse
No announcement yet.
Can't access 'secured' resources - redirected to login page Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Can't access 'secured' resources - redirected to login page

    Hi guys,

    I'm using the setup described in the following configuration files, with Acegi v0.6.1 (inside of WebSphere). I'm using the security filter to redirect to my login.jsp. At the moment I am just running with the example in memory authentication DAO.

    This seems to work in that I don't get any error when I supply the correct username/password combination. However, I don't get redirected to the originally requested URL, after authentication. Instead, I end up back at the login.jsp, with no error message.

    I followed it through in the debugger and have noticed that the the authenticated attribute on the Authentication object is not set to true despite successful authentication. Not sure why this should be so. Have I got my filters out of order in the configuration? Does it matter? (I've just tried it with the authentication filter before the auto-integration filter - still no joy.)

    Thanks, Owen

    Here's my web.xml excerpt:
    Code:
        <filter>
            <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.ui.AutoIntegrationFilter</param-value>
            </init-param>
        </filter>
        
        <filter>
            <filter-name>Acegi Authentication Processing Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
            </init-param>
        </filter>
    
        <filter>
            <filter-name>Acegi HTTP Request Security Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
            </init-param>
        </filter>
        
        <filter-mapping>
          <filter-name>Acegi HTTP Request Security Filter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
    	
        <filter-mapping>
          <filter-name>Acegi Authentication Processing Filter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
    
        <filter-mapping>
          <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
    and here's my applicationContext.xml excerpt:
    Code:
    	<bean id="autoIntegrationFilter" class="net.sf.acegisecurity.ui.AutoIntegrationFilter" />
        
        	<!-- If you replace this bean with say JdbcDaoImpl, just ensure your replacement
    	     has the same bean id &#40;authenticationDao&#41; -->
    	<bean id="authenticationDao" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
      		<property name="userMap">
    			<value>
    				marissa=koala,ROLE_SUPERVISOR
    				dianne=emu,ROLE_TELLER
    				scott=wombat,ROLE_TELLER
    				peter=opal,disabled,ROLE_TELLER
    			</value>
    		</property>
    	</bean>
    
    	<!-- Note the order that entries are placed against the objectDefinitionSource is critical.
    	     The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
    	     Accordingly, you should place MOST SPECIFIC &#40;ie a/b/c/d.*&#41; expressions first, with LEAST SPECIFIC &#40;ie a/.*&#41; expressions last -->
    	<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        	<property name="authenticationManager"><ref local="authenticationManager"/></property>
        	<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
     		<property name="objectDefinitionSource">
    			<value>
    			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			    PATTERN_TYPE_APACHE_ANT
    				/secure/**=ROLE_SUPERVISOR
    			</value>
    		</property>
    	</bean>
        
        <!-- probably don't need to change the following ever -->
        
        <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
         	<property name="authenticationDao"><ref local="authenticationDao"/></property>
         	<property name="userCache"><ref local="userCache"/></property>
    	</bean>
    	
    	<bean id="userCache" class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
    		<property name="minutesToIdle"><value>5</value></property>
    	</bean>
    
    	<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
    		<property name="providers">
    		  <list>
    		    <ref local="daoAuthenticationProvider"/>
    		  </list>
    		</property>
    	</bean>
    
    	<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
    
    	<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
       		<property name="allowIfAllAbstainDecisions"><value>false</value></property>
    		<property name="decisionVoters">
    		  <list>
    		    <ref local="roleVoter"/>
    		  </list>
    		</property>
    	</bean>
    
    	<bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    		<property name="authenticationManager"><ref local="authenticationManager"/></property>
    		<property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property>
    		<property name="defaultTargetUrl"><value>/</value></property>
    		<property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
    	</bean>
    
    	<bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    		<property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
    		<property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
    	</bean>
    
    	<bean id="authenticationProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    		<property name="loginFormUrl"><value>/login.jsp</value></property>
    		<property name="forceHttps"><value>false</value></property>
    	</bean>

  • #2
    Yes, your filter-mappings are in the wrong order. They should be:

    ChannelProcessingFilter
    AuthenticationProcessingFilter
    CasProcessingFilter
    BasicProcessingFilter
    AutoIntegrationFilter
    SecurityEnforcementFilter

    I've listed all of them for the benefit of the archives. They're also listed in hte reference guide toward the end.

    The reason this order is required is because you ChannelProcessingFilter, if used, redirects to the correct channel (eg HTTPS). The various *ProcessingFilters then actually login the user if the HTTP request related to a login (eg a login form or a BASIC authentication header or a CAS redirect etc). The result of these *ProcessingFilters is to put the known-to-be-valid username and password into an Authentication object and put it into a "well-known location" - typically HttpSession. AutoIntegrationFilter "reads" this well-known location and puts it onto the ContextHolder. SecurityEnforcementFilter refers solely to the ContextHolder and will use the username and password to re-authenticate the user as part of AbstractSecurityInterceptor processing. When the request ends, the AutoIntegrationFilter reads the ContextHolder and copies the Authentication off it and back into the well-known location, ready for next request.

