Open the login page in case that the user is not logged in.

  • Open the login page in case that the user is not logged in.

    Hi,
    I'm new to Acegi,
    I've been following the steps of Spring in action in order to configure my application to use Acegi Security.
    Everything worked fine, except that when I try to access a certain page without being logged in to the application, it still opens with no problem at all.
    What I expected is that the user would be redirected to the login page and only then be able to access the requested page.
    It seems that there is something I'm missing.
    Could anyone please help me with that?
    Here is my acegi configuration file and the web.xml file.
    applicationContext-acegi.xml:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
        "http&#58;//www.springframework.org/dtd/spring-beans.dtd">
    
    <beans>
    <!-- =============================== Authentication Configuration ============================ -->
    
    
    <!-- Authentication manager: a ProviderManager, configured with a list of authentication providers. -->
    <!-- As the author describes it, the manager works through the list in order until one provider -->
    <!-- successfully authenticates the user. Only daoAuthenticationProvider is listed here. -->
    <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
      <property name="providers">
        <list>
          <ref bean="daoAuthenticationProvider"/>
        </list>
      </property>
    </bean>
    
    <!-- Authentication provider: a DaoAuthenticationProvider. -->
    <!-- Its authenticationDao property points at the inMemoryAuthenticationDao bean defined in this file. -->
    <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
      <property name="authenticationDao">
        <ref bean="inMemoryAuthenticationDao"/>
      </property>
    </bean>
    
    <!-- The authenticationDao bean can be backed by InMemoryDaoImpl or JdbcDaoImpl; this file uses InMemoryDaoImpl. -->
    <!-- InMemoryDaoImpl is intended for trivial authentication needs or for development-time convenience. -->
    <!-- Its userMap property holds one entry per line: username=password,ROLE(s) (the granted authorities). -->
    <!-- NOTE(review): the passwords below are stored as clear text in the application context file, and no -->
    <!-- password encoder or salt source is configured anywhere in this file, so they are presumably compared -->
    <!-- as clear text. Keep this bean to development use; confirm before deploying. -->
    <bean id="inMemoryAuthenticationDao"
    	class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
    		<property name="userMap">
    			<value>
    				user_1=secret_1,ROLE_MANAGER
    				user_2=secret_2,ROLE_EMPLOYEE
    				user_3=secret_3,ROLE_EMPLOYEE
    				user_4=secret_4,ROLE_MANAGER
    			</value>
    		</property>
    		
    <!-- properties for password encoding, saltSource and caching could also be added here -->
    
    </bean>
    
    <!-- ======================Authorization Configuration &#40;Access Decision&#41;============================= -->
    
    <!-- Access decision managers determine the access rights of an authenticated user. -->
    <!-- They poll one or more voters on whether the user is granted access to a secured resource. -->
    <bean id="accessDecisionManager"
    	class="net.sf.acegisecurity.vote.UnanimousBased">
    <!-- decisionVoters: the list of voters that are polled; only roleVoter is configured. -->		
    		<property name="decisionVoters">
    			<list>
    				<ref bean="roleVoter"/>
    			</list>
    		</property>
    
    <!-- allowIfAllAbstain overrides the default behaviour for the case where every voter abstains. -->
    <!-- It is left commented out, so the class default applies. Enabling it would presumably grant access -->
    <!-- whenever no voter has an opinion; leave it disabled unless that is intended. -->
    		<!--<property name="allowIfAllAbstain">
      			<value>true</value>
    		</property>-->
    		
    </bean>
    
    <!-- Access decision voter. -->
    <!-- RoleVoter decides its vote by comparing the configuration attributes of the secured resource -->
    <!-- (those prefixed with ROLE_) with the authorities granted to the authenticated user. -->
    <!-- It abstains only when none of the attributes required for access carries the ROLE_ prefix. -->
    <bean id="roleVoter"
    	class ="net.sf.acegisecurity.vote.RoleVoter">
    
    <!-- To replace the ROLE_ prefix with another prefix, enable the rolePrefix property below. -->
    <!-- It is commented out here, so the ROLE_ prefix used by the URL rules and the user map stays in effect. -->
    		<!-- property name="rolePrefix">
    			<value>GROUP_</value>
    		</property-->
    </bean>
    
