
  • Acegi Programmatic Authentication

    Hi all (first post),

    Sorry if this is a rehash of a common issue but I'm not finding any good answers in the archives.

    I've got a Hibernate/Spring/SpringMVC setup using Acegi for authentication.

    So far the 'login' scenario is fine - Acegi is correctly granting/denying access to users based upon their credentials. Now I also have a registration flow during which I add the user's creds to the database and then attempt to do programmatic Acegi authentication of the user. I'm doing the following to no avail:

    Authentication auth;
    GrantedAuthority[] ga = {new GrantedAuthorityImpl("ROLE_USER")};
    auth = new UsernamePasswordAuthenticationToken(user.getEmail(), user.getPassword(), ga);
    SecurityContextHolder.getContext().setAuthentication(auth);

    That is, when I try to access protected resources after registration, I'm still redirected to the login page, when instead I would expect to have already been programmatically authenticated. Any tips on where to look next?

    When trying to access the protected resource the log displays:

    2007-02-15 12:59:56,015 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new SecurityContext instance associated with SecurityContextHolder

    There is no HTTPS/HTTP switching going on BTW.

    Thanks, Daniel.
    Last edited by danieljsanders; Feb 15th, 2007, 03:11 PM.

  • #2
    There are quite a few threads on programmatic authentication already, it might be worth doing a search. A few questions. Is the email address used as the username? The code looks ok. I would guess the problem is the Authentication isn't getting put into the session. Wouldn't it be easier after registration to simply post to the authentication filter just like the login.jsp page does in the tutorial example? I would have thought this would be quite neat. Otherwise, is it possible to up the logging to see what is going on?


    • #3
      Hi Karl, thanks.

      >>Is the email address used as the username?



      • #4
        Hi again Karl,

        Well I started looking thru the Acegi source code and then decided to try this in my controller:

        request.getSession().setAttribute("ACEGI_SECURITY_CONTEXT", context);

        ...and it indeed causes the security context to be retained in the session and the functionality appears correct - after registration the user remains 'authenticated'.

        So it appears that previously the context was not being set into the session as an attribute. Authentication was being set on the context, but context was not being put into the Http Session - now it is - explicitly in my controller code. Is this a no-no?

        My next question is 'What actually causes the SecurityContext to be saved in the session?' So I can work out why that's not happening and remove my 'bad' code...

        Thanks, Daniel.
        Last edited by danieljsanders; Feb 15th, 2007, 08:33 PM.


        • #5
          I think HttpSessionContextIntegrationFilter is what you're after.


          • #6
            Thanks Karl. I do have the following in the Acegi config file, I'm not entirely clear on what I've done wrong here...

            <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
            /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
            Last edited by danieljsanders; Feb 16th, 2007, 12:20 PM.
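
A simplified plain-Java model of the load-and-store cycle that posts #4 and #5 discuss, added here as an illustration and not taken from the thread or from the Acegi source. The class and method names are hypothetical; only the `ACEGI_SECURITY_CONTEXT` attribute name comes from the log line in post #1, and the model assumes the filter always writes the context back at the end of a request.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: plain-Java model of the filter's load/store cycle. No Acegi classes are used.
public class ContextIntegrationModel {
    static class Context { String principal; }              // stand-in for SecurityContext
    // Session attribute name, taken from the log line in post #1.
    static final String KEY = "ACEGI_SECURITY_CONTEXT";
    // Stand-in for SecurityContextHolder: one context bound to the request thread.
    static final ThreadLocal<Context> HOLDER = new ThreadLocal<>();

    // Modelled behaviour of the integration filter around a request that is mapped to it.
    static void throughFilter(Map<String, Object> session, Runnable restOfChain) {
        Context ctx = (Context) session.get(KEY);
        if (ctx == null) ctx = new Context();                // nothing stored yet: start with an empty context
        HOLDER.set(ctx);
        try {
            restOfChain.run();                               // controller code may set an authentication here
        } finally {
            session.put(KEY, HOLDER.get());                  // assumption: always written back for the next request
            HOLDER.remove();                                 // the thread-bound copy does not outlive the request
        }
    }

    // A request handled without the filter: nothing loads the context, nothing stores it.
    static void outsideFilter(Runnable controller) {
        HOLDER.set(new Context());
        try { controller.run(); } finally { HOLDER.remove(); }
    }

    // Principal that a later, filtered request finds in the session (null if none was stored).
    static String principalOnNextRequest(Map<String, Object> session) {
        String[] seen = new String[1];
        throughFilter(session, () -> seen[0] = HOLDER.get().principal);
        return seen[0];
    }

    public static void main(String[] args) {
        // Constructed sample: the registration step authenticates a made-up user.
        Runnable register = () -> HOLDER.get().principal = "new.user@example.test";
        Map<String, Object> sessionA = new HashMap<>();
        throughFilter(sessionA, register);
        System.out.println("registered inside the filter:  " + principalOnNextRequest(sessionA));
        Map<String, Object> sessionB = new HashMap<>();
        outsideFilter(register);
        System.out.println("registered outside the filter: " + principalOnNextRequest(sessionB));
    }
}
```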