  • Problem with https channel processing.

    Hi,

    I'm using tomcat 5.5.4 with ssl enabled. When I attempt to hit a page on my application that REQUIRES_SECURE_CHANNEL, acegi attempts to redirect me to the root of my context. This then triggers the REQUIRES_INSECURE_CHANNEL rule and I'm left sitting at the SSL altar.

    Any help would be appreciated.

    Relevant Trace:
    Code:
    17:11:33.796 DEBUG (net.sf.acegisecurity.securechannel.ChannelProcessingFilter:165) - Request: http://localhost:8081/HealthTracker/login.jsp; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
    17:11:33.796 DEBUG (net.sf.acegisecurity.securechannel.RetryWithHttpsEntryPoint:117) - Redirecting to: /HealthTracker
    17:11:33.875 DEBUG (net.sf.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap:129) - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
    17:11:33.891 DEBUG (net.sf.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap:141) - Candidate is: '/index.jsp'; pattern is \A/login.jsp\Z; matched=false
    17:11:33.891 DEBUG (net.sf.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap:141) - Candidate is: '/index.jsp'; pattern is \A/j_acegi_security_check.*\Z; matched=false
    17:11:33.891 DEBUG (net.sf.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap:141) - Candidate is: '/index.jsp'; pattern is \A.*\Z; matched=true
    17:11:33.906 DEBUG (net.sf.acegisecurity.securechannel.ChannelProcessingFilter:165) - Request: http://localhost:8081/HealthTracker/index.jsp; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
    17:11:33.906 DEBUG (net.sf.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap:129) - Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
    17:11:33.906 DEBUG (net.sf.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap:141) - Candidate is: '/index.jsp'; pattern is \A/admin/.*\Z; matched=false
    17:11:33.906 DEBUG (net.sf.acegisecurity.intercept.AbstractSecurityInterceptor:462) - Public object - authentication not attempted
    17:11:34.282 DEBUG (net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter:172) - Chain processed normally
    Context files (Using a variation on Craig's Simplifying Acegi Configuration http://jroller.com/page/habuma/20041..._configuration)
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
        "http://www.springframework.org/dtd/spring-beans.dtd">
    
    <beans>
    	<bean id="authenticationProcessingFilter"
    		parent="baseAuthenticationProcessingFilter">
    		<property name="authenticationFailureUrl">
    			<value>/auth/login.jsp?login_error=1</value>
    		</property>
    	</bean>
    
    	<bean id="authenticationEntryPoint"
    		parent="baseAuthenticationEntryPoint">
    		<property name="loginFormUrl">
    			<value>/auth/login.jsp</value>
    		</property>
    	</bean>
    
    	<bean id="filterInvocationInterceptor"
    		parent="baseFilterInvocationInterceptor">
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				\A/admin/.*\Z=ROLE_ADMIN
    			</value>
    		</property>
    	</bean>
    
    	<bean id="authenticationDao"
    		class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
    		<property name="userMap">
    			<value>admin=password,ROLE_ADMIN</value>
    		</property>
    	</bean>
    
    	<bean id="channelProcessingFilter"
    		parent="baseChannelProcessingFilter">
    		<property name="filterInvocationDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				\A/login.jsp\Z=REQUIRES_SECURE_CHANNEL
    				\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
    				\A.*\Z=REQUIRES_INSECURE_CHANNEL
    			</value>
    		</property>
    	</bean>
    
    </beans>
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
        "http://www.springframework.org/dtd/spring-beans.dtd">
    
    <!-- = = = = = = = = = = = = = = = = = = = =
    	= SECURING AT THE HTTP REQUEST LEVEL    =
    	= = = = = = = = = = = = = = = = = = = = -->
    <beans>
    	<!-- = = = = = = = SECURITY FILTERS = = = = = = = -->
    	<bean id="securityEnforcementFilter"
    		class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    		<property name="filterSecurityInterceptor">
    			<ref bean="filterInvocationInterceptor" />
    		</property>
    		<property name="authenticationEntryPoint">
    			<ref bean="authenticationEntryPoint" />
    		</property>
    	</bean>
    
    	<bean id="baseAuthenticationProcessingFilter"
    		class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter"
    		lazy-init="true">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="filterProcessesUrl">
    			<value>/j_acegi_security_check</value>
    		</property>
    		<property name="authenticationFailureUrl">
    			<value>/jsp/login.jsp?login_error=1</value>
    		</property>
    		<property name="defaultTargetUrl">
    			<value>/</value>
    		</property>
    	</bean>
    
    	<bean id="baseAuthenticationEntryPoint"
    		class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"
    		lazy-init="true">
    		<property name="loginFormUrl">
    			<value>/jsp/login.jsp</value>
    		</property>
    		<property name="forceHttps">
    			<value>false</value>
    		</property>
    	</bean>
    
    	<!-- = = = = = = = = SECURITY INTERCEPTOR = = = = = = = = -->
    	<bean id="baseFilterInvocationInterceptor"
    		class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor"
    		lazy-init="true">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="accessDecisionManager">
    			<ref bean="accessDecisionManager" />
    		</property>
    	</bean>
    
    	<!-- = = = = = = = = AUTHENTICATION = = = = = = = -->
    	<bean id="authenticationManager"
    		class="net.sf.acegisecurity.providers.ProviderManager">
    		<property name="providers">
    			<list>
    				<ref bean="daoAuthenticationProvider" />
    			</list>
    		</property>
    	</bean>
    
    	<bean id="daoAuthenticationProvider"
    		class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    		<property name="authenticationDao">
    			<ref bean="authenticationDao" />
    		</property>
    	</bean>
    
    	<!-- = = = = = = = = ACCESS CONTROL = = = = = = = -->
    	<bean id="accessDecisionManager"
    		class="net.sf.acegisecurity.vote.UnanimousBased">
    		<property name="allowIfAllAbstainDecisions">
    			<value>false</value>
    		</property>
    		<property name="decisionVoters">
    			<list>
    				<ref bean="roleVoter" />
    			</list>
    		</property>
    	</bean>
    
    	<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter" />
    	<!-- = = = = = = = = CACHING = = = = = = = = = = -->
    	<bean id="cacheManager"
    		class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
    
    	<bean id="userCacheBackend"
    		class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    		<property name="cacheManager">
    			<ref local="cacheManager" />
    		</property>
    		<property name="cacheName">
    			<value>userCache</value>
    		</property>
    		<property name="timeToIdle">
    			<value>300</value>
    		</property>
    	</bean>
    
    	<bean id="userCache"
    		class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
    		<property name="cache">
    			<ref local="userCacheBackend" />
    		</property>
    	</bean>
    
    	<!-- = = = = = = = = GENERAL UTILITY = = = = = = = -->
    	<bean id="httpSessionIntegrationFilter"
    		class="net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter" />
    
    	<!-- = = = = = = = = CHANNEL SECURITY = = = = = = = -->
    	<bean id="baseChannelProcessingFilter"
    		class="net.sf.acegisecurity.securechannel.ChannelProcessingFilter"
    		lazy-init="true">
    		<property name="channelDecisionManager">
    			<ref bean="channelDecisionManager" />
    		</property>
    		<property name="filterInvocationDefinitionSource">
    			<value></value>
    		</property>
    	</bean>
    
    	<bean id="channelDecisionManager"
    		class="net.sf.acegisecurity.securechannel.ChannelDecisionManagerImpl">
    		<property name="channelProcessors">
    			<list>
    				<ref bean="secureChannelProcessor" />
    				<ref bean="insecureChannelProcessor" />
    			</list>
    		</property>
    	</bean>
    
    	<bean id="secureChannelProcessor"
    		class="net.sf.acegisecurity.securechannel.SecureChannelProcessor" />
    	<bean id="insecureChannelProcessor"
    		class="net.sf.acegisecurity.securechannel.InsecureChannelProcessor" />
    </beans>
    Thanks in advance,

    Ryan
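
Added example (not part of the original thread and not Acegi's own code): a Python check that replays the ordered channel rules from the posted configuration and scans lines from the posted trace for a secure-channel retry whose redirect target is not an absolute https:// URL. The function names, and the assumption that a correct retry target starts with https://, are this example's own.

```python
import re

# Ordered channel rules copied from the channelProcessingFilter bean in the post.
CHANNEL_RULES = [
    (r"\A/login.jsp\Z", "REQUIRES_SECURE_CHANNEL"),
    (r"\A/j_acegi_security_check.*\Z", "REQUIRES_SECURE_CHANNEL"),
    (r"\A.*\Z", "REQUIRES_INSECURE_CHANNEL"),
]

# Three lines taken from the trace in the post.
TRACE = """\
17:11:33.796 DEBUG (net.sf.acegisecurity.securechannel.ChannelProcessingFilter:165) - Request: http://localhost:8081/HealthTracker/login.jsp; ConfigAttributes: [REQUIRES_SECURE_CHANNEL]
17:11:33.796 DEBUG (net.sf.acegisecurity.securechannel.RetryWithHttpsEntryPoint:117) - Redirecting to: /HealthTracker
17:11:33.906 DEBUG (net.sf.acegisecurity.securechannel.ChannelProcessingFilter:165) - Request: http://localhost:8081/HealthTracker/index.jsp; ConfigAttributes: [REQUIRES_INSECURE_CHANNEL]
"""

REQUEST_RE = re.compile(
    r"ChannelProcessingFilter:\d+\) - Request: (\S+); ConfigAttributes: \[(\w+)\]")
REDIRECT_RE = re.compile(r"RetryWithHttpsEntryPoint:\d+\) - Redirecting to: (\S+)")


def channel_for(path):
    """First matching rule wins; the path is lowercased first, as
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON requests."""
    path = path.lower()
    for pattern, attribute in CHANNEL_RULES:
        if re.search(pattern, path):
            return attribute
    return None


def find_bad_https_redirects(trace):
    """Return (request_url, redirect_target) pairs where a secure-channel
    retry did not redirect to an absolute https:// URL (assumed to be the
    only correct kind of target)."""
    findings, pending = [], None
    for line in trace.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            url, attr = m.groups()
            pending = url if attr == "REQUIRES_SECURE_CHANNEL" else None
            continue
        m = REDIRECT_RE.search(line)
        if m and pending is not None:
            if not m.group(1).lower().startswith("https://"):
                findings.append((pending, m.group(1)))
            pending = None
    return findings
```

Run over a full debug log, `find_bad_https_redirects` lists every request that was sent to a non-HTTPS target after a REQUIRES_SECURE_CHANNEL decision, which is the loop described in the post.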

  • #2
    After looking at RetryWithHttpsEntryPoint for some time I cannot see why it is not composing the correct redirection URL. Would you mind adding some debug lines to your local copy, and posting the extra detail?



    • #3
      Ok, so more information. I just tried the exact same configuration on my box at home and everything works exactly as it should. It looks like there is something goofy with the configuration on my computer at work. I've got a roaming profile at work and my guess is that there is a problem associated with that (Home directory is actually on a remote server).