    
    <!-- ================================ Security Enforcement Filter ============================ -->
    <!-- Wires the enforcement filter to two collaborators defined in this file: -->
    <!-- securityInterceptor (the FilterSecurityInterceptor) and authenticationEntryPoint (the login entry point). -->
    <bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
      <property name="filterSecurityInterceptor">
        <ref bean="securityInterceptor"/>
      </property>
      <property name="authenticationEntryPoint">
        <ref bean="authenticationEntryPoint"/>
      </property>
    </bean>
    
    
    <!-- The securityInterceptor bean referred to by the securityEnforcementFilter bean. -->
    <!-- It combines the authentication manager, the access decision manager and the URL rules below. -->
    <!-- objectDefinitionSource maps a URL regular expression to the roles allowed to request it: -->
    <!-- /manager/... requires ROLE_MANAGER; /employee/... requires ROLE_MANAGER or ROLE_EMPLOYEE -->
    <!-- (subject to how the configured UnanimousBased manager combines votes). -->
    <!-- NOTE(review): only URLs matching one of these two patterns carry any access rule. A URL that matches -->
    <!-- neither (for example /attendanceForm.html, the defaultTargetUrl of authenticationProcessingFilter) has -->
    <!-- no configuration attributes and is presumably served without any login. This is the likely reason a -->
    <!-- page opens for an anonymous user; confirm which URL was requested. -->
    <!-- NOTE(review): CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON is wrapped in an XML comment inside the value. -->
    <!-- An XML parser normally does not hand comment text to the application, so the directive is probably -->
    <!-- not seen and the patterns are matched case-sensitively. Verify, and if so write the directive as a -->
    <!-- plain first line of the value so that mixed-case URLs are checked against the same rules. -->
    <bean id="securityInterceptor"
    	class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager"/>
    		</property>
    		
    		<property name="accessDecisionManager">
    			<ref bean="accessDecisionManager"/>
    		</property>
    		
    		<property name="objectDefinitionSource">
    			<value>
    				<!--CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON-->
    				\A/manager/.*\Z=ROLE_MANAGER
    				\A/employee/.*\Z=ROLE_MANAGER,ROLE_EMPLOYEE
    			</value>
    		</property>
    </bean>
    
    <!-- ====== Authentication entry point using AuthenticationProcessingFilterEntryPoint (form-based authentication) ====== -->
    <!-- loginFormUrl is the page an unauthenticated user is sent to; forceHttps is set to true, which by its -->
    <!-- name requests that the login form be reached over HTTPS. -->
    <bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl">
        <value>/loginForm.jsp</value>
      </property>
      <property name="forceHttps">
        <value>true</value>
      </property>
    </bean>
    
    <!-- Form login processing filter. -->
    <!-- filterProcessesUrl: the URL the filter intercepts to process a login submission. -->
    <!-- authenticationFailureUrl: where the user is sent when login fails (used to show an error message). -->
    <!-- defaultTargetUrl: /attendanceForm.html; note that this URL matches neither pattern in the -->
    <!-- securityInterceptor bean's objectDefinitionSource. -->
    <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
      <property name="filterProcessesUrl">
        <value>/j_acegi_security_check</value>
      </property>
      <property name="authenticationFailureUrl">
        <value>/loginForm.jsp?failed=true</value>
      </property>
      <property name="defaultTargetUrl">
        <value>/attendanceForm.html</value>
      </property>
      <property name="authenticationManager">
        <ref bean="authenticationManager"/>
      </property>
    </bean>
    
    
    
    
    <!-- Keeps the authentication object in the HTTP session between requests. No properties are set. -->
    <bean id="integrationFilter" class="net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter"/>
    	
