Access denied old chestnut

  • Access denied old chestnut

    I'm trying to do a pretty standard forms based authentication using ACEGI. When I go to a URL in my application and I am not logged in, it produces the attached stack trace as it tries to redirect to the login page (acegilogin.jsp). Also attached is my acegi spring configuration file.

    Any help very much appreciated.

  • #2
    You are trying to hit login.jsp which is not specifically defined in your filterSecurityInterceptor. It ends up matching on /**=ROLE_USER,ROLE_ADMIN which your user does not have the correct granted authorities to access.

    Simply add
    /login.jsp=ROLE_ANONYMOUS


    • #3
      Ah, well, I can see why you think this, but don't think it is quite the case. The application I am wrapping in acegi had a manual, non-acegi login called login.jsp that called a struts action to validate the login details. For now I have not made any changes at all to the old application, save for adding the acegi servlet filter in web.xml. So, in my example, I chose login.jsp as an example url that was unauthorised, but it could have been any other url within the application. Once it is all working login.jsp would disappear, but for the sake of argument, imagine login.jsp was called test.jsp and was only supposed to be accessible after logging into the application. Therefore the pattern matching for this should be via /**=ROLE_USER,ROLE_ADMIN, not via this /test.jsp=ROLE_ANONYMOUS. That is, unless login.jsp has some special significance as a file name.

      Basically I am getting the same problem with any protected URL. The annoying thing is I HAD this working, but must have changed something slightly to mess it up. What seems to be happening is that it realises the URL I have entered is protected, so it forwards to the acegilogin.jsp, and then promptly falls over.


      • #4
        Ok. Well if this is the case, based on the stack trace you are still running as anonymousUser which only has ROLE_ANONYMOUS.

        Your stack trace shows
        FilterInvocation: URL: /login.jsp; ConfigAttributes: [ROLE_USER, ROLE_ADMIN] which are the required granted authorities in order to access this page.

        If this is not the issue, then can you please explain it differently?


        • #5
          Thanks for the reply, I will try and explain it better.

          Just imagine login.jsp is not called login.jsp, as this name is obsolete, but call it topSecret.jsp instead. I absolutely want the authorities of topSecret.jsp page to be ROLE_USER, ROLE_ADMIN as I want only people that are logged in to be able to see the page. I type in /webapp/topSecret.jsp in my browser. Acegi sees I only currently have anonymous access to this page, so it tries to redirect to the authentication point (correct behaviour) with this log message:

          Access is denied (user is anonymous); redirecting to authentication entry point

          At which point it crashes with the stack trace, which I don't understand. What it should do is pop up the acegilogin.jsp page for me to authenticate, then forward on to my (badly named) login.jsp aka topSecret.jsp.

          The main spanner I have put in the works in terms of my example is calling the page I want to go to login.jsp. This just confuses the issue, but it's not a login page, just a page that should be protected. acegilogin.jsp is my actual login page for acegi forms based authentication.


          • #6
            What you are describing is normal behaviour.

            The stacktrace is a debug message to indicate what triggered the entry point and you can disable it by configuring your logging package appropriately.


            • #7
              Thanks for that, that has put me back on the right track. I am now getting the "looping login page" problem whereby it redirects endlessly to the login page. This seems to be because my pattern matching is not picking up the login page.

              On further investigation I found it was nothing more than a typo. I had this:

              PATTERN_TYPE_APACHE_ANT /acegilogin.jsp=ROLE_ANONYMOUS

              when I should have had this


              so it was not matching the acegilogin page because of my regular expressions being up the swanny. Schoolboy error...

              Thanks to all who helped.
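The two configuration points raised in this thread (post #2: the login page needs its own ROLE_ANONYMOUS rule; post #7: a rule that does not actually match the login page produces the endless redirect to it) both come down to how the URL-to-role table is evaluated. The following is an added, constructed Python model of that evaluation, written for this page and not Acegi's own code; it assumes the first matching pattern wins (which is how Acegi's FilterSecurityInterceptor treats its ordered pattern list) and that an unauthenticated request carries only ROLE_ANONYMOUS. The Ant-style matcher, the rule parser and the redirect simulation are all simplified stand-ins, and the two rule sets are constructed to show the broken and the working ordering side by side.

```python
"""Constructed model of first-match URL -> role rules (Acegi-style).

Added example for this thread; a simplified stand-in, NOT Acegi's
FilterSecurityInterceptor implementation.
"""
import re
from typing import FrozenSet, List, Optional, Tuple

Rule = Tuple[str, FrozenSet[str]]  # (Ant pattern, roles that may access it)

ANONYMOUS = frozenset({"ROLE_ANONYMOUS"})  # what an unauthenticated request holds
LOGIN_PAGE = "/acegilogin.jsp"             # the form-login page from the thread


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a minimal Ant path pattern: '**' spans segments, '*' stays
    within one segment, '?' is a single character (simplified matcher)."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_rules(config: str) -> List[Rule]:
    """Parse 'pattern=ROLE_A,ROLE_B' lines in order. Directive lines such as
    PATTERN_TYPE_APACHE_ANT carry no mapping and are skipped."""
    rules: List[Rule] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or "=" not in line or line.startswith("PATTERN_TYPE_"):
            continue
        pattern, roles = line.split("=", 1)
        rules.append((pattern.strip(), frozenset(r.strip() for r in roles.split(","))))
    return rules


def required_roles(rules: List[Rule], url: str) -> Optional[FrozenSet[str]]:
    """First matching rule wins, so a specific rule must precede /**."""
    for pattern, roles in rules:
        if ant_to_regex(pattern).match(url):
            return roles
    return None  # no rule at all: the URL is not secured


def decide(rules: List[Rule], url: str, granted: FrozenSet[str]) -> str:
    """'allow' when the request holds any of the roles the matching rule lists."""
    needed = required_roles(rules, url)
    if needed is None or needed & granted:
        return "allow"
    return "deny"


def simulate_anonymous_request(rules: List[Rule], url: str, login_page: str) -> str:
    """Model the 'Access is denied (user is anonymous); redirecting to
    authentication entry point' path: a denied URL redirects to the login
    page, and if that page is itself denied the browser loops forever."""
    if decide(rules, url, ANONYMOUS) == "allow":
        return "served"
    if decide(rules, login_page, ANONYMOUS) == "allow":
        return "redirect to login page"
    return "redirect loop: login page itself is protected"


# Constructed rule sets. BROKEN puts the catch-all first, so the login page
# is swallowed by /** and anonymous users can never reach the form.
BROKEN_CONFIG = """
PATTERN_TYPE_APACHE_ANT
/**=ROLE_USER,ROLE_ADMIN
/acegilogin.jsp=ROLE_ANONYMOUS
"""
FIXED_CONFIG = """
PATTERN_TYPE_APACHE_ANT
/acegilogin.jsp=ROLE_ANONYMOUS
/**=ROLE_USER,ROLE_ADMIN
"""
BROKEN_RULES = parse_rules(BROKEN_CONFIG)
FIXED_RULES = parse_rules(FIXED_CONFIG)

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, "/topSecret.jsp ->", simulate_anonymous_request(rules, "/topSecret.jsp", LOGIN_PAGE))
        print(name, "login page needs", sorted(required_roles(rules, LOGIN_PAGE)))
```

The same `required_roles` check is the quickest way to diagnose the thread's two symptoms: if it returns `{ROLE_USER, ROLE_ADMIN}` for the login page URL, either the rule ordering or the pattern text (the typo in post #7) is wrong, and every protected URL will bounce to a login page that is itself denied.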