
  • Cannot set up a custom Access Denied error page using X509 Authentication

    Hello Everybody!

    First of all, thank you for this great project. It's worth its fame and it's really really useful. And now the "please please help me" stuff.

    I am developing an application that needs to validate users using X509 certificates but also allows users without a certificate to perform certain actions. The problem is that I cannot make Acegi show me a personalized 403 page. No matter what I put in the exceptionTranslationFilter, it keeps showing me the Tomcat 403 page.

    Here's my applicationContext-acegi-security.xml:

    Code:
    <beans>
    	
    	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
          	<property name="filterInvocationDefinitionSource">
             	<value>
    		    	CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    		    	PATTERN_TYPE_APACHE_ANT
                	/**=channelProcessingFilter,httpSessionContextIntegrationFilter,x509ProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
             	</value>
          	</property>
        </bean>
    	
    	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
          	<property name="providers">
             	<list>
    		    	<ref local="x509AuthenticationProvider"/>
    		    	<ref local="anonymousAuthenticationProvider"/>
             	</list>
    		</property>
       	</bean>
    
    	<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
    	</bean>
    
    	<bean id="x509AuthenticationProvider" class="org.acegisecurity.providers.x509.X509AuthenticationProvider">
    		<property name="x509AuthoritiesPopulator"><ref local="x509AuthoritiesPopulator"/></property>
            <property name="x509UserCache"><ref local="x509UserCache"/></property>
    	</bean>
    	
    	<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
    	
    	<bean id="x509UserCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
           	<property name="cacheManager">
              	<ref local="cacheManager"/>
           	</property>
           	<property name="cacheName">
              	<value>x509Cache</value>
           	</property>
        </bean>
    
    	<bean id="x509UserCache" class="org.acegisecurity.providers.x509.cache.EhCacheBasedX509UserCache">
          	<property name="cache"><ref local="x509UserCacheBackend"/></property>
    	</bean>
    	
    	<bean id="x509AuthoritiesPopulator" class="org.acegisecurity.providers.x509.populator.DaoX509AuthoritiesPopulator">
    			<property name="userDetailsService"><ref local="inMemoryDaoImpl"/></property>
          <!--  <property name="subjectDNRegex"><value>emailAddress=(.*?),</value></property> -->
    	</bean>
    	
    	<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    		<property name="key"><value>foobar</value></property>
    		<property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
    	</bean>
    	
    	<bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    		<property name="key"><value>foobar</value></property>
    	</bean>
    	
    	<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    		<property name="userMap">
    			<value>
    				administrator,ROLE_ADMIN
    			</value>
    		</property>
    	</bean>
    	
    	<!-- ===================== HTTP CHANNEL REQUIREMENTS ==================== -->
    	
    	<bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
    		<property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
     		<property name="filterInvocationDefinitionSource">
    			<value>
    			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				\A.*\Z=REQUIRES_SECURE_CHANNEL
    			</value>
    		</property>
    	</bean>
    	
    	<bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
    	    <property name="channelProcessors">
          		<list>
     	        	<ref local="secureChannelProcessor"/>
            		<ref local="insecureChannelProcessor"/>
         		</list>
    	    </property>
    	</bean>
    
    	<bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
    	<bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>
    
    	<!-- ===================== HTTP REQUEST SECURITY ==================== -->
    	
    	<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint"><ref local="x509ProcessingFilterEntryPoint"/></property>
    		<property name="accessDeniedHandler">
        		<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
          			<property name="errorPage" value="/accessDenied.jsp"/>
        		</bean>
      		</property>
    	</bean>
    
    	<bean id="x509ProcessingFilter" class="org.acegisecurity.ui.x509.X509ProcessingFilter">
    		<property name="authenticationManager"><ref local="authenticationManager"/></property>
    	</bean>
    
    	<bean id="x509ProcessingFilterEntryPoint" class="org.acegisecurity.ui.x509.X509ProcessingFilterEntryPoint">
    	</bean>
    
    	<bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
       		<property name="allowIfAllAbstainDecisions"><value>false</value></property>
    		<property name="decisionVoters">
    			<list>
    		    	<ref bean="roleVoter"/>
    		  	</list>
    		</property>
    	</bean>
    	
    	<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>
    	
    	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        	<property name="authenticationManager"><ref local="authenticationManager"/></property>
        	<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
     		<property name="objectDefinitionSource">
    			<value>
    			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				\A/index.jsp\Z=ROLE_ADMIN
    				\A/accessDenied.jsp\Z=ROLE_ANONYMOUS
    			</value>
    		</property>
    	</bean>
    	
    </beans>
    Maybe I am doing stupid things, but I am really really new to Acegi and although I have read the Reference guide I do not know if there is something wrong...

    Thanks in advance

  • #2
    If you want to supply a custom error page you can simply do this in the web.xml.
    http://wiki.metawerx.net/Wiki.jsp?pa....xml.ErrorCode



    • #3
      Hi!

      Thanks for the info, but I tried this before and it's not the most suitable solution because I am using sitemesh to decorate the pages and this page needs to be decorated also and using this technique I cannot decorate it. Is this the only way to do it?

      Thanks



      • #4
        Solved!

        It was a problem with the configuration of Sitemesh. Thanks for everything!



        • #5
          Not a problem, you beat me to the answer. Glad you got it working!



          • #6
            Another question (I know I should open a new thread but if you know it, it will be quickly done)

            I cannot get the user using the InMemoryDao although in the certificate I send the CN is the username I put in the userMap... do you know what can be wrong? I mean it always authenticates me as an anonymous user



            • #7
              Any chance you could post your solution to the original problem as another user emailed me to see how you solved it.



              • #8
                Hi!

                This is how you enable sitemesh for the error pages. You have to configure the filter-mapping of sitemesh in the web.xml file this way.

                Code:
                <filter-mapping>
                	<filter-name>sitemesh</filter-name>
                	<url-pattern>/*</url-pattern>
                	<dispatcher>REQUEST</dispatcher>
                	<dispatcher>FORWARD</dispatcher>
                	<dispatcher>ERROR</dispatcher>
                </filter-mapping>
                Also, you have to add the error-page configuration you told me about to the web.xml file and add this line to the top of the error page:

                Code:
                <%@ page isErrorPage="true" %>
                Also, the other problem I had is solved too.

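The pieces described in post #8, put together as one web.xml. This is an added example, not part of the original thread: the Servlet 2.4 header, the SiteMesh filter class and the 403 `<error-page>` entry are assumptions, and `/accessDenied.jsp` is the page named in the first post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example. The <dispatcher> element needs the Servlet 2.4
     schema; it is not available with the 2.3 DTD. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Assumed SiteMesh 2.x filter declaration -->
  <filter>
    <filter-name>sitemesh</filter-name>
    <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
  </filter>

  <!-- A mapping with no <dispatcher> elements applies to REQUEST only, so the
       container's internal dispatch to the error page skips the decorator.
       Listing FORWARD and ERROR makes the filter run for those dispatches too. -->
  <filter-mapping>
    <filter-name>sitemesh</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>

  <!-- Container-level mapping for HTTP 403. The target JSP starts with the
       isErrorPage directive quoted in the post. -->
  <error-page>
    <error-code>403</error-code>
    <location>/accessDenied.jsp</location>
  </error-page>

</web-app>
```

Any security filter mapped without `<dispatcher>` elements likewise runs on REQUEST only, so it does not re-check the ERROR dispatch to the 403 page; keep that page free of content that depends on such a check.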


                • #9
                  Any chance you could give the solution to that as well. I'd sooner not get more emails about that as well.



                  • #10
                    Well, to solve that I made another UserDetailsService of my own using Hibernate because the project needs it. The InMemoryDaoImpl was used only to test if DaoX509AuthoritiesPopulator worked (and it works). So really, I did not solve the problem, I took a different approach.