    HTH

    Comment


    • #3
      Can't access 'secured' resources and redirected to login page too

      I can't access too. It's always an anonymous. Please help me! I'm beginner, sorry and thanks so much.

      applicationContext.xml
      Code:
      <beans>
      
      	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
      		<property name="filterInvocationDefinitionSource">
      			<value><![CDATA[
      				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      				PATTERN_TYPE_APACHE_ANT
      				/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      			]]></value>
      		</property>
      	</bean>
      
      	<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
      
      	<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
      		<constructor-arg value="/template/default/template.jsf"/> <!-- URL redirected to after logout -->
      		<constructor-arg>
      			<list>
      				<ref bean="rememberMeServices"/>
      				<bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
      			</list>
      		</constructor-arg>
      	</bean>
      
      	<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
      		<property name="authenticationManager" ref="authenticationManager"/>
      		<property name="authenticationFailureUrl" value="/login/login.jsf"/>
      		<property name="defaultTargetUrl" value="/template/default/template.jsf"/>
      		<property name="filterProcessesUrl" value="/j_acegi_security_check"/>
      		<property name="rememberMeServices" ref="rememberMeServices"/>
      	</bean>
      
      	<bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
      
      	<bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
      		<property name="authenticationManager" ref="authenticationManager"/>
      		<property name="rememberMeServices" ref="rememberMeServices"/>
      	</bean>
      
      	<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
      		<property name="key" value="changeThis"/>
      		<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
      	</bean>
      	<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
      		<property name="authenticationEntryPoint">
      			<bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      				<property name="loginFormUrl" value="/login/login.jsf"/>
      				<property name="forceHttps" value="false"/>
      			</bean>
      		</property>
      		<property name="accessDeniedHandler">
      			<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
      				<property name="errorPage" value="/login/error.jsf"/>
      			</bean>
      		</property>
      	</bean>
      
      	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
      		<property name="authenticationManager" ref="authenticationManager"/>
      		<property name="accessDecisionManager">
      			<bean class="org.acegisecurity.vote.AffirmativeBased">
      				<property name="allowIfAllAbstainDecisions" value="false"/>
      				<property name="decisionVoters">
      					<list>
      						<bean class="org.acegisecurity.vote.RoleVoter"/>
      						<bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
      					</list>
      				</property>
      			</bean>
      		</property>
      		<property name="objectDefinitionSource">
      			<value>
      				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      				PATTERN_TYPE_APACHE_ANT
      				/qlhochieu/**=ROLE_MANAGER
      				/qldoanra/**=ROLE_MANAGER
      				/qldoanvao/**=ROLE_MANAGER
      			</value>
      		</property>
      	</bean>
      
      	<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
      		<property name="userDetailsService" ref="userDetailsService"/>
      		<property name="key" value="changeThis"/>
      	</bean>
      
      	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
      		<property name="providers">
      			<list>
      				<ref local="daoAuthenticationProvider"/>
      				<bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
      					<property name="key" value="changeThis"/>
      				</bean>
      				<bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
      					<property name="key" value="changeThis"/>
      				</bean>
      			</list>
      		</property>
      	</bean>
      
      	<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
      		<property name="userDetailsService" ref="userDetailsService"/>
      	</bean>
      
      	<!-- UserDetailsService is the most commonly frequently Acegi Security interface implemented by end users -->
      	<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
      		<property name="userProperties">
      			<bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
      				<property name="location" value="/WEB-INF/users.properties"/>
      			</bean>
      		</property>
      	</bean>
      
      	<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
      	<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>
      
      </beans>
      My configs in web.xml

      Code:
      	<context-param>
      		<param-name>contextConfigLocation</param-name>
      		<param-value>
      			/WEB-INF/applicationContext-acegi-security.xml
      		</param-value>
      	</context-param>
      
      	<filter>
      		<filter-name>Acegi Filter Chain Proxy</filter-name>
      		<filter-class>
      			org.acegisecurity.util.FilterToBeanProxy
      		</filter-class>
      		<init-param>
      			<param-name>targetClass</param-name>
      			<param-value>
      				org.acegisecurity.util.FilterChainProxy
      			</param-value>
      		</init-param>
      	</filter>
      	<listener>
      		<listener-class>
      			org.springframework.web.context.ContextLoaderListener
      		</listener-class>
      	</listener>
      
      	<filter-mapping>
      		<filter-name>Acegi Filter Chain Proxy</filter-name>
      		<url-pattern>/*</url-pattern>
      		<dispatcher>FORWARD</dispatcher>
      		<dispatcher>REQUEST</dispatcher>
      
      	</filter-mapping>
      I can't find any reason for this error. If i use SSL to access via HTTPS, how i must configure them?
      どうも、ありがとう ございます。

      Comment

      Working...
      X