  • OpenLDAP - Acegi partial success

    Hi,

    I have set up a test OpenLDAP server and am looking to use basic authentication on a web service using Acegi filters. I have managed to get the basic web prompt, and the filter authenticates against OpenLDAP and returns a success, but then I still get a 403 access denied page as the result. From the debug console I get an authentication success, but I am concerned that the roles returned are []; is that the problem? I have pasted the output, my applicationContext.xml and the OpenLDAP set-up data file below and would be grateful for any advice.

    Many thanks,

    Norman

    HTML Code:
    2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.ldap.DefaultInitialDirContextFactory] Creating InitialDirContext with environment {java.naming.provider.url=ldap://127.0.0.1:389/dc=mydomain,dc=com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=cn=Manager,dc=mydomain,dc=com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.security.credentials=******}
    2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator] Roles from search: []
    2007-03-26 09:01:53,142 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] Publishing event in context [[email protected]14f4ec4]: org.acegisecurity.event.authentication.AuthenticationSuccessEvent[source=[email protected]89852a4: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@10287d; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: BB019464FCABCAAA10E9F7E9C150565E; Granted Authorities: ]
    2007-03-26 09:01:53,142 WARN  [org.acegisecurity.event.authentication.LoggerListener] Authentication event AuthenticationSuccessEvent: jbloggs; details: org.acegisecurity.ui.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: BB019464FCABCAAA10E9F7E9C150565E
    2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.ui.basicauth.BasicProcessingFilter] Authentication success: [email protected]89852a4: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@10287d; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: BB019464FCABCAAA10E9F7E9C150565E; Granted Authorities: 
    2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.util.FilterChainProxy] /test.jp2 at position 4 of 4 in additional filter chain; firing Filter: 'org.acegisecurity.intercept.web.FilterSecurityInterceptor@175b0b5'
    2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Converted URL to lowercase, from: '/test.jp2'; to: '/test.jp2'
    2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Candidate is: '/test.jp2'; pattern is /**; matched=true
    2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.intercept.AbstractSecurityInterceptor] Secure object: FilterInvocation: URL: /test.jp2; ConfigAttributes: [ROLE_AUTHENTICATED]
    2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.intercept.AbstractSecurityInterceptor] Previously Authenticated: [email protected]89852a4: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@10287d; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: BB019464FCABCAAA10E9F7E9C150565E; Granted Authorities: 
    2007-03-26 09:01:53,142 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] Publishing event in context [[email protected]14f4ec4]: org.acegisecurity.event.authorization.AuthorizationFailureEvent[source=FilterInvocation: URL: /test.jp2]
    2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] Access is denied (user is not anonymous); delegating to AccessDeniedHandler
    applicationcontext.xml
    HTML Code:
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE beans SYSTEM "http://www.springframework.org/dtd/spring-beans.dtd">
    <beans>
        <!-- FilterToBeanProxy  -->
        <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
                <property name="filterInvocationDefinitionSource">
                        <value>
                                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                                PATTERN_TYPE_APACHE_ANT
                                /**=httpSessionContextIntegrationFilter,exceptionTranslationFilter,basicProcessingFilter,filterInvocationInterceptor
                        </value>
                </property>
        </bean>
        
        <!-- filter for unauthenticated users/interactions -->
        <bean id="exceptionTranslationFilter"
                class="org.acegisecurity.ui.ExceptionTranslationFilter">
                <property name="authenticationEntryPoint">
                        <ref local="basicProcessingFilterEntryPoint"/>
                </property>
        </bean>
    
      <bean id="initialDirContextFactory"
      class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
        <constructor-arg value="ldap://127.0.0.1:389/dc=mydomain,dc=com" />
        <property name="managerDn">
          <value>cn=Manager,dc=mydomain,dc=com</value>
        </property>
        <property name="managerPassword">
          <value>secret</value>
        </property>
      </bean>
      
      <bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg>
                    <ref local="initialDirContextFactory"/>
                </constructor-arg>
                <property name="userDnPatterns">
                    <list>
                        <value>uid={0},ou=people</value>
                    </list>
                </property>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
                <constructor-arg>
                    <ref local="initialDirContextFactory"/>
                </constructor-arg>
                <constructor-arg>
                    <value>ou=groups</value>
                </constructor-arg>
                <property name="groupRoleAttribute">
                    <value>ou</value>
                </property>
                <property name="searchSubtree">
                    <value>true</value>
                </property>
                <property name="rolePrefix">
                    <value>ROLE_</value>
                </property>
                <property name="convertToUpperCase">
                    <value>true</value>
                </property>
            </bean>
        </constructor-arg>
      </bean>
      
      <!-- Automatically receives AuthenticationEvent messages -->
      <bean id="loggerListener"
      class="org.acegisecurity.event.authentication.LoggerListener" />
      
      <bean id="basicProcessingFilter"
      class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
        <property name="authenticationManager">
          <ref local="authenticationManager" />
        </property>
        <property name="authenticationEntryPoint">
          <ref local="basicProcessingFilterEntryPoint" />
        </property>
      </bean>
      <bean id="basicProcessingFilterEntryPoint"
      class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
        <property name="realmName">
          <value>EZIM Realm</value>
        </property>
      </bean>
      <bean id="httpSessionContextIntegrationFilter"
      class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
      </bean>
      <bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
          <ref bean="authenticationManager" />
        </property>
        <property name="accessDecisionManager">
          <ref local="httpRequestAccessDecisionManager" />
        </property>
        <property name="objectDefinitionSource">
          <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=ROLE_AUTHENTICATED
          </value>
        </property>
      </bean>
      <bean id="httpRequestAccessDecisionManager"
      class="org.acegisecurity.vote.AffirmativeBased">
        <property name="decisionVoters">
          <bean class="org.acegisecurity.vote.RoleVoter" />
        </property>
      </bean>
      <bean id="authenticationManager"
      class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
          <list>
            <ref local="ldapAuthenticationProvider" />
          </list>
        </property>
      </bean>
    </beans>
    ldap config
    HTML Code:
    dn: dc=mydomain,dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: domain
    dc: mydomain
    
    dn: ou=groups,dc=mydomain,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: groups
    
    dn: ou=people,dc=mydomain,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: people
    
    dn: cn=ezimUsers,ou=groups,dc=mydomain,dc=com
    objectClass: groupOfUniqueNames
    cn: ezimUsers
    uniqueMember: uid=jbloggs,ou=people,dc=mydomain,dc=com
    
    dn: uid=jbloggs,ou=people,dc=mydomain,dc=com
    objectClass: person
    objectClass: inetOrgPerson
    cn: Joe Bloggs
    displayName: Joe Bloggs
    givenName: Joe
    mail: [email protected]
    sn: Bloggs
    uid: jbloggs
    userPassword: password

  • #2
    You appear to have the URLs secured with a role called ROLE_AUTHENTICATED, and the prefix is set as ROLE_. Does the user have an assigned role called "authenticated"?



    • #3
      Hi,

      I think this is where my problem is, since the user jbloggs doesn't have any roles at all in OpenLDAP; I just want Acegi to authenticate his username and password.

      Is there a way to do this, and if not, is there a quick way to add a role to OpenLDAP that will allow me to use Acegi?

      thanks,

      Norman



      • #4
        If you don't want to use roles you could simply replace the RoleVoter with AuthenticatedVoter. You could then secure the URL with something like IS_AUTHENTICATED_FULLY.
        http://acegisecurity.org/multiprojec...atedVoter.html
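
        The 403 in the debug output and the fix proposed in this post, replayed as an added Python model (not code from the thread or from Acegi). The `Authentication` class and the `role_voter`, `authenticated_voter` and `affirmative_based` functions are stand-ins for Acegi's Authentication, RoleVoter, AuthenticatedVoter and AffirmativeBased; the voting rules (grant / deny / abstain, and the all-abstain fallback) follow the documented behaviour of those classes. The user object is constructed to match the log line `Granted Authorities:` being empty for jbloggs.

```python
"""Why RoleVoter + ROLE_AUTHENTICATED denies a user with no roles, and why
AuthenticatedVoter + IS_AUTHENTICATED_FULLY grants the same user.

Added example; the classes and functions below model Acegi's voters and
decision manager rather than calling the real library.
"""
GRANTED, ABSTAIN, DENIED = 1, 0, -1

ANONYMOUS = "IS_AUTHENTICATED_ANONYMOUSLY"
REMEMBERED = "IS_AUTHENTICATED_REMEMBERED"
FULLY = "IS_AUTHENTICATED_FULLY"


class Authentication:
    """Stand-in for Acegi's Authentication: granted authorities plus the
    two flags AuthenticatedVoter looks at (anonymous / remember-me)."""

    def __init__(self, authorities, anonymous=False, remember_me=False):
        self.authorities = set(authorities)
        self.anonymous = anonymous
        self.remember_me = remember_me


def role_voter(auth, config_attrs, prefix="ROLE_"):
    """RoleVoter: abstains unless some attribute carries the prefix; once it
    supports an attribute it must grant (user holds it) or deny."""
    relevant = [a for a in config_attrs if a.startswith(prefix)]
    if not relevant:
        return ABSTAIN
    return GRANTED if any(a in auth.authorities for a in relevant) else DENIED


def authenticated_voter(auth, config_attrs):
    """AuthenticatedVoter: supports only the IS_AUTHENTICATED_* attributes."""
    result = ABSTAIN
    for attr in config_attrs:
        if attr == FULLY:
            result = DENIED  # supported attribute: no longer allowed to abstain
            if not auth.anonymous and not auth.remember_me:
                return GRANTED
        elif attr == REMEMBERED:
            result = DENIED
            if not auth.anonymous:
                return GRANTED
        elif attr == ANONYMOUS:
            return GRANTED  # any Authentication object satisfies this
    return result


def affirmative_based(voters, auth, config_attrs, allow_if_all_abstain=False):
    """AffirmativeBased: a single GRANTED wins; otherwise any DENIED denies;
    if every voter abstains, fall back to allowIfAllAbstainDecisions."""
    denies = 0
    for voter in voters:
        vote = voter(auth, config_attrs)
        if vote == GRANTED:
            return True
        if vote == DENIED:
            denies += 1
    if denies > 0:
        return False
    return allow_if_all_abstain


# jbloggs as the posted log shows him: authenticated, no granted authorities.
JBLOGGS = Authentication(authorities=[])


def decision_as_posted():
    """RoleVoter with /**=ROLE_AUTHENTICATED, as in the posted context."""
    return affirmative_based([role_voter], JBLOGGS, ["ROLE_AUTHENTICATED"])


def decision_with_authenticated_voter():
    """AuthenticatedVoter with /**=IS_AUTHENTICATED_FULLY, the fix above."""
    return affirmative_based([authenticated_voter], JBLOGGS, [FULLY])


def decision_anonymous_request():
    """The fix still rejects an anonymous caller: IS_AUTHENTICATED_FULLY
    is a supported attribute, so the voter denies rather than abstains."""
    anon = Authentication(authorities=["ROLE_ANONYMOUS"], anonymous=True)
    return affirmative_based([authenticated_voter], anon, [FULLY])


if __name__ == "__main__":
    print("RoleVoter / ROLE_AUTHENTICATED:", decision_as_posted())
    print("AuthenticatedVoter / IS_AUTHENTICATED_FULLY:",
          decision_with_authenticated_voter())
    print("AuthenticatedVoter, anonymous caller:", decision_anonymous_request())
```

        In the posted applicationContext.xml the equivalent change is two lines: the `decisionVoters` bean class becomes `org.acegisecurity.vote.AuthenticatedVoter` instead of `org.acegisecurity.vote.RoleVoter`, and the `objectDefinitionSource` rule becomes `/**=IS_AUTHENTICATED_FULLY` instead of `/**=ROLE_AUTHENTICATED`. Note that AffirmativeBased defaults to denying when every voter abstains, so leaving RoleVoter in place with an IS_AUTHENTICATED_FULLY rule would still produce a 403.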



        • #5
          fantastic thank you

          the authenticated voter worked!



          • #6
            Great, glad it worked! If you want to add roles later you can do that as well. For the time being at least you have to be authenticated to see the pages. One step at a time.
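
            For the "add roles later" step, the posted LDIF and populator settings explain why `Roles from search: []` appeared: the group `cn=ezimUsers` lists the user via `uniqueMember`, while the populator's group search filter was left at its Acegi 1.0 default of `(member={0})`, and `groupRoleAttribute` was set to `ou`, an attribute the group entry does not carry (it has `cn`). The following is an added Python model (not code from the thread or from Acegi) that replays the populator's lookup over the LDIF copied from the first post; `parse_ldif` and `search_groups` are a deliberately small stand-in for the real LDAP search, and the Acegi default filter value is taken from the 1.0 release.

```python
"""Replay of DefaultLdapAuthoritiesPopulator's group lookup over the LDIF
posted in the thread, to show which settings yield ROLE_EZIMUSERS.

Added example; parse_ldif / search_groups are a minimal model of an LDAP
subtree search with an equality filter, not a real LDAP client.
"""

# Copied from the LDIF in the first post (the userPassword line is omitted).
LDIF = """\
dn: ou=groups,dc=mydomain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=ezimUsers,ou=groups,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
cn: ezimUsers
uniqueMember: uid=jbloggs,ou=people,dc=mydomain,dc=com

dn: uid=jbloggs,ou=people,dc=mydomain,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: Joe Bloggs
sn: Bloggs
uid: jbloggs
"""

# The DN the BindAuthenticator builds from the pattern uid={0},ou=people.
USER_DN = "uid=jbloggs,ou=people,dc=mydomain,dc=com"
GROUP_BASE = "ou=groups,dc=mydomain,dc=com"


def parse_ldif(text):
    """Return {dn_lowercase: {attr_lowercase: [values]}} for attribute-only LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value.lower()  # DNs compare case-insensitively
            else:
                attrs.setdefault(key, []).append(value)
        entries[dn] = attrs
    return entries


def search_groups(entries, base, filter_attr, user_dn, role_attr,
                  subtree=True, prefix="ROLE_", upper=True):
    """Model of the populator: search under `base` for entries whose
    `filter_attr` equals the user's DN (the {0} in the filter), then read
    `role_attr` from each hit, add the prefix and upper-case it."""
    base = base.lower()
    roles = []
    for dn, attrs in entries.items():
        if dn == base or not dn.endswith("," + base):
            continue
        rdn_part = dn[: -len(base) - 1]
        if not subtree and "," in rdn_part:
            continue  # one-level scope: only direct children of the base
        members = [m.lower() for m in attrs.get(filter_attr.lower(), [])]
        if user_dn.lower() not in members:
            continue
        for value in attrs.get(role_attr.lower(), []):
            role = prefix + value
            roles.append(role.upper() if upper else role)
    return roles


def roles_as_posted(entries):
    """Default filter (member={0}) and groupRoleAttribute=ou: nothing matches."""
    return search_groups(entries, GROUP_BASE, "member", USER_DN, "ou")


def roles_with_matching_filter(entries):
    """groupSearchFilter=(uniqueMember={0}) but still groupRoleAttribute=ou:
    the group is found, yet it has no ou attribute to turn into a role."""
    return search_groups(entries, GROUP_BASE, "uniqueMember", USER_DN, "ou")


def roles_fixed(entries):
    """groupSearchFilter=(uniqueMember={0}) and groupRoleAttribute=cn."""
    return search_groups(entries, GROUP_BASE, "uniqueMember", USER_DN, "cn")


if __name__ == "__main__":
    e = parse_ldif(LDIF)
    print("as posted:", roles_as_posted(e))
    print("filter fixed only:", roles_with_matching_filter(e))
    print("filter and role attribute fixed:", roles_fixed(e))
```

            Against the real populator the corresponding bean change is to set `groupSearchFilter` to `(uniqueMember={0})` and `groupRoleAttribute` to `cn`; with the posted `rolePrefix` and `convertToUpperCase` settings the user then receives `ROLE_EZIMUSERS`, and `/**=ROLE_EZIMUSERS` with the original RoleVoter would grant access.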



            • #7
              Single sign-on with Acegi

              Hello,
              I am using Acegi with LDAP and it works fine: when the client enters a username and password, Acegi checks them in the LDAP and, if they exist, logs the client on. But I want to log the client in automatically when the session is created and Acegi receives the request from the client: if the client has logged in to the operating system with LDAP, Acegi should not ask for a username and password and should log the client on automatically. Is this possible with Acegi?