    <!-- Channel processing filter. -->
    <!-- Ensures that pages are delivered over the intended channel (HTTP or HTTPS) -->
    <!-- regardless of which scheme the request used. -->
    <!-- The rules below require HTTPS for the login form and the login submission URL, and require -->
    <!-- plain HTTP for every other URL through the catch-all pattern. -->
    <!-- NOTE(review): because of the catch-all REQUIRES_INSECURE_CHANNEL rule, pages requested after login, -->
    <!-- including those under /manager/ and /employee/, are sent over HTTP. The session identifier issued -->
    <!-- around the HTTPS login would then presumably travel unencrypted as well. Confirm this is intended; -->
    <!-- otherwise require the secure channel for the protected paths too. -->
    <!-- NOTE(review): CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON sits inside an XML comment and is probably -->
    <!-- not passed to Acegi; verify and, if needed, write it as a plain line of the value. -->
    <bean id="channelProcessingFilter"
    	class="net.sf.acegisecurity.securechannel.ChannelProcessingFilter">
    		<property name="filterInvocationDefinitionSource">
    			<value>	
    				<!--CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON-->
    				\A/loginForm.jsp.*\Z=REQUIRES_SECURE_CHANNEL
    				\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
    				\A.*\Z=REQUIRES_INSECURE_CHANNEL
    
    			</value>
    		</property>
    <!-- The channel processing filter does not work alone: it collaborates with a channel decision -->
    <!-- manager, which in turn delegates to one or more channel processors. -->		
    		<property name="channelDecisionManager">
    			<ref bean="channelDecisionManager"/>
    		</property>
    </bean>
    	
    <!-- Channel decision manager: decides whether the channel of the requested URL meets the rules -->
    <!-- defined in the channel processing filter's filterInvocationDefinitionSource property. -->
    <!-- ChannelDecisionManagerImpl iterates over its channel processors, giving each one the -->
    <!-- opportunity to override the channel of the request. -->
    <bean id="channelDecisionManager" class="net.sf.acegisecurity.securechannel.ChannelDecisionManagerImpl">
      <property name="channelProcessors">
        <list>
          <ref bean="secureChannelProcessor"/>
          <ref bean="insecureChannelProcessor"/>
        </list>
      </property>
    </bean>
    
    <!-- Channel processors (secure and insecure), both referenced by channelDecisionManager. -->
    <bean id="secureChannelProcessor" class="net.sf.acegisecurity.securechannel.SecureChannelProcessor"/>

    <bean id="insecureChannelProcessor" class="net.sf.acegisecurity.securechannel.InsecureChannelProcessor"/>
    	
    
    </beans>

    web.xml:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http&#58;//java.sun.com/xml/ns/j2ee"
        xmlns&#58;xsi="http&#58;//www.w3.org/2001/XMLSchema-instance"
        xsi&#58;schemaLocation="http&#58;//java.sun.com/xml/ns/j2ee http&#58;//java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
    
        <display-name>Attendance</display-name>
        
        <!-- Location of the Spring context files read via the contextConfigLocation parameter. -->
        <!-- The wildcard matches every file under /WEB-INF whose name starts with applicationContext; -->
        <!-- applicationContext-acegi.xml is presumably picked up this way (its location is not shown). -->
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/applicationContext*.xml
            </param-value>
        </context-param>
    
        <!-- Spring context loader listener. -->
        <listener>
          <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>

        <!-- Spring MVC dispatcher servlet, named "action" and loaded at startup. -->
        <servlet>
          <servlet-name>action</servlet-name>
          <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
          <load-on-startup>1</load-on-startup>
        </servlet>

        <!-- Add SiteMesh servlets for Velocity and FreeMarker here -->

        <!-- Requests ending in .html are routed to the dispatcher servlet. -->
        <servlet-mapping>
          <servlet-name>action</servlet-name>
          <url-pattern>*.html</url-pattern>
        </servlet-mapping>

        <welcome-file-list>
          <!-- Redirects to "loginForm.jsp" for dispatcher handling -->
          <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>
    
      
      
        <!-- Character encoding filter: encoding is UTF-8 and forceEncoding is true. -->
        <!-- It is mapped to *.html and *.jsp requests. -->
        <filter>
          <filter-name>encodingFilter</filter-name>
          <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
          <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
          </init-param>
          <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
          </init-param>
        </filter>

