  • Using Acegi

    Hi All

    I've been working on re-vamping my final year project using Spring. I'm now looking into security and thought about using Acegi for securing the application.

    The project is broken into two "components". Component 1 contains a layered module that connects to a database and contains the service layer for clients to use. The second part is the web component. Now the question I have (probably more of an architectural question, I think) is: do I place the Acegi stuff in component 1, or do I create the bean definitions in the web part?

    Not sure if that made sense...please let me know if you need more info.


    Thanks

  • #2
    Personally I think you need both. FilterSecurityInterceptor for the web tier and MethodSecurityInterceptor for the service layer. If you have any more details on what you are trying to do, post back and I'll try and help some more.
    http://acegisecurity.org/multiprojec...terceptor.html

    • #3
      Hi there! Thanks for getting back to me. Basically here is what i am trying to do:

      Use Acegi to authenticate users into the web application. There is a login page and I want to make sure that the person who is trying to access the application has permission. I'm not sure I can set the authentication levels in Acegi; for example, there are only certain members who can create, update and delete asset details. Now do I set access on the URL level, e.g. restrict access using filters based on the URL (createAsset.do), or do I set it up on the method invocation level, which would mean that it would reside on the backend component level?

      You mentioned that I should apply it to both parts, but if I apply it to the model component then does it mean I would need to set something up in the web part?


      Not sure if that helps, but i can give more info.

      Thanks

      • #4
        Have you had a look at the acegi-security-sample-tutorial example that ships with Acegi? This already covers the logon and URL securing you are after. So this covers your basic /secureURL.do style security. If you also declare method based security on your service layer then this covers all aspects of it.
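        The method-level half of what #2 and #4 describe, as an added example (not code from the thread or from the Acegi sample): a MethodSecurityInterceptor guarding the service layer in component 1, reusing the web tier's authenticationManager and accessDecisionManager beans. The bean name assetService, the interface com.example.asset.AssetService and its methods are assumed for the illustration.

        ```xml
        <!-- The service bean from component 1 (class and bean name assumed for this example). -->
        <bean id="assetService" class="com.example.asset.AssetServiceImpl"/>

        <!-- Checks every invocation that reaches it against the attributes below.
             Methods with no attribute are treated as public and allowed through, so
             list every method that must be restricted. -->
        <bean id="assetSecurityInterceptor"
              class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
            <property name="authenticationManager" ref="authenticationManager"/>
            <!-- Same RoleVoter-based decision manager the FilterSecurityInterceptor uses
                 (bean name assumed to match the web-tier configuration). -->
            <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
            <!-- Fail at startup if an attribute is not understood by any voter. -->
            <property name="validateConfigAttributes" value="true"/>
            <property name="objectDefinitionSource">
                <value>
                    com.example.asset.AssetService.createAsset=ROLE_ADMIN
                    com.example.asset.AssetService.updateAsset=ROLE_ADMIN
                    com.example.asset.AssetService.deleteAsset=ROLE_ADMIN
                    com.example.asset.AssetService.find*=ROLE_USER,ROLE_ADMIN
                </value>
            </property>
        </bean>

        <!-- Wraps assetService in a proxy so the interceptor runs on every call,
             whether it comes from createAsset.do or from any other client of component 1. -->
        <bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
            <property name="interceptorNames">
                <list><value>assetSecurityInterceptor</value></list>
            </property>
            <property name="beanNames">
                <list><value>assetService</value></list>
            </property>
        </bean>
        ```

        The URL rules in the web tier still decide which pages a user can reach; this interceptor makes sure a ROLE_USER caller cannot invoke createAsset even if a URL rule is missing or bypassed.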

        • #5
          Hi there

          I'll have a look. I was wondering if you could help with something. I have implemented form based authentication using the example that is provided in the Acegi documentation. I have used:

          Code:
          <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
            <property name="authenticationManager"><ref bean="authenticationManager"/></property>
            <property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property>
            <property name="defaultTargetUrl"><value>/</value></property>
            <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
          </bean>
          My question is: when the user has logged in, is there a way to specify where to take the user? Do I need to specify it in the defaultTargetUrl, or is that for something else?

          My form action points to j_acegi_security_check. I presume that is correct. I couldn't find a section that said when login successful take the user to the desired location.

          Thanks again!

          • #6
            Hi again

            Not sure if this has been covered. But when the user first logs in, I want him/her to be taken to the main menu page. But when the session expires, the login page needs to be displayed. When the user logs in again, he/she needs to be taken to the original place where they came from. If I put mainmenu.do in the defaultUrl definition, will the user always be taken to the main menu?

            Apologies if this has been discussed, but I couldn't find a response.

            Thanks

            • #7
              Originally posted by amin:
              Hi there

              My question is that when the user has logged in is there a way to specify where to take the user? Do i need to specify it in the defaultTargetUrl? or is that for something else?
              Please try to make use of the online documentation. For example, searching for "defaultTargetUrl acegi" in Google would take you here:

              http://acegisecurity.org/multiprojec...ingFilter.html

              which would answer this question immediately, as well as giving you information on how to specify that you always want to go to a particular URL. Searching the forum for defaultTargetUrl will also give you a lot of different discussions on the use of this property.
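              For the redirect behaviour asked about in #6, an added configuration example (not from the thread or the Acegi docs) showing how defaultTargetUrl and alwaysUseDefaultTargetUrl combine; /mainmenu.do is an assumed page name and authenticationManager the bean already declared.

              ```xml
              <bean id="authenticationProcessingFilter"
                    class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
                  <property name="authenticationManager" ref="authenticationManager"/>
                  <!-- The login form must POST to this URL for the filter to process it. -->
                  <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
                  <property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
                  <!-- Used only when no protected request was saved before the login page was
                       shown, i.e. the user went straight to the login form: send them to the menu. -->
                  <property name="defaultTargetUrl" value="/mainmenu.do"/>
                  <!-- false (the default): a user who was sent to the login page by
                       ExceptionTranslationFilter, for example after the session expired while
                       on /secure/test.jsp, is returned to that saved request after logging in.
                       true: every successful login goes to defaultTargetUrl instead. -->
                  <property name="alwaysUseDefaultTargetUrl" value="false"/>
              </bean>
              ```

              The saved request exists only when the protected page is behind the filter chain, so a secured URL that bypasses the FilterChainProxy mapping in web.xml will always fall back to defaultTargetUrl.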

              • #8
                As for the session timeout aspect I would have thought that would be handled for you.

                • #9
                  I set the session timeout in the web.xml for 3 mins but nothing happened. I refreshed the page and got the same page. Didn't get the login page. Going to search the web now...

                  • #10
                    The other thing I noticed was that I had set up a resource to have the following:

                    /secure/test.jsp=ROLE_ADMIN

                    And in the user details I had set up

                    aminmoco=password,ROLE_USER


                    The login component works fine, so if I enter an incorrect username and password then I am directed back to the login page with an error message being displayed. The problem is that I get through the login page to the test.jsp, but that's not right, as my access control is ROLE_USER, not ROLE_ADMIN. I've been using the examples from the Acegi sample war and the configuration files are pretty much the same, e.g. they have the necessary bean definitions.

                    Not sure what I'm doing wrong. I'll post my applicationContext.xml file when I get home; currently at work.

                    Thanks
                    Amin

                    • #11
                      It would be a good idea for you to diff the original example with what you have. It can be hard to look at the configuration and see what's wrong.

                      • #12
                        I'll do that. Here it is anyway; maybe something that I missed will stick out for others:

                        Code:
                        <?xml version="1.0" encoding="UTF-8"?>
                        <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
                            "http://www.springframework.org/dtd/spring-beans.dtd">

                        <beans>

                            <!-- In-memory user store: a single user holding ROLE_USER only -->
                            <bean id="memoryAuthenticationDao" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
                                <property name="userMap">
                                    <value>
                                        aminmoco=ordeal,ROLE_USER
                                    </value>
                                </property>
                            </bean>

                            <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
                                <property name="providers">
                                    <list>
                                        <ref local="daoAuthenticationProvider"/>
                                    </list>
                                </property>
                            </bean>

                            <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
                                <property name="userDetailsService"><ref bean="memoryAuthenticationDao"/></property>
                            </bean>

                            <!-- Filter chain in the order the Acegi reference documents: session
                                 integration, authentication processing, request wrapper, exception
                                 translation, then the security interceptor. Filter names are
                                 comma-separated with no whitespace so each resolves to a bean id. -->
                            <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
                                <property name="filterInvocationDefinitionSource">
                                    <value><![CDATA[
                                    PATTERN_TYPE_APACHE_ANT
                                    /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor
                                    ]]></value>
                                </property>
                            </bean>

                            <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>

                            <!-- Sends unauthenticated users to the login form (saving the requested URL)
                                 and authenticated-but-unauthorised users to the access denied page -->
                            <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
                                <property name="authenticationEntryPoint">
                                    <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
                                        <property name="loginFormUrl">
                                            <value>/login.do</value>
                                        </property>
                                        <property name="forceHttps">
                                            <value>true</value>
                                        </property>
                                    </bean>
                                </property>
                                <property name="accessDeniedHandler">
                                    <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
                                        <property name="errorPage" value="/login.do?login_error=1"/>
                                    </bean>
                                </property>
                            </bean>

                            <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

                            <!-- Grants access if any voter grants; a ROLE_USER principal has no ROLE_ADMIN
                                 authority, so the RoleVoter denies /secure/test.jsp -->
                            <bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
                                <property name="allowIfAllAbstainDecisions"><value>false</value></property>
                                <property name="decisionVoters">
                                    <list>
                                        <ref bean="roleVoter"/>
                                        <ref bean="authenticatedVoter"/>
                                    </list>
                                </property>
                            </bean>

                            <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>
                            <bean id="authenticatedVoter" class="org.acegisecurity.vote.AuthenticatedVoter"/>

                            <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
                                <property name="authenticationManager" ref="authenticationManager"/>
                                <property name="accessDecisionManager">
                                    <ref bean="httpRequestAccessDecisionManager"/>
                                </property>
                                <property name="objectDefinitionSource">
                                    <value>
                                        <![CDATA[
                                        PATTERN_TYPE_APACHE_ANT
                                        /secure/test.jsp=ROLE_ADMIN
                                        ]]>
                                    </value>
                                </property>
                            </bean>

                            <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
                                <property name="authenticationManager"><ref bean="authenticationManager"/></property>
                                <property name="authenticationFailureUrl"><value>/login.do?login_error=1</value></property>
                                <property name="defaultTargetUrl"><value>/secure/test.jsp</value></property>
                                <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
                            </bean>

                        </beans>
                        Thanks again.

                        • #13
                          tutorial

                          hi members
                          Please, where can I get the "acegi-security-sample-tutorial"? I don't find it in http://www.acegisecurity.org.

                          AMIN, can you list the ACTION of your "login.jsp" form and the equivalent mapping in web.xml to be intercepted by "authenticationProcessingFilter"?

                          Thanks
                          Last edited by badi007; Mar 15th, 2007, 04:19 AM.

                          • #14
                            Hi

                            I used the debug.jsp that is a part of the tutorial and it seems as though the authentication object is null. The debug page is really helpful. The login page logs me in but does not set up the access control. I'm gonna look into this further.

                            For the tutorial, it comes as a war file. I'm deploying my app on JBoss so I can see the expanded version in the tmp/deploy directory. I've been using the context file provided with the example.

                            This is becoming a blog!

                            • #15
                              Hi Badi007

                              The action for my login page is j_acegi_check. I'm currently at work so I can't remember what the entry is in the web.xml. I can post it later when I get home. Otherwise I've been using the sample tutorial web.xml file from the Acegi site. Have you found the tutorial?
