  • Role Problem

    There are three groups in my Active Directory with some users:
    GroupAaa: usera
    GroupBbb: userb
    GroupCcc: userc

    In my descriptor springapp-servlet.xml, I set
    Code:
    	<bean id="filterSecurityInterceptor"
    		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="accessDecisionManager">
    			<ref bean="accessDecisionManager" />
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/*.do=ROLE_GROUPAAA
    			</value>
    		</property>
    	</bean>
    Everything works very well for the user usera.

    However, when I set
    Code:
    	<bean id="filterSecurityInterceptor"
    		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="accessDecisionManager">
    			<ref bean="accessDecisionManager" />
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/*.do=ROLE_GROUPAAA,ROLE_GROUPBBB,ROLE_GROUPCCC
    			</value>
    		</property>
    	</bean>
    My login (usera) is successful (I pass the login page). But then, when it goes on to the next page (MainPage.do) or any other page, the result is Access Denied.

    I found the following error in my log:
    Code:
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] - Chain processed normally
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - HttpSession is null, but SecurityContextHolder has not changed from default: ' org.acegisecurity.context.SecurityContextImpl@ffffffff: Null authentication'; not creating HttpSession or storing SecurityContextHolder contents
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - SecurityContextHolder set to new context, as request processing completed
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Converted URL to lowercase, from: '/MainPage.do'; to: '/MainPage.do'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/MainPage.do'; pattern is /**; matched=true
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.util.FilterChainProxy] - /MainPage.do at position 1 of 4 in additional filter chain; firing Filter: '[email protected]1d8'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - No HttpSession currently exists - new SecurityContext instance associated with SecurityContextHolder
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.util.FilterChainProxy] - /MainPage.do at position 2 of 4 in additional filter chain; firing Filter: '[email protected]3'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.util.FilterChainProxy] - /MainPage.do at position 3 of 4 in additional filter chain; firing Filter: 'org.acegisecurity.ui.ExceptionTranslationFilter@1e8032c'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.util.FilterChainProxy] - /MainPage.do at position 4 of 4 in additional filter chain; firing Filter: '[email protected]'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Converted URL to lowercase, from: '/MainPage.do'; to: '/MainPage.do'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/MainPage.do'; pattern is /*.do; matched=true
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.AbstractSecurityInterceptor] - Secure object: FilterInvocation: URL: /MainPage.do; ConfigAttributes: [ROLE_GROUPAAA, ROLE_GROUPBBB, ROLE_GROUPCCC]
    2007-03-20 16:35:00,971 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] - Authentication exception occurred; redirecting to authentication entry point
    org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    	at org.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:339)
    	at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
    	at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:104)
    	at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72)
    	at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    	at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110)
    	at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:217)
    	at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229)
    	at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    	at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148)
    	at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    	at org.apache.geronimo.tomcat.valve.DefaultSubjectValve.invoke(DefaultSubjectValve.java:56)
    	at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:342)
    	at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:31)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
    	at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
    	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:869)
    	at java.lang.Thread.run(Thread.java:595)
    What's wrong with my ACEGI configuration? Please help.

  • #2
    I don't think this is anything to do with the ROLE configuration. It seems the Authentication information isn't there when it's checked. I would have a look at the examples that ship with Acegi and compare your configuration. These kinds of problems are usually related to filters.

    • #3
      I mainly follow the code shown in http://documentation.wikia.com/wiki/AcegiMsad

      Above the suggested code, I also add:
      Code:
      	<!-- ****** START ACEGI Security Configuration *******-->
      	<!-- ======================== FILTER CHAIN ======================= -->
      
      	<!--  if you wish to use channel security, add "channelProcessingFilter," in front
      		of "httpSessionContextIntegrationFilter" in the list below -->
      	<bean id="filterChainProxy"
      		class="org.acegisecurity.util.FilterChainProxy">
      		<property name="filterInvocationDefinitionSource">
      			<value>
      				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      				PATTERN_TYPE_APACHE_ANT
      				/**=httpSessionContextIntegrationFilter,formAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
      			</value>
      		</property>
      	</bean>
      
      	<!-- Start Security filter config -->
      	<bean id="exceptionTranslationFilter"
      		class="org.acegisecurity.ui.ExceptionTranslationFilter">
      		<property name="authenticationEntryPoint">
      			<ref bean="formLoginAuthenticationEntryPoint" />
      		</property>
      	</bean>
      
      	<!-- Define filter to handle BASIC authentication -->
      	<bean id="basicProcessingFilter"
      		class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
      		<property name="authenticationManager">
      			<ref bean="authenticationManager" />
      		</property>
      		<property name="authenticationEntryPoint">
      			<ref bean="authenticationEntryPoint" />
      		</property>
      	</bean>
      
      	<!-- Define realm for BASIC login-->
      	<bean id="authenticationEntryPoint"
      		class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
      		<property name="realmName">
      			<value>Spring Web Realm</value>
      		</property>
      	</bean>
      
      	<!-- Define filter to handle FORM authentication -->
      	<bean id="formAuthenticationProcessingFilter"
      		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
      		<property name="filterProcessesUrl">
      			<value>/j_acegi_security_check</value>
      		</property>
      		<property name="authenticationFailureUrl">
      			<value>/login.jsp?error=-00001</value>
      		</property>
      		<property name="defaultTargetUrl">
      			<value>/</value>
      		</property>
      		<property name="authenticationManager">
      			<ref bean="authenticationManager" />
      		</property>
      	</bean>
      
      	<!-- Define realm for FORM login-->
      	<bean id="formLoginAuthenticationEntryPoint"
      		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      		<property name="loginFormUrl">
      			<value>/login.jsp</value>
      		</property>
      		<property name="forceHttps">
      			<value>false</value>
      		</property>
      	</bean>
      
      	<bean id="httpSessionContextIntegrationFilter"
      		class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
      	</bean>
      	<!-- End Security filter config -->
      
      	<!-- Start Security interceptor config -->
      	<!-- Define authentication manager, decision manager and secure URL patterns -->
      	<bean id="filterSecurityInterceptor"
      		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
      		<property name="authenticationManager">
      			<ref bean="authenticationManager" />
      		</property>
      		<property name="accessDecisionManager">
      			<ref bean="accessDecisionManager" />
      		</property>
      		<property name="objectDefinitionSource">
      			<value>
      				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      				PATTERN_TYPE_APACHE_ANT 
      				/*.do=ROLE_USER
      			</value>
      		</property>
      	</bean>
      	<!-- End Security interceptor config -->
      
      	<!-- Start authentication config -->
      	<bean id="authenticationManager"
      		class="org.acegisecurity.providers.ProviderManager">
      		<property name="providers">
      			<list>
      				<ref bean="authenticationProvider" />
      			</list>
      		</property>
      	</bean>
      
      	<!-- End authentication config -->
      
      	<!-- Start authorization config -->
      	<bean id="accessDecisionManager"
      		class="org.acegisecurity.vote.UnanimousBased">
      		<property name="decisionVoters">
      			<list>
      				<ref bean="roleVoter" />
      			</list>
      		</property>
      	</bean>
      
      	<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
      		<property name="rolePrefix">
      			<value>ROLE_</value>
      		</property>
      	</bean>
      	<!-- End authorization config -->
      And my web.xml contains:
      Code:
      <!-- 
      	 - ACEGI Security Configuration
      	 -->
      	<filter>
      		<filter-name>Acegi Filter Chain Proxy</filter-name>
      		<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
      		<init-param>
      			<param-name>targetBean</param-name>
      			<param-value>filterChainProxy</param-value>
      		</init-param>
      	</filter>
      	<filter-mapping>
      		<filter-name>Acegi Filter Chain Proxy</filter-name>
      		<url-pattern>/*</url-pattern>
      	</filter-mapping>
      Is the above related code related to the problem? What's wrong? Thanks.

      • #4
        Thanks for your advice. I got the solution. The key is in the bean accessDecisionManager.

        I used UnanimousBased (all roles must be fulfilled), so access was denied.
        Then I turned to AffirmativeBased (any role is fulfilled), so access is allowed.

        • #5
          I'm glad it's sorted but I'm confused why that change made it work. It didn't seem related to that at all.

          • #6
            When the previous voting method is used and usera accesses an object that is set for GroupAaa, GroupBbb, GroupCcc:
            usera belongs to GroupAaa but not to GroupBbb or GroupCcc, so usera is rejected.
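Posts #4 and #6 above describe why the two decision managers give different answers for the same user. The Python model below is an added example, not code from this thread or from Acegi itself; it reproduces the voting logic of Acegi 1.0's RoleVoter, UnanimousBased and AffirmativeBased as documented for that release: UnanimousBased polls each ConfigAttribute of the secured URL on its own (so one ROLE_ attribute the principal lacks produces a deny vote, and any deny loses), while AffirmativeBased hands the whole attribute set to each voter and stops at the first grant. The authorities for usera and the objectDefinitionSource lines are constructed from the thread, and allowIfAllAbstainDecisions defaults to false as in AbstractAccessDecisionManager; the helper names are this example's own.

```python
"""Model of Acegi 1.0 access-decision voting (added example, not Acegi code)."""

# Mirrors AccessDecisionVoter.ACCESS_GRANTED / ACCESS_ABSTAIN / ACCESS_DENIED.
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1


def parse_object_definition_line(line):
    """Split one objectDefinitionSource entry such as
    '/*.do=ROLE_GROUPAAA,ROLE_GROUPBBB' into (url_pattern, [attributes])."""
    pattern, _, attrs = line.strip().partition("=")
    return pattern, [a.strip() for a in attrs.split(",") if a.strip()]


def role_voter_vote(authorities, config_attributes, role_prefix="ROLE_"):
    """Mirror RoleVoter.vote(): abstain unless some attribute carries the
    role prefix; once one does, the default is DENIED, and any attribute that
    equals one of the principal's granted authorities turns it into GRANTED."""
    result = ACCESS_ABSTAIN
    for attr in config_attributes:
        if not attr.startswith(role_prefix):
            continue
        result = ACCESS_DENIED
        if attr in authorities:
            return ACCESS_GRANTED
    return result


def unanimous_based_decide(voters, authorities, config_attributes,
                           allow_if_all_abstain=False):
    """Mirror UnanimousBased.decide(): each attribute is voted on by itself,
    so one ROLE_ attribute the principal lacks is a deny, and any deny loses."""
    grants = denies = 0
    for attr in config_attributes:
        for voter in voters:
            vote = voter(authorities, [attr])
            if vote == ACCESS_GRANTED:
                grants += 1
            elif vote == ACCESS_DENIED:
                denies += 1
    if denies > 0:
        return False
    if grants > 0:
        return True
    return allow_if_all_abstain  # every voter abstained on every attribute


def affirmative_based_decide(voters, authorities, config_attributes,
                             allow_if_all_abstain=False):
    """Mirror AffirmativeBased.decide(): each voter sees the whole attribute
    set and the first GRANTED vote wins; denies only count if nobody grants."""
    denies = 0
    for voter in voters:
        vote = voter(authorities, config_attributes)
        if vote == ACCESS_GRANTED:
            return True
        if vote == ACCESS_DENIED:
            denies += 1
    if denies > 0:
        return False
    return allow_if_all_abstain


def decide(manager, authorities, definition_line):
    """Run one decision manager, with a single RoleVoter, for one URL entry."""
    _, attrs = parse_object_definition_line(definition_line)
    return manager([role_voter_vote], authorities, attrs)


# Constructed from the thread: usera is in GroupAaa only, which the poster's
# configuration expresses as the granted authority ROLE_GROUPAAA.
USERA = ["ROLE_GROUPAAA"]
SINGLE_ROLE = "/*.do=ROLE_GROUPAAA"
THREE_ROLES = "/*.do=ROLE_GROUPAAA,ROLE_GROUPBBB,ROLE_GROUPCCC"

if __name__ == "__main__":
    for name, manager in (("UnanimousBased", unanimous_based_decide),
                          ("AffirmativeBased", affirmative_based_decide)):
        for line in (SINGLE_ROLE, THREE_ROLES):
            verdict = "granted" if decide(manager, USERA, line) else "DENIED"
            print(f"{name:17s} {line:50s} -> {verdict}")
```

The comma in `/*.do=ROLE_GROUPAAA,ROLE_GROUPBBB,ROLE_GROUPCCC` therefore means "any of these roles" only under AffirmativeBased; under UnanimousBased with a RoleVoter it behaves as "all of these roles". When choosing a decision manager, state the intended policy first and then check it with both a member and a non-member of each group, and keep an eye on the all-abstain case (an attribute without the ROLE_ prefix is ignored by RoleVoter and is denied by default). None of this accounts for the AuthenticationCredentialsNotFoundException in the posted log, which, as #7 and #10 point out, is raised before any vote is taken.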

            • #7
              Was there another exception after the one you've posted? This is the one that causes the redirect to the login page. If it was an access decision issue then there would be another exception.

              • #8
                Originally posted by Luke:
                Was there another exception after the one you've posted? This is the one that causes the redirect to the login page. If it was an access decision issue then there would be another exception.
                Yes, my point indeed. The original exception just doesn't seem related to the solution.

                • #9
                  Code:
                  2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.AbstractSecurityInterceptor] - Secure object: FilterInvocation: URL: /MainPage.do; ConfigAttributes: [ROLE_GROUPAAA, ROLE_GROUPBBB, ROLE_GROUPCCC]
                  2007-03-20 16:35:00,971 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] - Authentication exception occurred; redirecting to authentication entry point
                  org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
                  Only this exception.

                  The error does not redirect the user to the login page; it only gives the exception. I can use error-page in web.xml to capture this error.

                  • #10
                    Well, the exception you're seeing is a debug message from here:

                    http://acegisecurity.org/multiprojec...ilter.html#147

                    not actually an error. It then calls the configured entry point here:

                    http://acegisecurity.org/multiprojec...yPoint.html#80

                    which should result in a redirect (and a corresponding log message).