        <filter-mapping>
          <filter-name>encodingFilter</filter-name>
          <url-pattern>*.html</url-pattern>
        </filter-mapping>

        <filter-mapping>
          <filter-name>encodingFilter</filter-name>
          <url-pattern>*.jsp</url-pattern>
        </filter-mapping>
    
    <!-- ========================Security Filters ======================== -->    
    
    <!-- Channel Processing Filter -->
    <!-- Ensures that web application pages are delivered over the proper channel (HTTP or HTTPS) -->
    <!-- regardless of which scheme the request used. -->
    <!-- Note: the filter mapping of this filter should appear before any other filter mappings. -->
    <!-- FilterToBeanProxy is given the delegate through the targetClass init parameter. -->
    <filter>
      <filter-name>Acegi-Channel</filter-name>
      <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
      <init-param>
        <param-name>targetClass</param-name>
        <param-value>net.sf.acegisecurity.securechannel.ChannelProcessingFilter</param-value>
      </init-param>
    </filter>

    <!-- Mapping of the Channel Processing Filter: applied to every request. -->
    <!-- It should appear before any other filter mapping. -->
    <filter-mapping>
      <filter-name>Acegi-Channel</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    
           
    <!-- Acegi-Security (Security Enforcement Filter) -->
    <!-- A servlet filter that delegates its work to a bean in the Spring application context. -->
    <!-- The delegate bean implements the javax.servlet.Filter interface but is configured in the -->
    <!-- Spring configuration file instead of web.xml; targetBean names it: securityEnforcementFilter. -->
    <!-- NOTE(review): a servlet container applies url-pattern filter mappings in the order they are declared. -->
    <!-- This mapping is declared before Acegi-Authentication and Acegi-Integration, so access enforcement -->
    <!-- presumably runs before the session's authentication has been made available to it. Check the -->
    <!-- filter order recommended by the Acegi reference guide for the version in use; the enforcement -->
    <!-- filter is normally expected to come after the authentication and integration filters. -->
       <filter>
       		<filter-name>Acegi-Security</filter-name>
       		<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
       		<init-param>
       			<param-name>targetBean</param-name>
       			<param-value>securityEnforcementFilter</param-value>
       		</init-param>
       	</filter>
       	 
       	<filter-mapping>
       		<filter-name>Acegi-Security</filter-name>
       		<url-pattern>/*</url-pattern>
       	</filter-mapping>
       	
    <!-- Acegi-Authentication (Basic Processing Filter): not configured here; the author notes it is kept in a temp file. -->

    <!-- Acegi-Authentication (Authentication Processing Filter) -->
    <!-- FilterToBeanProxy is given the delegate through the targetClass init parameter; mapped to every request. -->
    <filter>
      <filter-name>Acegi-Authentication</filter-name>
      <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
      <init-param>
        <param-name>targetClass</param-name>
        <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
      </init-param>
    </filter>

    <filter-mapping>
      <filter-name>Acegi-Authentication</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    	
    	
    <!-- Acegi-Integration (HTTP Session Integration Filter) -->
    <!-- FilterToBeanProxy is given the delegate through the targetClass init parameter. -->
    	<filter>
    		<filter-name>Acegi-Integration</filter-name>
    		<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    		<init-param>
    			<param-name>targetClass</param-name>
    			<param-value>net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter</param-value>
    		</init-param>
    	</filter>
    <!-- The author places this filter mapping after all other filter mappings. -->
    <!-- NOTE(review): that also puts it after Acegi-Security. Filters run in mapping order, so the enforcement -->
    <!-- filter would run before this filter has restored the authentication from the HTTP session. -->
    <!-- Confirm the intended order against the Acegi reference guide for the version in use. -->	
    	<filter-mapping>
    		<filter-name>Acegi-Integration</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    	
    
    </web-app>
    Thanks in Advance.
    Sherihan.

  • #2
    You appear to be using an old version of Acegi Security. Please install the latest version, using the Contacts Sample as your guide (as it reflects the latest XML). I'd also suggest using Ant Paths instead of Regular Expressions, as they're easier for people to follow.
