infinite loop : config problem?

  • infinite loop : config problem?

    Hi,

    I've been working on setting up the acegi security stuff for the last day, and everything seems very clear to me. The only thing I don't understand is acegi going into an infinite loop, after login, or when trying to access a secured page, when I've not been logged in. I've implemented the functions to retrieve the user and getting the userbyUsername. And these functions are being called in the correct order. I'll post my security.xml here, and if somebody can help me... always appreciated...
    regards,

    Jürgen
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
    
    <beans>
    	<!-- begin acegi security stuff -->
    	<bean id="filterChainProxy"
    		class="org.acegisecurity.util.FilterChainProxy">
    		<property name="filterInvocationDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/**=httpSessionContextIntegrationFilter,formAuthenticationProcessingFilter,filterSecurityInterceptor,exceptionTranslationFilter,anonymousProcessingFilter
    			</value>
    		</property>
    	</bean>
    	<bean id="formAuthenticationProcessingFilter"
    		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    		<property name="filterProcessesUrl">
    			<value>/j_acegi_security_check</value>
    		</property>
    		<property name="authenticationFailureUrl">
    			<value>/jsp/login.jsp</value>
    		</property>
    		<property name="defaultTargetUrl">
    			<value>/employeepush/main.htm</value>
    		</property>
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    	</bean>
    	<bean id="httpSessionContextIntegrationFilter"
    		class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
    	</bean>
    	<bean id="exceptionTranslationFilter"
    		class="org.acegisecurity.ui.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint">
    			<ref bean="formLoginAuthenticationEntryPoint" />
    		</property>
    	</bean>
    	<bean id="filterSecurityInterceptor"
    		class="be.eltrovo.ePublisher.backend.security.EPublisherSecurityInterceptor">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="accessDecisionManager">
    			<ref local="accessDecisionManager" />
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT 
    				/employeepush/**=ROLE_USE
    			</value>
    		</property>
    	</bean>
    	<bean id="authenticationManager"
    		class="org.acegisecurity.providers.ProviderManager">
    		<property name="providers">
    			<list>
    				<ref bean="daoAuthenticationProvider" />
    			</list>
    		</property>
    	</bean>
    	<bean id="daoAuthenticationProvider"
    		class="be.eltrovo.ePublisher.business.users.EPublisherAuthenticationProvider">
    		<property name="userService">
    			<ref bean="userService" />
    		</property>
    		<property name="userAuthenticator" ref="userAuthenticator" />
    	</bean>
    	<!--
    		<bean id="authenticationDao"
    		class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    		<property name="userMap">
    		<value>
    		test=test,ROLE_USER
    		</value>
    		</property>
    		</bean>
    	-->
    	<bean id="accessDecisionManager"
    		class="org.acegisecurity.vote.UnanimousBased">
    		<property name="decisionVoters">
    			<list>
    				<ref bean="roleVoter" />
    			</list>
    		</property>
    	</bean>
    	<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
    		<property name="rolePrefix">
    			<value>ROLE_</value>
    		</property>
    	</bean>
    	<bean id="formLoginAuthenticationEntryPoint"
    		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    		<property name="loginFormUrl">
    			<value>/jsp/login.jsp</value>
    		</property>
    		<property name="forceHttps">
    			<value>false</value>
    		</property>
    	</bean>
    	<bean id="anonymousProcessingFilter"
    		class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    		<property name="key">
    			<value>anonymous</value>
    		</property>
    		<property name="userAttribute">
    			<value>anonymous,ROLE_ANONYMOUS</value>
    		</property>
    	</bean>
    	<bean id="anonymousAuthenticationProvider"
    		class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    		<property name="key">
    			<value>anonymous</value>
    		</property>
    	</bean>
    
    	<!-- end acegi security stuff -->
    
    </beans>
    Last edited by Jurgen; Sep 11th, 2006, 04:36 AM.

  • #2
    Login page is secured

    You apply security to the login page itself. That is, when you are not logged in, you get redirected to the login page, which requires you to be logged in.
    I would advise to put all secured pages in a folder and the login page outside. So you can easily adjust the patterns to apply differentiated security settings.

    Regards,
    Andreas

    P.S.: Please use [c o d e] [/c o d e] tags around listings to improve readability.



    • #3
      infinite loop

      Hi,

      all the secured pages are in the employeepush directory
      when I add the login page, and the index page, which are outside this directory and give them the role ROLE_ANONYMOUS,ROLE_USER, I get an infinite loop on these pages as well.

      regards,

      Jürgen



      • #4
        Your filter is /** (which is effectively everything). Your login page is in /jsp which is included.

        So I would suggest to restrict your pattern somehow and keep index page and login page outside of the secured area.

        Regards,
        Andreas



        • #5
          Hi,

          are you talking about the pattern of the filterChainProxy or of the filterSecurityInterceptor?

          Already a big thanks for the Support. Great!

          Jürgen



          • #6
            You're right. I confused these two.
            However, two things I just spotted: the anonymousProcessingFilter should be declared before filterSecurityInterceptor in the chain (order counts here). And second, anonymousAuthenticationProvider is not registered with the AuthenticationManager.

            The objectDefinitionSource of the FilterSecurityInterceptor seems to be ok. Still I think that there is somehow a cycle. Is it possible to debug into the code or consult the DEBUG log of acegi to find out more about this?

            Regards,
            Andreas

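The two ordering points above can be reproduced outside a servlet container. The following is an added illustration, not code from Acegi or from this thread: it models one request walking the posted filter chain, with only the behaviour the discussion depends on (the anonymous filter populates an empty context, the interceptor consults the first matching pattern, and a missing Authentication or a denied anonymous caller is sent to the login form by the entry point). The objectDefinitionSource is reconstructed from the patterns visible in the later debug log; the role names attached to each pattern are an assumption.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Toy model of an Acegi-style filter chain (constructed illustration, not Acegi code). */
public class ChainOrderCheck {

    static final String LOGIN_FORM_URL = "/jsp/login.jsp";

    // Assumed objectDefinitionSource after post #3: login/index open to anonymous users,
    // the employeepush area restricted to ROLE_USER. Directive lines carry no '='.
    static final String OBJECT_DEFINITION_SOURCE =
        "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON\n"
      + "PATTERN_TYPE_APACHE_ANT\n"
      + "/jsp/index.jsp*=ROLE_ANONYMOUS,ROLE_USER\n"
      + "/jsp/login.jsp*=ROLE_ANONYMOUS,ROLE_USER\n"
      + "/employeepush/**=ROLE_USER\n";

    /** Minimal Ant-style matcher: "**" spans path segments, "*" stays within one segment. */
    static boolean antMatch(String pattern, String path) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < pattern.length(); i++) {
            char c = pattern.charAt(i);
            if (c == '*') {
                if (i + 1 < pattern.length() && pattern.charAt(i + 1) == '*') {
                    re.append(".*");
                    i++;
                } else {
                    re.append("[^/]*");
                }
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.matches(re.toString(), path.toLowerCase());
    }

    /** Parses "pattern=ROLE_A,ROLE_B" lines, keeping declaration order (first match wins). */
    static Map<String, Set<String>> parseDefinitionSource(String text) {
        Map<String, Set<String>> rules = new LinkedHashMap<String, Set<String>>();
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.length() == 0 || line.indexOf('=') < 0) continue; // skip directives
            String[] kv = line.split("=", 2);
            rules.put(kv[0].trim(), new HashSet<String>(Arrays.asList(kv[1].trim().split(","))));
        }
        return rules;
    }

    /** Returns "OK" when the chain completes, or the URL the entry point would redirect to. */
    static String processRequest(List<String> chain, String url, Map<String, Set<String>> rules,
                                 Set<String> sessionAuthorities) {
        Set<String> authorities = sessionAuthorities; // null models "no Authentication in the context"
        for (String filter : chain) {
            if (filter.equals("anonymousProcessingFilter")) {
                if (authorities == null) authorities = new HashSet<String>(Arrays.asList("ROLE_ANONYMOUS"));
            } else if (filter.equals("filterSecurityInterceptor")) {
                for (Map.Entry<String, Set<String>> rule : rules.entrySet()) {
                    if (!antMatch(rule.getKey(), url)) continue;
                    if (authorities == null) {
                        return LOGIN_FORM_URL; // no credentials at all: straight to the entry point
                    }
                    Set<String> granted = new HashSet<String>(authorities);
                    granted.retainAll(rule.getValue());
                    if (granted.isEmpty()) {
                        // access denied; an anonymous caller is also sent to the login form
                        return authorities.contains("ROLE_ANONYMOUS") ? LOGIN_FORM_URL : "403";
                    }
                    break; // first matching pattern decides
                }
            }
            // the session, form-login and exception-translation filters need no state here
        }
        return "OK";
    }

    /** True when an unauthenticated request for the login form is redirected back to it. */
    static boolean loginPageLoops(List<String> chain, String definitionSource) {
        String outcome = processRequest(chain, LOGIN_FORM_URL, parseDefinitionSource(definitionSource), null);
        return LOGIN_FORM_URL.equals(outcome);
    }

    public static void main(String[] args) {
        // chain order as posted in security.xml: the anonymous filter runs last
        List<String> postedOrder = Arrays.asList("httpSessionContextIntegrationFilter",
            "formAuthenticationProcessingFilter", "filterSecurityInterceptor",
            "exceptionTranslationFilter", "anonymousProcessingFilter");
        // chain order with the anonymous filter ahead of the interceptor
        List<String> fixedOrder = Arrays.asList("httpSessionContextIntegrationFilter",
            "formAuthenticationProcessingFilter", "anonymousProcessingFilter",
            "filterSecurityInterceptor", "exceptionTranslationFilter");
        System.out.println("posted order loops:            " + loginPageLoops(postedOrder, OBJECT_DEFINITION_SOURCE));
        System.out.println("fixed order loops:             " + loginPageLoops(fixedOrder, OBJECT_DEFINITION_SOURCE));
        // the situation from posts #2/#4: a catch-all pattern that demands ROLE_USER for the login form
        System.out.println("login form itself needs a role: " + loginPageLoops(fixedOrder, "/**=ROLE_USER"));
    }
}
```

With the posted order the interceptor sees an empty context even for a URL that grants ROLE_ANONYMOUS, so the request for the login form is redirected to the login form; moving anonymousProcessingFilter ahead of filterSecurityInterceptor breaks the cycle. The last call shows the separate mistake of putting the login form under a pattern that requires a real role, which loops regardless of filter order.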


            • #7
              infinite loop: debug output

              here's the debug output when I access the login page
              Code:
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.util.FilterChainProxy] - /images/logo150procent.jpg at position 4 of 5 in additional filter chain; firing Filter: 'be.eltrovo.ePublisher.backend.security.EPublisherSecurityInterceptor@17a9f24'
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.util.FilterChainProxy] - /images/login.jpg at position 2 of 5 in additional filter chain; firing Filter: '[email protected]'
              2006-09-10 15:42:48,825 DEBUG [be.eltrovo.ePublisher.backend.security.EPublisherSecurityInterceptor] - .doFilter   !! localhost
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.util.FilterChainProxy] - /images/login.jpg at position 3 of 5 in additional filter chain; firing Filter: '[email protected]fb06c9'
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Converted URL to lowercase, from: '/images/logo150procent.jpg'; to: '/images/logo150procent.jpg'
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.providers.anonymous.AnonymousProcessingFilter] - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken@52a18595: Username: anonymous; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: 4825B109034244A9F53CC5DD6DB2EF87; Granted Authorities: ROLE_ANONYMOUS'
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/images/logo150procent.jpg'; pattern is /jsp/index.jsp*; matched=false
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.util.FilterChainProxy] - /images/login.jpg at position 4 of 5 in additional filter chain; firing Filter: 'be.eltrovo.ePublisher.backend.security.EPublisherSecurityInterceptor@17a9f24'
              2006-09-10 15:42:48,825 DEBUG [be.eltrovo.ePublisher.backend.security.EPublisherSecurityInterceptor] - .doFilter   !! localhost
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/images/logo150procent.jpg'; pattern is /jsp/login.jsp*; matched=false
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Converted URL to lowercase, from: '/images/login.jpg'; to: '/images/login.jpg'
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/images/logo150procent.jpg'; pattern is /employeepush/**; matched=false
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/images/login.jpg'; pattern is /jsp/index.jsp*; matched=false
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/images/logo150procent.jpg'; pattern is /hrpublications/**; matched=false
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/images/login.jpg'; pattern is /jsp/login.jsp*; matched=false
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.AbstractSecurityInterceptor] - Public object - authentication not attempted
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/images/login.jpg'; pattern is /employeepush/**; matched=false
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.util.FilterChainProxy] - /images/logo150procent.jpg at position 5 of 5 in additional filter chain; firing Filter: 'org.acegisecurity.ui.ExceptionTranslationFilter@4c689e'
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/images/login.jpg'; pattern is /hrpublications/**; matched=false
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.util.FilterChainProxy] - /images/logo150procent.jpg reached end of additional filter chain; proceeding with original chain
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.intercept.AbstractSecurityInterceptor] - Public object - authentication not attempted
              2006-09-10 15:42:48,825 DEBUG [be.eltrovo.ePublisher.backend.OpenSessionInViewFilter] - Using SessionFactory 'hibernateSessionFactory' for OpenSessionInViewFilter
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.util.FilterChainProxy] - /images/login.jpg at position 5 of 5 in additional filter chain; firing Filter: 'org.acegisecurity.ui.ExceptionTranslationFilter@4c689e'
              2006-09-10 15:42:48,825 DEBUG [org.acegisecurity.util.FilterChainProxy] - /images/login.jpg reached end of additional filter chain; proceeding with original chain
              2006-09-10 15:42:48,835 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] - Chain processed normally
              2006-09-10 15:42:48,835 DEBUG [be.eltrovo.ePublisher.backend.security.EPublisherSecurityInterceptor] - AuthenticationObject found!!anonymous
              2006-09-10 15:42:48,835 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - SecurityContextHolder set to new context, as request processing completed
              2006-09-10 15:42:48,835 DEBUG [be.eltrovo.ePublisher.backend.OpenSessionInViewFilter] - Closing single Hibernate Session in OpenSessionInViewFilter
              2006-09-10 15:42:48,855 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] - Chain processed normally
              2006-09-10 15:42:48,855 DEBUG [be.eltrovo.ePublisher.backend.security.EPublisherSecurityInterceptor] - No AuthenticationObject found
              2006-09-10 15:42:48,855 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - SecurityContext stored to HttpSession: 'org.acegisecurity.context.SecurityContextImpl@ffffffff: Null authentication'
              2006-09-10 15:42:48,855 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - SecurityContextHolder set to new context, as request processing completed
              here's the debug code after I typed in username/login
              Code:
              2006-09-10 15:51:39,859 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Converted URL to lowercase, from: '/j_acegi_security_check'; to: '/j_acegi_security_check'
              2006-09-10 15:51:39,859 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/j_acegi_security_check'; pattern is /**; matched=true
              2006-09-10 15:51:39,859 DEBUG [org.acegisecurity.util.FilterChainProxy] - /j_acegi_security_check at position 1 of 5 in additional filter chain; firing Filter: '[email protected]b81c'
              2006-09-10 15:51:39,859 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and set to SecurityContextHolder: 'org.acegisecurity.context.SecurityContextImpl@ffffffff: Null authentication'
              2006-09-10 15:51:39,869 DEBUG [org.acegisecurity.util.FilterChainProxy] - /j_acegi_security_check at position 2 of 5 in additional filter chain; firing Filter: '[email protected]'
              2006-09-10 15:51:39,869 DEBUG [org.acegisecurity.ui.webapp.AuthenticationProcessingFilter] - Request is to process authentication
              2006-09-10 15:51:39,869 DEBUG [org.acegisecurity.providers.ProviderManager] - Authentication attempt using be.eltrovo.ePublisher.business.users.EPublisherAuthenticationProvider
              2006-09-10 15:51:41,932 DEBUG [org.acegisecurity.ui.webapp.AuthenticationProcessingFilter] - Updated SecurityContextHolder to contain null Authentication
              2006-09-10 15:51:41,932 DEBUG [org.acegisecurity.ui.webapp.AuthenticationProcessingFilter] - Authentication request failed: org.acegisecurity.LockedException: User account is locked
              2006-09-10 15:51:41,932 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - SecurityContextHolder set to new context, as request processing completed
              Last edited by Jurgen; Sep 11th, 2006, 04:34 AM.



              • #8
                Strange that your interceptor first logs the existence of an anonymous authentication followed by a null authentication. What does your interceptor do, actually?

                Besides that, there seems to be an issue with the used credentials as the account seems to be locked.

                Regards,
                Andreas



                • #9
                  infinite loop

                  Hey,

                  well the interceptor just contains a logger statement and a call to super(blahblah). The thing is, in the retrieveUser function I do everything, and I pass a valid userDetails Object, with a grantedAuthority. After that for some reason the LockedException occurs, and beats me why, because the user credentials and password are more than ok.

                  regards,

                  J.



                  • #10
                    What does your daoAuthenticationProvider bean look like? Eventually you should get an instance implementing UserDetails. Usually that's a User object. On construction this takes a flag concerning the locking of the account. Perhaps you might have a look at that.

                    Regards,
                    Andreas

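The flag Andreas refers to is the accountNonLocked argument of org.acegisecurity.userdetails.User, and it is expressed negatively, so a user table that stores "locked" has to be negated when the UserDetails is built. The following is an added illustration written for this thread, not code from Acegi or from the poster's project: UserRow is a constructed stand-in for the application's user record, and preAuthenticationChecks mirrors the status checks Acegi's provider applies before it compares the password, which is why a wrong flag produces "User account is locked" even when the credentials are right, as the log in post #7 shows.

```java
import org.acegisecurity.AccountExpiredException;
import org.acegisecurity.DisabledException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.LockedException;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;

/** Added illustration of the accountNonLocked flag; not part of Acegi or the thread's project. */
public class LockedFlagCheck {

    /** Constructed user record: "locked" is stored positively, as many schemas do. */
    static class UserRow {
        final String username;
        final String passwordHash;
        final boolean locked;
        final boolean enabled;

        UserRow(String username, String passwordHash, boolean locked, boolean enabled) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.locked = locked;
            this.enabled = enabled;
        }
    }

    /** Correct mapping: the constructor expects accountNonLocked, so the stored flag is negated. */
    static UserDetails toUserDetails(UserRow row) {
        GrantedAuthority[] authorities = { new GrantedAuthorityImpl("ROLE_USER") };
        return new User(row.username, row.passwordHash,
            row.enabled,   // enabled
            true,          // accountNonExpired
            true,          // credentialsNonExpired
            !row.locked,   // accountNonLocked
            authorities);
    }

    /** Inverted mapping: passing the stored flag straight through marks every unlocked row as locked. */
    static UserDetails toUserDetailsInverted(UserRow row) {
        GrantedAuthority[] authorities = { new GrantedAuthorityImpl("ROLE_USER") };
        return new User(row.username, row.passwordHash,
            row.enabled,
            true,
            true,
            row.locked,    // wrong sign: locked=false becomes accountNonLocked=false
            authorities);
    }

    /** Status checks in the order the provider runs them, ahead of the password comparison. */
    static void preAuthenticationChecks(UserDetails user) {
        if (!user.isAccountNonLocked()) {
            throw new LockedException("User account is locked");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("User is disabled");
        }
        if (!user.isAccountNonExpired()) {
            throw new AccountExpiredException("User account has expired");
        }
    }

    public static void main(String[] args) {
        UserRow row = new UserRow("jurgen", "{password-hash-placeholder}", false, true); // not locked, enabled
        try {
            preAuthenticationChecks(toUserDetailsInverted(row));
            System.out.println("inverted mapping: passed");
        } catch (LockedException e) {
            System.out.println("inverted mapping: " + e.getMessage());
        }
        preAuthenticationChecks(toUserDetails(row));
        System.out.println("correct mapping: passed");
    }
}
```

When reviewing a custom retrieveUser or UserDetailsService, compare each boolean passed to the User constructor against the column it came from; the four flags are positional and three of them are "non-" conditions, so a single un-negated "locked" or "expired" column locks out every valid account before its password is ever checked.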


                    • #11
                      Andreas,

                      I've debugged a bit, and changed a few things, and now it all works.
                      Thx for the support.

                      regards,

                      Jürgen
